Re: CWE 3.0 - quick progress update - should include CQE


Re: CWE 3.0 - quick progress update - should include CQE

Joe Jarzombek
CWE v3 should include Common Quality Enumeration (CQE) as a subset.  See <https://cqe.mitre.org/>

CWE v3 should and could easily cover weaknesses that address more than security issues.  CWE can easily accommodate the identification of security and quality issues.  There is no restriction on applying 'weaknesses' to quality issues.  

Why does the community need a separate enumeration that attempts to make a distinction for quality issues?  It is not productive to expend effort classifying a defect as either quality (CQE) or security (CWE). Many defects are both. Software can't be secure if it isn't correct. Improperly implemented business rules are yet another potential penetration point that can be leveraged by an adversary. There is a tight correlation between certain quality issues, such as reliability, and security issues.  In today's environment of asymmetric attacks, a product is not secure if it is not reliable, and it is not reliable if it is not secure.  Moreover, in many instances it is just a matter of 'exploration time' by hackers in which certain quality issues can become security issues.  CQE IDs (as a subset of CWE) could 'morph' into other CWE IDs or CVE IDs once exploits are identified against the respective quality issues.  Given the information about a defect that tools present to the developer, one could easily spend more time arguing "quality or security" than it takes to just fix it.

Moreover, CQE uses three constructs similar to CWE content.  These are the graph view, the list view, and the slice view.  Incorporating CQE as a part of CWE v3 should not be a challenge.  In fact, keeping CQE separate from CWE creates more challenges for those wishing to address both.

These are some of the reasons why CQE should be a subset of CWE.  If CQE is to have a chance of remaining relevant, it needs to become a subset of CWE that has the wider community support and use.  

Moreover, expanding the scope of CWE to address quality issues makes a better case for moving to CWE v3.0 - CWE would certainly not be 'stale'.

Regards,

   -Joe -

Joe Jarzombek, CSSLP 
Global Manager, Software Supply Chain Solutions
Email: [hidden email]  |  Mobile: 703 627-4644
Synopsys Software Integrity Group  |  www.synopsys.com/software     


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Christey, Steven M.
Sent: Friday, October 13, 2017 11:59 AM
To: cwe-research-list CWE Research Discussion <[hidden email]>
Subject: CWE 3.0 - quick progress update

All,

Just a very quick update, since some questions have arisen in recent discussions.

We are continuing to work actively on CWE 3.0.  The resulting data will be much cleaner, as will the new schema, which we are continuously refining.  We will send more detailed descriptions of the new schema as soon as possible - maybe next week - but interested parties can read Drew Buttner's "CWE Schema Proposal" post from June 5, archived here:

  http://making-security-measurable.1364806.n2.nabble.com/CWE-Schema-Proposal-td7589556.html

We will also have a small number of new weaknesses in CWE, such as one related to homoglyphs, and we plan to add others in later versions.

- Steve

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Re: CWE 3.0 - quick progress update - should include CQE

Walter Houser
Merging CQE with CWE would have a significant organizational and cultural benefit. It facilitates application security efforts to enlist software quality professionals to support security. The relationship of software security and software quality is a close one; many argue that software security is a subset of software quality. Poor quality code can be difficult to understand and therefore hard to secure. The better code analyzers scan for quality as well as security. 

Thank you.  
Walt 

On Fri, Oct 13, 2017 at 1:23 PM, Joe Jarzombek <[hidden email]> wrote:
> [quoted message elided; see Joe Jarzombek's post above]