Upcoming plans for CWE 1.0

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Upcoming plans for CWE 1.0

Steven M. Christey-2
All,

MITRE plans to release CWE 1.0 sometime in August.  Here is a summary
of our main goals for that release.

1) Finish existing systemic changes.  We want CWE 1.0 to represent a
   stable point in CWE's development, which means finalizing the
   systemic changes that we've been making over the past year or two.
   For this, we are de-prioritizing general "content maintenance" -
   i.e., localized modification of individual entries - except as
   those modifications might relate to the systemic changes.  After
   CWE 1.0 is released, we plan to move more into a content
   development and refinement mode, in which there will be greater
   emphasis on accuracy and completeness of individual entries.

2) Stable schema.  We have been making significant schema changes over
   the past year, primarily to support our development of views, as
   well as the needs of new stakeholders.  Our primary goal for CWE
   1.0 is to have the schema be stable.  We are conducting an internal
   review and have outlined the major limitations that still need to
   be addressed.

3) Viable views.  We have been developing the view concept and
   implementation for almost a year now, and we think we finally have
   a handle on how we want to support them.  So CWE 1.0 will have
   multiple views that support different use-cases and stakeholders,
   and the schema infrastructure will be in place to support adding
   more views without requiring schema modifications.

4) Refinement of the Natural Hierarchy.  We have come to realize that
   we need to do a better job of communicating what we're trying to
   accomplish with the Natural Hierarchy (CWE-1000).  In short, we are
   attempting to build a classification scheme based on inherent
   features of weaknesses of large portions of CWE weaknesses, and
   their inter-relationships.  My personal hope is that it will take
   Seven Pernicious Kingdoms and CLASP one step further.  All past
   versions of CWE have had multiple ways of grouping weaknesses
   together that would lead to difficulty or inconsistency in
   performing mappings.  It would also be difficult to infer where
   knowledge gaps existed.  The MITRE team has found that the ongoing
   development of the natural hierarchy has helped us significantly in
   understanding much of what we have in CWE, and why.  Academic
   researchers might be especially interested in its development.

   Ironically, the natural hierarchy might not seem so "natural" to
   regular developers; so, we need to actively support the developer
   view.  This is one major challenge that we face.

   In the coming weeks, we will be releasing a more detailed white
   paper to the community on MITRE's goals for the natural hierarchy.
   Traces of it exist in CWE Draft 9, but it is far from complete (and
   we've since made significant inroads in our 1.0 development).  To
   get an idea of where we are headed, see: CWE-664 ("Insufficient
   Control of a Resource Through its Lifetime"), CWE-682 ("Incorrect
   Calculation"), and CWE-691 ("Insufficient Control Flow
   Management").  If you are particularly interested in this effort,
   then contact us offline and we will give you our current status.

5) More active community engagement.  Leading up to CWE 1.0, we will
   be actively engaging community members on important issues for CWE.
   This discussion list will be one of the main places in which we
   solicit feedback.  So, this summer is the time to voice any
   concerns you have.

6) Resolution of outstanding issues.  In the fall of 2007, we brought
   up various issues related to CWE content maintenance, including
   which types of issues we should include, and what level of
   abstraction we should use.  We will be actively resolving many of
   those issues.  See the Working Documents section at
   http://cwe.mitre.org/community/workingdocs.html for a refresher.

7) Identifying CWE gaps with respect to current tools, including
   guidance for mapping.  Several tool vendors have sent us updated
   lists of their checks, some of which had CWE mappings.  We are
   evaluating these mappings to ensure that CWE 1.0 will be able to
   support the existing perspectives under which these tools operate.
   This might include creating high-level entries that act as
   placeholders for future content creation of lower-level entries.
   We will not have the time to create new entries for every gap that
   we encounter, at least by the release of 1.0, but we will have a
   solid understanding of what remains to be done.