There are numerous systems that do not need an active internet connection to run software and carry out their functions. A quick example is software running on geographically distributed systems used in industries like transportation, mining, etc. Do these systems need external connectivity to download software? Yes. Do they need always-on connectivity to run the software and execute their steady state functions? Absolutely not.
I agree that we probably need to better account for the cloud space, but to state that there is not so much a case for standalone software is incorrect. Regards, Shravan From: Kurt Seifried <k...@seifried.org> Sent: Wednesday, June 1, 2022 8:32 AM To: Kevin Keen <kk...@colsa.com> Cc: Steve Grubb <sgr...@redhat.com>; Steven M Christey <co...@mitre.org>; CWE Research Discussion <firstname.lastname@example.org> Subject: [EXTERNAL]: Re: [External] - Re: Bad loop construct I’d challenge you to use your phone or computer without an internet connection. Realistically for the work and activity most engage in on compute devices, connected software is the default now. On Jun 1, 2022, at 7:12 AM, Kevin Keen <kk...@colsa.com<mailto:kk...@colsa.com>> ZjQcmQRYFpfptBannerStart Be Careful With This Message The sender's identity could not be verified and someone may be impersonating the sender. Please use caution responding to this email or opening any attachments. ZjQcmQRYFpfptBannerEnd I’d challenge you to use your phone or computer without an internet connection. Realistically for the work and activity most engage in on compute devices, connected software is the default now. On Jun 1, 2022, at 7:12 AM, Kevin Keen <kk...@colsa.com<mailto:kk...@colsa.com>> wrote: I agree that CWEs could use some updates. In addition to possible new CWEs, I remember looking at a few that didn't have code examples and thinking that they could benefit from that. I would however, push back just a little on stand alone software not being a common case. I think it depends on your area. For the average at home user a trend toward cloud is probably true. But we see a lot of software in the field I'm in and it is rarely ever cloud based. ________________________________ From: Kurt Seifried <k...@seifried.org<mailto:k...@seifried.org>> Sent: Tuesday, May 31, 2022 8:21 PM To: Steve Grubb <sgr...@redhat.com<mailto:sgr...@redhat.com>> Cc: Steven M Christey <co...@mitre.org<mailto:co...@mitre.org>>; CWE Research Discussion <email@example.com<mailto:firstname.lastname@example.org>> Subject: [External] - Re: Bad loop construct CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On a related item, I'm doing a CWE a week with my Smartcontracts working group (~10 total and then we'll release a short paper on it at the end of summer) at the Cloud Security Alliance. Longer term my plan is to look at all the stuff covered in places like rekt.news or Microsoft blog entries and so on, and make sure it maps cleanly to a CWE, and if not, to make a CWE for it. E.g. so far: [cid:image001.png@01D8759E.1110B5E0] I've submitted 1, 3, and 4 so far, and 5 are going in next week (3 for 1 sale =). In my mind every CVE/vuln/etc writeup should map to a CWE, and I don't mean CWE-20. We literally need a few hundred more CWE's, especially in the smart contract/blockchain space, and the Cloud SaaS space. CWE is showing its age with respect to "software" being something you download and run locally. That's not the case so much anymore. On Tue, May 31, 2022 at 3:30 PM Steve Grubb <sgr...@redhat.com<mailto:sgr...@redhat.com>> wrote: Hello everyone, On Tuesday, May 24, 2022 5:49:57 PM EDT Steven M Christey wrote: > Kurt said “I've seen code with loops of one because of future growth, or > because various options were removed and it's easier than refactoring the > code” – so a CWE-related writeup wouldn’t want to inadvertently call all > loops of size 1 “bad.” From what I can see, it's a mixed bag. There are cases like Kurt mentioned, but also some that are thinko's. > But remember that a weakness is about a <mistake> that only becomes a > vulnerability <under the right conditions.> Code analysis tools report > weaknesses all the time, but determining false positives is a different > story that’s not in CWE’s purview. Similarly, external parties can decide > which CWEs become a “requirement” or not – it’s primarily CWE’s > responsibility to provide the identifier and explanation for the mistake, > and how it can (at least sometimes) contribute to vulnerabilities. > > In this “dir” example, we can’t be clear whether the developer made a > mistake or not. But we can observe that there’s a loop construct with only > one element, and that it’s (sometimes) going to be a mistake. And it seems > like such constructs could occur in most languages. > > I’m not sure how deep CWE should go to cover “just bad syntax,” but for > this example, I think CWE-670 is probably the closest match in spirit – > the algorithm (probably) isn’t implementing the logic that the programmer > thought they were implementing. There’s a good argument for CWE-1164 as > well, though, since the developer might be doing this intentionally even > though the code is not technically essential. In the end, we chose 1164. It was added to a csv file where we are cateloging warnings from a couple tools and mapping to CWE. It is here in case anyone finds it useful: https://github.com/csutils/csmock/blob/main/cwe-map.csv<https://urldefense.com/v3/__https:/www.google.com/url?q=https:**Ausg02.safelinks.protection.office365.us**Aurl*3Dhttps*253A*252F*252Fgithub.com*252Fcsutils*252Fcsmock*252Fblob*252Fmain*252Fcwe-map.csv*26data*3D05*257C01*257Ckkeen*2540colsa.com*257Cf518d89fcb464d325ecb08da436d4ba5*257C9821086b78824b43a5edb1e979bee31f*257C1*257C0*257C637896433982029055*257CUnknown*257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0*253D*257C3000*257C*257C*257C*26sdata*3DO4u39YUHsyfUDc3141c8pXCXDoQ3yKlZAjmB*252BZxaQN0*253D*26reserved*3D0&source=gmail-imap&ust=1654693924000000&usg=AOvVaw07Gu9CelyBkN9VGl7JBsIq__;Ly8vPyUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUl!!NUSCbv4_!TTSJyLuIkzKijliKuaTKA5VtAucPQ20RjEZsx8QLDQnAYvh5QD9d4JYScGrtLLIYIi9DgRSXByekWhDfMh7r$> Thanks for the help! -Steve -- Kurt Seifried (He/Him) k...@seifried.org<mailto:k...@seifried.org> ________________________________ The information contained in this e-mail and any attachments from COLSA Corporation may contain company sensitive and/or proprietary information, and is intended only for the named recipient to whom it was originally addressed. If you are not the intended recipient, any disclosure, distribution, or copying of this e-mail or its attachments is strictly prohibited. If you have received this e-mail in error, please notify the sender immediately by return e-mail and permanently delete the e-mail and any attachments. COLSA Proprietary This email and any attachments are only for use by the intended recipient(s) and may contain legally privileged, confidential, proprietary or otherwise private information. Any unauthorized use, reproduction, dissemination, distribution or other disclosure of the contents of this e-mail or its attachments is strictly prohibited. If you have received this email in error, please notify the sender immediately and delete the original. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.