In the past year or so, I've been of a growing mindset that one of the hidden powers of CWE and other weakness/bug/vulnerability/attack taxonomies would be in evaluating secure coding practices: if you do X and Y, then what does that actually buy you, in terms of which vulnerabilities are fixed or mitigated? We capture some of that in CWE with CAPEC mappings for attacks.
We've also mapped to the CERT C Secure Coding standard, as reflected in this CWE view: http://cwe.mitre.org/data/graphs/734.html (for the complete/detailed listing, click the "Slice" button on the upper right and sift through the Taxonomy Mappings). Or, check out the coverage graphs that show where the coding standard fits within the two main CWE hierarchical views: http://cwe.mitre.org/data/pdfs.html

Now Microsoft has released a paper that shows how their SDL practices address the Top 25, like they did when the OWASP Top Ten came out. To me, this seems like a productive practice and a potential boon to consumers, *if* other vendors adopt similar practices.

Are there ways that the software security community can further encourage this type of thing from vendors? Should we? Gary, do your worst ;-)

http://blogs.msdn.com/sdl/archive/2009/01/27/sdl-and-the-cwe-sans-top-25.aspx

- Steve

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.