Thanks for your note. This is great stuff. Coincidentally, the “detection methods” element of our schema is one that we had identified for strengthening throughout the corpus. We recently expanded the scope of the project to include hardware-relevant weaknesses, and we had noticed that this is an important but sometimes inconsistently populated schema element.
I’d love to touch base with you on this further. Please let me know if you and your team have time over the next couple weeks to support an initial conversation on this with some CWE team
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
MITRE - Solving Problems for a Safer World
Chris Horn <[hidden email]>
Organization: Secure Decisions, a division of Applied Visions, Inc.
Date: Tuesday, August 25, 2020 at 3:33 PM
To: <[hidden email]>
Cc: Trevor Bidhadar <[hidden email]>, Lucja Kot <[hidden email]>
Subject: [EXT] Improving CWE detection methods data
We suggest that MITRE could enrich the CWE taxonomy's weakness "detection methods" data using claimed weakness coverage from static analyzers. One value of these data is giving
individuals and organizations a menu of options that can be used to improve their software development pipelines and increase their ability to detect software weaknesses.
In the process of developing Kompar, under contract with DHS S&T, Secure Decisions has curated claimed weakness coverage information for over 15 different static software analyzers. We categorize claimed weakness coverage using the CWE taxonomy; this information could be used to enhance the CWE taxonomy.
Please see the attached document for more details.