Security Hacking Stories

Software Vulnerability Taxonomy

Recently we reviewed the report functionality of a vulnerability management and reporting tool called Code Dx.

It was discovered that the number of results collected by Code Dx did not exactly match the number of issues reported by the testing tool, Veracode. It is important to understand that Code Dx did not remove any of the issues imported from Veracode; rather, it grouped issues according to the classification defined in the Analysis Configuration.

In the Code Dx configuration, a definition for CWE-20 had been created to group all of the issues that were being reported with CWE-20.
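To make the counting difference concrete, here is an added Python example (not code from Code Dx, Veracode, or the original post) that groups a constructed list of scanner findings by CWE id and then reconciles the raw count against the grouped count. The field names and the sample findings are assumptions; the point is the check itself: after grouping, the number of issues drops, but every original finding id must still be present in exactly one group.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of scanner findings, loosely shaped like a tool export.
# The field names ("id", "cwe", "file", "line") are assumptions for this example.
FINDINGS: List[Dict[str, object]] = [
    {"id": 101, "cwe": 20, "file": "api/upload.py", "line": 42},
    {"id": 102, "cwe": 20, "file": "api/search.py", "line": 17},
    {"id": 103, "cwe": 20, "file": "web/forms.py", "line": 88},
    {"id": 104, "cwe": 79, "file": "web/render.py", "line": 9},
    {"id": 105, "cwe": 89, "file": "db/query.py", "line": 33},
    {"id": 106, "cwe": 89, "file": "db/report.py", "line": 12},
]


def group_by_cwe(findings: List[Dict[str, object]]) -> Dict[int, List[Dict[str, object]]]:
    """Collapse raw findings into one entry per CWE id, keeping every finding as a member."""
    groups: Dict[int, List[Dict[str, object]]] = defaultdict(list)
    for finding in findings:
        groups[int(finding["cwe"])].append(finding)
    return dict(groups)


def reconcile(findings: List[Dict[str, object]],
              groups: Dict[int, List[Dict[str, object]]]) -> Tuple[int, int, List[int]]:
    """Return (raw_count, grouped_count, missing_ids).

    raw_count is what the scanner reported, grouped_count is what a grouping
    report shows, and missing_ids lists any finding that was dropped rather
    than merely grouped. An empty missing_ids means nothing was lost.
    """
    raw_ids = {int(f["id"]) for f in findings}
    grouped_ids = {int(f["id"]) for members in groups.values() for f in members}
    return len(findings), len(groups), sorted(raw_ids - grouped_ids)


if __name__ == "__main__":
    groups = group_by_cwe(FINDINGS)
    raw, grouped, missing = reconcile(FINDINGS, groups)
    print(f"raw findings: {raw}, grouped issues: {grouped}, dropped: {missing}")
    for cwe, members in sorted(groups.items()):
        print(f"CWE-{cwe}: {len(members)} finding(s)")
```

With the sample above, six raw findings become three grouped issues (three of them under CWE-20), and the reconciliation returns no missing ids, which is the outcome the post describes: a smaller headline number without any finding being discarded.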

CWE-20 is the Common Weakness Enumeration for Invalid Input Validation. CWE-20 currently covers over 4047 CVEs (Common Vulnerability Enumeration) which have been identified as instances of this weakness. The MITRE Corporation maintains both the CWE and CVE lists; here are just a few references.

CWE - Common Weakness Enumeration
CVE - Common Vulnerabilities and Exposures
CVE - About CVE

Now a little more on taxonomy. There are several views on how vulnerabilities should be classified. Dr Gary McGraw, who developed the ITS4 product that was later transformed into Fortify, developed the Seven (plus one) Pernicious Kingdoms: https://cwe.mitre.org/documents/sources/SevenPerniciousKingdoms.pdf

The OWASP organization classifies their issues starting with the OWASP Top 10 (the 2013 edition).

The SANS Institute publishes the Top 25.

The important thing to remember is that no matter how we classify the issues we find in our software, what matters most is helping the developers know that they exist, and how to fix them.