How to best handle creation of new CWE style data

[Kurt Seifried]

So the gsd-database repo is for vulnerabilities/weaknesses/risks/etc.

I'm now on the board of CWE (https://cwe.mitre.org/) and unfortunately, things are not moving very quickly, I have been pushing for greater transparency in the creation, modification and retiring of CWE's, it may happen, it may not, we'll see.

It's clear we need more CWE coverage, e.g. cloud-specific items, blockchain and a lot of other newer technologies aren't really covered well if at all. 

I don't think having this discussion purely on email lists/etc makes sense, we need somewhere to put the artifacts and massage them into shape. A spreadsheet isn't ideal, but is ok for an overview, e.g.:

https://docs.google.com/spreadsheets/d/1HIM3BH8Cgth27ED4ruy9fXOpbOUAPAGY7merlZiE6_U/edit#gid=1028635246

My general thinking is, workflow wise:

Somewhere to discuss this stuff "hey what about?"

Somewhere to capture it "at a glance" once it gets a bit more concrete, e.g. a spreadsheet view (Google Drive?)

Somewhere to work on the final version, e.g. one issue per file, JSON, CWE+more

Which sounds like a new repo is best suited for this (especially discussion via issues), gsd-academic? gsd-definitions? 

Kurt Seifried (He/Him) Chief Blockchain Officer and Director of Special Projects Cloud Security Alliance e: ksei...@cloudsecurityalliance.org