proposed CWE Compatibility and CWE Effectiveness Requirements 1.0 changes


Robert A. Martin
Hello, (apologies for the double send - but I changed the links to
avoid this being mis-flagged as spam)

Hopefully everyone on the CWE Research List is doing well and enjoying
summer.  We have a proposal we would like your feedback on.

We want to take the CWE Compatibility Program to the next level in the
coming months.  CWE Compatibility - like its sibling compatibility
program for CVE - is about recognizing the products and services that
have implemented support for the enumeration.

You can find more about the general activity on the CWE web site
[cwe.mitre.org/compatible/program.html]

All of the current declarations about support of CWE are focused on the
first of three phases of the CWE Compatibility process.

These can be seen at: [cwe.mitre.org/compatible/organizations.html]

In order to move the CWE Compatibility Program to the second level and
allow us to start the process for awarding CWE Compatibility to products
and services we need to finalize - to the extent possible - the
"Requirements and Recommendations for CWE Compatibility and CWE
Effectiveness" document.

See: [cwe.mitre.org/compatible/requirements.html]

While it will be a while before we can finalize the portion of this
document that relates to CWE Effectiveness, we believe we are at the
point of definitively describing CWE Compatibility's requirements.

The only proposed change to the document, originally posted in December
2006, is to move the "CWE-Coverage" requirement from one for "CWE
Effectiveness" to one for "CWE Compatibility".

Basically the "CWE-Coverage" requirement is to make a publicly available
document (pdf, word document, or web page) that clearly articulates the
CWE Identifiers that a product or service believes it covers in its
capability offering.  For an assessment tool or service this would be
which CWE Identifiers they look for; for an education or repository it
would be which CWE Identifiers they offer information or training on.

This clarity of stating the intended scope of a capability will help
users and prospective users to understand what a capability is trying to
accomplish/focus on and help manage their expectations.

So the change is to change the wording of item 2.16 from:

2.16) For CWE Effectiveness the Capability's publicly available
documentation MUST explicitly list the CWE identifiers that the Owner
considers the Capability to be effective at locating in software
("CWE-Coverage").

to:

2.16) For CWE Compatibility the Capability's publicly available
documentation MUST explicitly list the CWE identifiers that the Owner
considers the Capability to be effective at locating in software
("CWE-Coverage").

With this change we will promote the document to version 1.0 and proceed
to create a CWE Compatibility Questionnaire that can be used to express how
a particular capability has fulfilled the CWE Compatibility requirements.

Please let us know if you have any suggestions on additional changes or
concerns about this next step by 20 July 2010 so we can move the CWE
initiative forward this summer.

Regards,

Bob & Steve