“Common Weakness Enumeration” Added to CVE Web Site

March 16, 2006

On March 15, 2006, according to the official news from mitre.org, a new effort leveraging CVE, entitled the "Common Weakness Enumeration (CWE)", was added to the GET CVE page on the CVE Web site.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List's 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and a list of Sources.

SAML declares victory, closes in on a billion IDs

March 16, 2006

Personally I think there are three trends in the security management area. The first is more regulations, best practices, frameworks, standards and laws, so organizations and enterprises must adapt themselves to comply with these restrictions and suggestions. The second is that security is penetrating deeper and deeper into core processes and business applications. As proof, we can see that security managers are paying more and more attention to data and application security. The third is integration and platforms, i.e. security information should be shared and exchanged between security devices and functions, so that an architecture similar to SOA and middleware will be introduced into security technologies.

So a war for the backend standard is going on among Microsoft, IBM, Sun, CA, Oracle and other players, or, in brief, between MS's Passport and SAML. OASIS

As a de facto standard related to the above three trends, SAML has been of interest to me for a long time. It is an important standard for web services and browser/server (B/S) applications, developed and maintained by ID-FF and OASIS. It helps build up an open IAM base on which other security mechanisms and policies will run.

See the following report at techtarget.com by Rich Seeley.
