proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

Robert A. Martin
Hello,

Hopefully everyone on the CWE Research List is doing well and enjoying
summer.  We have a proposal we would like your feedback on.

We want to take the CWE Compatibility Program to the next level in the
coming months.  CWE Compatibility - like its sibling compatibility
program for CVE - is about recognizing the products and services that
have implemented support for the enumeration.

You can find more about the general activity on the CWE web site
http://cwe.mitre.org/compatible/program.html

All of the current declarations about support of CWE are focused on the
first of three phases of the CWE Compatibility process.

These can be seen at: http://cwe.mitre.org/compatible/organizations.html

In order to move the CWE Compatibility Program to the second level and
allow us to start the process for awarding CWE Compatibility to products
and services we need to finalize - to the extent possible - the
"Requirements and Recommendations for CWE Compatibility and CWE
Effectiveness" document.

See: http://cwe.mitre.org/compatible/requirements.html

While it will be a while before we can finalize the portion of this
document that relates to CWE Effectiveness, we believe we are at the
point of definitively describing CWE Compatibility's requirements.

The only proposed change to the document, originally posted in December
2006, is to move the "CWE-Coverage" requirement from one for "CWE
Effectiveness" to one for "CWE Compatibility".

Basically the "CWE-Coverage" requirement is to make a publicly available
document (pdf, word document, or web page) that clearly articulates the
CWE Identifiers that a product or service believes it covers in its
capability offering.  For an assessment tool or service this would be
which CWE Identifiers they look for; for an education or repository it
would be which CWE Identifiers they offer information or training on.

This clarity of stating the intended scope of a capability will help
users and prospective users to understand what a capability is trying to
accomplish/focus on and help manage their expectations.

So the change is to change the wording of item 2.16 from:

2.16) For CWE Effectiveness the Capability's publicly available
documentation MUST explicitly list the CWE identifiers that the Owner
considers the Capability to be effective at locating in software
("CWE-Coverage").

to:

2.16) For CWE Compatibility the Capability's publicly available
documentation MUST explicitly list the CWE identifiers that the Owner
considers the Capability to be effective at locating in software
("CWE-Coverage").

With this change we will promote the document to version 1.0 and proceed
to create a CWE Compatibility Questionnaire that can be used to express how
a particular capability has fulfilled the CWE Compatibility requirements.

Please let us know if you have any suggestions on additional changes or
concerns about this next step by 20 July 2010 so we can move the CWE
initiative forward this summer.

Regards,

Bob & Steve

Re: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

Paul E. Black
My apologies for being well past the time set.  In Requirements
  http://cwe.mitre.org/compatible/requirements.html
A.2.8 says "(1) the rate of false positives is less than 100 percent
... and (2) the rate of false negatives is less than 100 percent"
We understand these are not meant to apply to tiny test programs.
Perhaps this understanding should be made explicit by adding
something like, "for large bodies of code (1) the rate ..."

Sincerely,
-paul-

On Tuesday 06 July 2010 01:40:11 pm Martin, Robert A. wrote:

> We want to take the CWE Compatibility Program to the next level in the
> coming months.  CWE Compatibility - like its sibling compatibility
> program for CVE - is about recognizing the products and services that
> have implemented support for the enumeration.
>
> You can find more about the general activity on the CWE web site
> http://cwe.mitre.org/compatible/program.html
>
> All of the current declarations about support of CWE are focused on the
> first of three phases of the CWE Compatibility process.
>
> These can be seen at: http://cwe.mitre.org/compatible/organizations.html
>
> In order to move the CWE Compatibility Program to the second level and
> allow us to start the process for awarding CWE Compatibility to products
> and services we need to finalize - to the extent possible - the
> "Requirements and Recommendations for CWE Compatibility and CWE
> Effectiveness" document.
>
> See: http://cwe.mitre.org/compatible/requirements.html
>
> ...
>
> Please let us know if you have any suggestions on additional changes or
> concerns about this next step by 20 July 2010 so we can move the CWE
> initiative forward this summer.
>
> Regards,
>
> Bob & Steve

--
Paul E. Black ([hidden email])     100 Bureau Drive, Stop 8970
[hidden email]                 Gaithersburg, Maryland  20899-8970
voice: +1 301 975-4794              fax: +1 301 975-6097
http://hissa.nist.gov/~black/                                   KC7PKT

remove

Tim.Lorge



**********************************************************

Tim Lorge
IT Training Coordinator
Office of Information Technology Services
NJ Department of Health & Senior Services
PO Box 360
240 West State Street, 15th Floor
Trenton, NJ 08625


Re: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

Steven M. Christey-2
In reply to this post by Paul E. Black
On Tue, 3 Aug 2010, Paul E. Black wrote:

> My apologies for being well past the time set.  In Requirements
>  http://cwe.mitre.org/compatible/requirements.html
> A.2.8 says "(1) the rate of false positives is less than 100 percent
> ... and (2) the rate of false negatives is less than 100 percent"
> We understand these are not meant to apply to tiny test programs.
> Perhaps this understanding should be made explicit by adding
> something like, "for large bodies of code (1) the rate ..."

Paul,

The primary purpose of A.2.8 is to ensure that tools/capabilities *must*
work at least some of the time in order to be "CWE-compatible."  This is
borrowed from the CVE requirements (in place for around 9 years), whose
original intention was a small protection against abuse of the label.
Without this requirement, somebody could write up a program that spits out
CWE ID's at random and call itself compatible.

These requirements are focused on ensuring that a tool uses CWE
identifiers properly, not how good it is at finding problems.  (That's for
SATE and other efforts to help the community with, and for consumers to
decide).

So, I don't see a need to specify minimum requirements for which code the
tool works against.

- Steve

Re: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

BARBER Glynis [Applecross Senior High School]
To Whom it May Concern,
Please take me off your emails at once.
G. Barber

Re: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

Simon Brandhof-2

On Thu, Aug 5, 2010 at 6:19 AM, BARBER Glynis [Applecross Senior High School] <[hidden email]> wrote:
To Whom it May Concern,
Please take me off your emails at once.
G. Barber

Same request for me. I don't know why I'm subscribed to this list.
Thanks

RE: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

Nagakumar Somasundaram

Same here, please take me off the list.


Thanks and Regards,

Naga Kumar S | Amba Research

Ph +91 80 3980 8511 | Ph +91 80 4151 4411 | Mob +91 9448 365 785 | Fax +91 80 3980 8509 | VoIP 2044

Bangalore • Colombo • London • New York • San José • Singapore www.ambaresearch.com        


RE: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

security curmudgeon
Amazing, so many people aren't familiar with mail list 101. Check the
headers of every e-mail you receive from this list:

List-Help: <http://lists.mitre.org/cgi-bin/wa.exe?LIST=CWE-RESEARCH-LIST>,
           <mailto:[hidden email]?body=INFO%20CWE-RESEARCH-LIST>
List-Unsubscribe:
<mailto:[hidden email]>
List-Subscribe:
<mailto:[hidden email]>
List-Owner: <mailto:[hidden email]>
List-Archive:
<http://lists.mitre.org/cgi-bin/wa.exe?LIST=CWE-RESEARCH-LIST>

Please take note of the Unsubscribe address and use it.



On Thu, 5 Aug 2010, Nagakumar Somasundaram wrote:

: Same here, please take me off the list.

: On Thu, Aug 5, 2010 at 6:19 AM, BARBER Glynis [Applecross Senior High School] <[hidden email]> wrote:
:
: Please take me off your emails at once.

: Same request for me. I don't know why I'm subscribed to this list.

RE: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

security curmudgeon
On Thu, 5 Aug 2010, Chris Wysopal wrote:

: If the email doesn't have a hypertext link to click to unsubscribe most
: people can't unsubscribe.  

They really shouldn't be in a tech industry then.

: The question I have is how did they get subscribed in the first place?

Typically, and this applies to most lists, someone will subscribe, the
list goes dormant for a while, traffic flares up, short attention span
hits and they forget they subscribed in the first place, then the flood of
UNSUBSCRIBE mails pours forth.

RE: proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes

Steven M. Christey-2
On Thu, 5 Aug 2010, security curmudgeon wrote:

> Typically, and this applies to most lists, someone will subscribe, the
> list goes dormant for a while, traffic flares up, short attention span
> hits and they forget they subscribed in the first place, then the flood
> of UNSUBSCRIBE mails pours forth.

This has been our frequent experience with the CVE announcement list.  We
will be double-checking the people who unsubscribed to see if anything odd
happened, and possibly modifying our registration procedures to add in an
extra verification step.

All, apologies for the excess traffic.

- Steve