How to best handle creation of new CWE style data

Kurt Seifried

Jan 10, 2022, 10:27:18 PM
to GSD Discussion Group
So the gsd-database repo is for vulnerabilities/weaknesses/risks/etc.

I'm now on the board of CWE (https://cwe.mitre.org/) and, unfortunately, things are not moving very quickly. I have been pushing for greater transparency in the creation, modification and retiring of CWEs; it may happen, it may not, we'll see.

It's clear we need more CWE coverage, e.g. cloud-specific items, blockchain and a lot of other newer technologies aren't really covered well, if at all.

I don't think having this discussion purely on email lists etc. makes sense; we need somewhere to put the artifacts and massage them into shape. A spreadsheet isn't ideal, but is OK for an overview, e.g.:


My general thinking is, workflow-wise:

Somewhere to discuss this stuff "hey what about?"
Somewhere to capture it "at a glance" once it gets a bit more concrete, e.g. a spreadsheet view (Google Drive?)
Somewhere to work on the final version, e.g. one issue per file, JSON, CWE+more

Which sounds like a new repo is best suited for this (especially discussion via issues), gsd-academic? gsd-definitions? 



Kurt Seifried (He/Him)
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance