SUMMARY
Alec Summers from MITRE discusses the CWE program's evolution, focusing on federation strategies, usability improvements, and future development plans for more accurate weakness tracking.
IDEAS
CWE program shifted to federation model in 2019 to improve content development speed
Program contains 938 weakness types, with more being added as new classes of weakness are identified
Current CWE website has significant usability issues with its "wall of text" approach
Federation model helps minimize technical debt and expands expertise throughout ecosystem
Program is developing new visualization capabilities beyond just text descriptions
CWE entries are organized in a hierarchy from abstract "pillars" to specific variants
Many CWE entries contain redundant information across different sections
AI-related weaknesses require new approaches and language for description
Program is launching a content development repository on GitHub for collaboration
Hardware weaknesses have different documentation needs than software ones
Manual verification of weakness mappings is resource-intensive and time-consuming
Program struggles with balancing abstract vs specific weakness classifications
Data quality remains a significant challenge in CWE mapping
Centralized approach to root cause mapping doesn't scale effectively
LLM chatbots show promise but mixed results when used to pick the CWE for a vulnerability
Program aims to reduce redundancy and improve clarity in weakness descriptions
Hardware CWE content often lacks detection method information
Community partnership is crucial for improving weakness coverage
Program needs better tools for navigating between different views and contexts
Visual representations could help explain complex weakness concepts
QUOTES
"The people who own the code are best positioned to provide this information"
"When you go to any entry in CWE, chances are you will be greeted with a very large wall of text"
"We have heard feedback that the CWE user experience needs to improve"
"Federation was the turning point catalyst for that in the hardware CWE content"
"Vulnerabilities as they are discovered later in the life cycle are more expensive and more difficult to deal with"
"We cannot manually verify those; we do know, based on previous years, that there are data quality problems"
"The working groups and SIGs are open to the public, anybody's welcome to join"
"We need to leverage the community expertise to provide that information"
"The program itself is not necessarily responsible for tracking"
"The data quality problem is definitely a thing"
FACTS
CWE program started around 2007
Program shifted to federation model in 2019
Currently contains 938 weakness types
Publishes annual "Top 25 Most Dangerous Software Weaknesses" list
Program includes about 100-104 hardware-related weaknesses
Recent mapping analysis covered 22 different groupings of weaknesses
CWE schema version 7.0 added a Mapping_Notes element to each entry, giving per-entry usage guidance (Allowed, Allowed-with-Review, Discouraged, Prohibited) and suggested alternatives
Program introduced hardware weaknesses in 2019
Content Development Repository (CDR) launching in Spring
Program uses GitHub for collaboration
Manual review process examined 7,466 CVE records in recent analysis
5,347 CVE records needed remapping in recent analysis
276 CNAs currently provide CWE information
Recent dataset included approximately 44,000 CVE records
REFERENCES
CWE (Common Weakness Enumeration)
CVE (Common Vulnerabilities and Exposures)
National Vulnerability Database (NVD)
OWASP Top 10
GitHub
SQL injection (CWE-89)
CWE Top 25 Most Dangerous Software Weaknesses
Content Development Repository (CDR)
Hardware Special Interest Group
User Experience Working Group
Intel
AMD
Arm
RISC-V
CISA
MITRE ATT&CK framework
Decider tool (CISA)
RECOMMENDATIONS
Join the root cause mapping working group to contribute expertise
Use the new filtering capabilities on CWE website to navigate content
Focus on mapping to actionable weakness types (Base or Variant level) rather than abstract ones (Pillar or Class level)
Contribute to the Content Development Repository on GitHub
Leverage community expertise for expanding program coverage
Improve visualization capabilities for complex weaknesses
Reduce redundancy in CWE descriptions
Implement better search and navigation tools
Create more precise mapping guidance
Develop better tools for weakness identification
Use each entry's Mapping_Notes usage guidance (Allowed, Allowed-with-Review, Discouraged, Prohibited) and its suggested alternatives to pick the right CWE
Focus on federation rather than centralization
Improve detection method documentation
Consider AI and emerging technology impacts on weakness classification
Enhance cross-reference capabilities between related weaknesses
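As an added example (not code from the talk, the summarizer, or the CWE program), the following Python checker works the mapping-quality problem described under IDEAS and FACTS and the "actionable, not abstract" and "use mapping notes" recommendations above. It reads a catalog in the shape of the CWE schema 7.0 XML, where each Weakness carries a Mapping_Notes element with a Usage of Allowed, Allowed-with-Review, Discouraged or Prohibited and optional Suggestions, then grades a batch of CNA-style CVE-to-CWE choices. Assumptions to note: the catalog excerpt and the four mapping records are constructed for this example, the rationale and comment strings are paraphrases rather than CWE text, and the exact element layout should be checked against the current cwec_v4.x.xml from cwe.mitre.org before running this on real data.

```python
"""Grade CVE->CWE mappings against CWE schema 7.0 Mapping_Notes. Added example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CWE_NS = {"cwe": "http://cwe.mitre.org/cwe-7"}

# Constructed catalog excerpt in the shape of cwec_v4.x.xml (assumption: element names
# follow schema 7.0). Usage values and Abstraction levels are CWE's own vocabulary;
# the rationale/comment text is paraphrased by hand, not copied from cwe.mitre.org.
SAMPLE_CWE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7" Name="CWE" Version="4.14">
  <Weaknesses>
    <Weakness ID="707" Name="Improper Neutralization" Abstraction="Pillar">
      <Mapping_Notes>
        <Usage>Prohibited</Usage>
        <Rationale>Pillar-level entry, too abstract to be actionable.</Rationale>
        <Reasons><Reason Type="Abstraction"/></Reasons>
      </Mapping_Notes>
    </Weakness>
    <Weakness ID="20" Name="Improper Input Validation" Abstraction="Class">
      <Mapping_Notes>
        <Usage>Discouraged</Usage>
        <Rationale>Often used as a catch-all when a more specific entry applies.</Rationale>
        <Reasons><Reason Type="Frequent Misuse"/></Reasons>
        <Suggestions>
          <Suggestion CWE_ID="89" Comment="Input reaches a SQL query"/>
          <Suggestion CWE_ID="79" Comment="Input reaches a web page"/>
        </Suggestions>
      </Mapping_Notes>
    </Weakness>
    <Weakness ID="89" Name="SQL Injection" Abstraction="Base">
      <Mapping_Notes><Usage>Allowed</Usage><Reasons><Reason Type="Acceptable-Use"/></Reasons></Mapping_Notes>
    </Weakness>
    <Weakness ID="79" Name="Cross-site Scripting" Abstraction="Base">
      <Mapping_Notes><Usage>Allowed</Usage><Reasons><Reason Type="Acceptable-Use"/></Reasons></Mapping_Notes>
    </Weakness>
  </Weaknesses>
</Weakness_Catalog>
"""

# Constructed CNA-style records (not real CVE entries): what a CNA might submit.
SAMPLE_CNA_MAPPINGS = [
    {"record": "sample-1", "cwe": "CWE-20", "summary": "id parameter concatenated into a SQL statement"},
    {"record": "sample-2", "cwe": "CWE-89", "summary": "search term concatenated into a SQL statement"},
    {"record": "sample-3", "cwe": "CWE-707", "summary": "unescaped comment rendered in the page"},
    {"record": "sample-4", "cwe": "CWE-9999", "summary": "typo in the CWE id"},
]


@dataclass
class CweEntry:
    cwe_id: str
    name: str
    abstraction: str          # Pillar, Class, Base, Variant (or Compound)
    usage: str                # Allowed, Allowed-with-Review, Discouraged, Prohibited
    rationale: str = ""
    suggestions: list = field(default_factory=list)   # [(CWE_ID, Comment), ...]


def load_catalog(xml_text: str) -> dict:
    """Parse the catalog into {numeric id string: CweEntry}, reading Mapping_Notes."""
    root = ET.fromstring(xml_text)
    catalog = {}
    for w in root.iterfind("cwe:Weaknesses/cwe:Weakness", CWE_NS):
        notes = w.find("cwe:Mapping_Notes", CWE_NS)
        usage = rationale = ""
        suggestions = []
        if notes is not None:
            usage = notes.findtext("cwe:Usage", default="", namespaces=CWE_NS).strip()
            rationale = notes.findtext("cwe:Rationale", default="", namespaces=CWE_NS).strip()
            for s in notes.iterfind("cwe:Suggestions/cwe:Suggestion", CWE_NS):
                suggestions.append((s.get("CWE_ID"), s.get("Comment", "")))
        catalog[w.get("ID")] = CweEntry(w.get("ID"), w.get("Name"), w.get("Abstraction"), usage, rationale, suggestions)
    return catalog


def review_mapping(catalog: dict, cwe_id) -> dict:
    """Grade one CWE choice: 'ok', 'review', 'remap' or 'unknown', with the entry's suggestions."""
    key = str(cwe_id).upper().removeprefix("CWE-")
    entry = catalog.get(key)
    if entry is None:
        return {"cwe": f"CWE-{key}", "usage": "", "verdict": "unknown", "suggestions": [], "note": "not in catalog"}
    if entry.usage in ("Discouraged", "Prohibited"):
        verdict = "remap"
    elif entry.usage == "Allowed-with-Review" or entry.abstraction in ("Pillar", "Class"):
        verdict = "review"          # Allowed but abstract: check a more specific child exists
    else:
        verdict = "ok"
    return {"cwe": f"CWE-{key}", "usage": entry.usage, "verdict": verdict,
            "suggestions": [f"CWE-{sid}" for sid, _ in entry.suggestions], "note": entry.rationale}


def triage(catalog: dict, mappings: list) -> list:
    """Grade a batch of submitted records; the caller decides what to send back to the CNA."""
    return [dict(record=m["record"], **review_mapping(catalog, m["cwe"])) for m in mappings]


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_CWE_XML)
    for r in triage(cat, SAMPLE_CNA_MAPPINGS):
        print(f"{r['record']:9} {r['cwe']:9} {r['usage']:11} -> {r['verdict']:7} {r['suggestions'] or r['note']}")
```

The verdicts are deliberately mechanical: the script cannot tell which suggestion fits a given record (sample-1 still needs a human to choose CWE-89 over CWE-79 from the summary), but it removes the entries a reviewer should never have to argue about and points at the entry's own suggested alternatives, which is the kind of precision the mapping notes were added to support.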