Software Vulnerability Index Making Progress RRS feed

  • Question

  • The Common Weakness Enumeration (CWE) project expects to publish the sixth iteration of their software vulnerabilities index in April, and says the final draft of the encyclopedia should be ready later in the year. The security experts involved in CWE continue to aggregate and organize the enormous amount of data on software flaws that they have collected, and lately they have focused more on testing commercial security scanning tools to determine their effectiveness. The applications target 45 percent of the 600 common vulnerabilities that have been entered into the CWE index thus far. "We found that less than half of what we already have in CWE is covered by these tools, so this helps prove that there are a lot of known issues out there that aren't being addressed," says Citigal's Sean Barnum. "We also thought that the tools would look for the same types of things, but they are actually very different, and there's not a lot of overlap; that's something that developers need to be aware of as they choose tools; you want to right set for aggregated coverage." A central resource on common flaws is viewed as a helpful tool for improving software quality, and project participants believe it could lead to a common language and standard procedures for addressing the loopholes in source code today. The Department of Homeland Security is sponsoring the CWE initiative.
    Friday, March 9, 2007 7:53 AM