We're familiar with the CWE project and there's a lot of overlap between our vulnerabilities - not surprising given that most came from the same sources. Where possible we're trying to keep the same names. We've found that some of the topics are really attacks, and have organized them accordingly. One of the really great things that CWE has done is providing links to actual CVE entries demonstrating each of the vulnerabilities.
We started Honeycomb to:
- create a complete library of application security building-blocks, including principles, threats, attacks, vulnerabilities, and countermeasures
- enable the rich interconnection of those building-blocks in ways that a strict one-dimensional taxonomy cannot allow
- encourage security experts in the community to share their knowledge, argue, edit, discuss, and resolve in wisdom of crowds fashion

--Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 10, 2006 7:06 PM
To: sc-l@securecoding.org
Subject: [***SPAM (header)***] - Re: [SC-L] A New Open Source Approach to Weakness - Email found in subject

The Honeycomb project seems interesting. This sounds a lot like the Common Weakness Enumeration (CWE - see http://cwe.mitre.org) effort that has been going on for the past year as part of the DHS software assurance metrics and tool evaluation project. The CWE is an aggregation of sources including Seven Pernicious Kingdoms, CLASP, PLOVER, ten from OWASP, the Web Security Threat Classification, 19 Deadly Sins, etc. that describes software weaknesses (to date ~500 of them) in a consistently named fashion and provides a taxonomy to organize the relationships between the weaknesses. The classification comes with the help of a large community effort including NIST, MITRE, DHS, NSA, many commercial organizations, academia, and the public. And, I believe there are currently 15-20 tool vendors, including Fortify Software and Secure Software, that are contributing and mapping their content to the CWE.
Thanks,
Michael Gegick

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php