All,
MITRE plans to release CWE 1.0 sometime in August. Here is a summary
of our main goals for that release.

1) Finish existing systemic changes. We want CWE 1.0 to represent a
stable point in CWE's development, which means finalizing the
systemic changes that we've been making over the past year or two.
For this, we are de-prioritizing general "content maintenance" -
i.e., localized modification of individual entries - except as
those modifications might relate to the systemic changes. After
CWE 1.0 is released, we plan to move more into a content
development and refinement mode, in which there will be greater
emphasis on accuracy and completeness of individual entries.

2) Stable schema. We have been making significant schema changes over
the past year, primarily to support our development of views, as
well as the needs of new stakeholders. Our primary goal for CWE
1.0 is to have the schema be stable. We are conducting an internal
review and have outlined the major limitations that still need to
be addressed.

3) Viable views. We have been developing the view concept and
implementation for almost a year now, and we think we finally have
a handle on how we want to support them. So CWE 1.0 will have
multiple views that support different use-cases and stakeholders,
and the schema infrastructure will be in place to support adding
more views without requiring schema modifications.

4) Refinement of the Natural Hierarchy. We have come to realize that
we need to do a better job of communicating what we're trying to
accomplish with the Natural Hierarchy (CWE-1000). In short, we are
attempting to build a classification scheme based on the inherent
features of a large portion of CWE weaknesses, and on their
inter-relationships. My personal hope is that it will take
Seven Pernicious Kingdoms and CLASP one step further. All past
versions of CWE have had multiple ways of grouping weaknesses
together that would lead to difficulty or inconsistency in
performing mappings. It would also be difficult to infer where
knowledge gaps existed. The MITRE team has found that the ongoing
development of the natural hierarchy has helped us significantly in
understanding much of what we have in CWE, and why. Academic
researchers might be especially interested in its development.
Ironically, the natural hierarchy might not seem so "natural" to
regular developers; so, we need to actively support the developer
view. This is one major challenge that we face.

In the coming weeks, we will be releasing a more detailed white
paper to the community on MITRE's goals for the natural hierarchy.
Traces of it exist in CWE Draft 9, but it is far from complete (and
we've since made significant inroads in our 1.0 development). To
get an idea of where we are headed, see: CWE-664 ("Insufficient
Control of a Resource Through its Lifetime"), CWE-682 ("Incorrect
Calculation"), and CWE-691 ("Insufficient Control Flow
Management"). If you are particularly interested in this effort,
then contact us offline and we will give you our current status.

5) More active community engagement. Leading up to CWE 1.0, we will
be actively engaging community members on important issues for CWE.
This discussion list will be one of the main places in which we
solicit feedback. So, this summer is the time to voice any
concerns you have.

6) Resolution of outstanding issues. In the fall of 2007, we brought
up various issues related to CWE content maintenance, including
which types of issues we should include, and what level of
abstraction we should use. We will be actively resolving many of
those issues. See the Working Documents section at
http://cwe.mitre.org/community/workingdocs.html for a refresher.

7) Identifying CWE gaps with respect to current tools, including
guidance for mapping. Several tool vendors have sent us updated
lists of their checks, some of which had CWE mappings. We are
evaluating these mappings to ensure that CWE 1.0 will be able to
support the existing perspectives under which these tools operate.
This might include creating high-level entries that act as
placeholders for future content creation of lower-level entries.
We will not have the time to create new entries for every gap that
we encounter, at least by the release of 1.0, but we will have a
solid understanding of what remains to be done.