In the article Improving Software Security by Eliminating the CWE Top 25 Vulnerabilities, Michael Howard walks through the CWE Top 25 list (CWE is the Common Weakness Enumeration, a catalogue of weakness classes rather than of individual bugs). He explains how attackers exploit each weakness class to do their "work," and how best to combat it. The article is very helpful for understanding what exactly CWE is and how it can and should be used.
Each of the 25 CWE entries is described and possible mitigation strategies are mentioned. (Note that these are CWEs, i.e. weakness classes, not CVEs, which identify specific vulnerabilities in specific products.) This is useful in theory, but what needs to be analyzed is how to translate these theories into practice. It is one thing to say a weakness can be mitigated by such-and-such strategies; actually translating those strategies into developer aids is what we are planning to do.
So that's the introduction. We are a team of three students at Rochester Institute of Technology, New York, gathering requirements for a security analyzer tool tentatively titled "Code-Sentinel". Your input in the comments section would be very valuable to us and, in turn, would help the developer community produce more secure software. Yes, our goals may seem lofty, but we are equally determined to achieve them.