The Case for Common Flaw Enumeration

Software acquirers want assurance that the software products they are obtaining have been reviewed for known types of security flaws. The acquisition groups in large government and private organizations are moving to make such reviews part of future contracts. The tools and services that can be used for this type of review are, at best, fairly new, and there is no nomenclature, taxonomy, or standard that defines the capabilities and coverage of these tools and services. This makes it difficult to compare them and decide which tool or service is best suited for a particular job. A standard taxonomy of software security vulnerabilities can serve as a unifying language of discourse and as a measuring stick for tools and services. By leveraging the diverse thinking on this topic from academia, the commercial sector, and government, we can pull together the most valuable breadth and depth of content and structure to serve as a unified standard. As a starting point, we plan to leverage the wide acceptance and use of the Common Vulnerabilities and Exposures (CVE) list of publicly known software security flaws. In conjunction with industry and academia, we propose to extend the coverage of the CVE concept [1] into security-based code assessment tools and services. Our objective is to help shape and mature this new code security assessment industry and to dramatically accelerate the use and utility of these capabilities for organizations reviewing the software systems they acquire or develop.