
I am writing a paper on "The Role of Architecture and Design in Software Assurance" and a commenter asked "Provide a stronger case for using the CWE over the CVE. Explain how CVE vulnerabilities relate to the design phase and static code analysis." As the article is more for software engineers and developers, I am looking for an accurate, clear, and concise explanation that speaks to that audience.

AviD
WaltHouser
  • What research have you done on your own? What are your thoughts? I'd expect you to do some research and thinking on your own before asking, and show us in the question what you've tried. – D.W. Jul 23 '14 at 23:33
  • The definitions of vulnerability and weakness in “National Information Assurance (IA) Glossary: CNSS Instruction No. 4009,” Committee on National Security Systems, 26 April 2010, page 72, are circular. The MITRE definitions https://cwe.mitre.org/documents/glossary/index.html#Vulnerability and https://cwe.mitre.org/documents/glossary/index.html#Weakness are more precise. The MITRE FAQ at http://cwe.mitre.org/about/faq.html#A.8 implies the significance of the distinction but does not IMO explain the key issues. – WaltHouser Jul 29 '14 at 18:06

2 Answers

Briefly: CVEs are for "known knowns" or specific vulnerabilities. CWEs are for "unknown knowns" or vulnerability types. Dynamic scanners are looking for instances of already-identified vulnerabilities. Static scanners do that, too, but one of their main advantages is that they are also looking for not-yet-identified new vulnerabilities.

An obvious example is that if you are testing code that the world has never encountered before, how could there already be a registered CVE about it? You can, however, talk about the type of problem, and that is what a CWE does.


As part of building the CVE, MITRE developed in 2005 a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts to generalize the CVE into common software weaknesses. However, while sufficient for CVE, those groupings were too rough to be used to identify and categorize the functionality offered by the code security assessment tool makers. The CWE List was created to better address those additional needs. CVE are akin to an inventory of traffic accidents while the CWE are analogous to the conditions (e.g. highway architecture, bridge and road design, traffic signage, driver practices, enforcement procedures) that lead to accidents. Given the large number of CVE and the process for reporting them, CVE references to architectural and design causes are intermittent and largely unverified. When generating findings from code scans, static code analysis tools can draw upon the CWE for weakness descriptions and mitigation recommendations; identifying the relevant CVE would be difficult given their specificity and their disconnection from the code that generated them.

D.W.
WaltHouser
  • This is not a discussion forum. Answers should not be used to ask questions. You might like to refer to the help center and [faq] for more information about how this site works. – D.W. Jul 23 '14 at 23:34
  • On the Ask a Question page http://security.stackexchange.com/questions/ask there is the option "Answer your own question – share your knowledge, Q&A-style" – WaltHouser Jul 29 '14 at 18:09
  • Yes, you are permitted to answer your own questions -- but please limit yourself to an answer. "What are your thoughts?" is inappropriate -- this is not a discussion forum, and you should not use the answer box to ask a question or solicit discussion. I've edited your answer accordingly. When answering your own question, it is particularly important to make sure you have done a reasonable amount of research before asking the question, and only ask if the answer is not apparent from standard resources. – D.W. Jul 29 '14 at 18:51
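Both answers above draw the same line: a CVE is a specific, already-catalogued vulnerability, so checking for one is an inventory lookup, while a CWE names a class of weakness that a static tool can look for in code nobody has reviewed before. The following Python is an added illustration of that distinction; it is not code from either answer, from MITRE or from any real scanner. `match_known_cves` looks components up in a constructed table whose CVE ids are placeholders, and `find_weaknesses` is a deliberately minimal regex check over constructed sample source, labelling hits with the real CWE classes for SQL injection (CWE-89) and OS command injection (CWE-78) together with the kind of mitigation note a tool draws from the CWE entry. The rules, the sample source and the component list are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed inventory of already-reported vulnerabilities, keyed by
# (component, version). The CVE ids are placeholders, not real entries.
KNOWN_CVES = {
    ("libexample", "1.2.3"): "CVE-YYYY-NNNN (placeholder)",
    ("widgetlib", "0.9"): "CVE-YYYY-MMMM (placeholder)",
}


def match_known_cves(components):
    """CVE-style check: look each (component, version) pair up in the inventory.

    This can only ever report "known knowns": a component nobody has filed a
    CVE against, or a fresh version of a known one, never matches.
    """
    return {pair: KNOWN_CVES[pair] for pair in components if pair in KNOWN_CVES}


@dataclass(frozen=True)
class Finding:
    line: int
    cwe: str          # weakness class, used as the vocabulary for the finding
    snippet: str
    mitigation: str   # the kind of recommendation a tool draws from the CWE entry


# Weakness patterns (assumed, toy regexes for this example). Each maps a code
# shape to a CWE class and a mitigation note; real analysers use data flow,
# not regexes, but the idea is the same: match the *type* of problem.
WEAKNESS_RULES = [
    (re.compile(r'\.execute\(\s*(f["\']|"[^"]*"\s*(\+|%))'), "CWE-89",
     "Build SQL with bound parameters, never by concatenating or formatting input."),
    (re.compile(r'shell\s*=\s*True'), "CWE-78",
     "Pass the command as an argument list without shell=True and validate the input."),
]


def find_weaknesses(source):
    """CWE-style check: scan source text for instances of weakness classes.

    Unlike the CVE lookup, this works on code the world has never seen,
    because it matches a pattern rather than a catalogued instance.
    """
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        for pattern, cwe, mitigation in WEAKNESS_RULES:
            if pattern.search(text):
                findings.append(Finding(number, cwe, text.strip(), mitigation))
    return findings


# Constructed sample source: brand-new code, so no CVE could exist for it,
# yet lines 3 and 12 are instances of well-known weakness classes.
SAMPLE_SOURCE = """\
def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    return cur.fetchall()

def lookup_safe(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()

def reachable(host):
    return subprocess.run("ping -c 1 " + host, shell=True).returncode == 0
"""

# Constructed component list for the sample project: one version matches the
# inventory, the next version of the same library and a brand-new library do not.
SAMPLE_COMPONENTS = [("libexample", "1.2.3"), ("libexample", "1.2.4"), ("newlib", "0.1")]


if __name__ == "__main__":
    print("CVE matches:", match_known_cves(SAMPLE_COMPONENTS))
    for f in find_weaknesses(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.cwe}: {f.snippet}\n    mitigation: {f.mitigation}")
```

Running it shows the asymmetry the answers describe: the inventory lookup reports only the one catalogued version and is silent about everything else, while the weakness check flags line 3 and line 12 of code that has never been published, and says nothing about the parameterised query on line 8.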