Lots of interesting things are happening
with the various efforts to eliminate or counter software vulnerabilities.
The
Software Security Assurance (SwA) State-of-the-Art Report (SOAR)
tries to list what’s going on, especially in things related to the
U.S. government.
As with any such document, it’s incomplete, and it’s only a snapshot
(things keep changing!).
But if you haven’t been following this world, and want to know
“what’s going on”, it’s the best place I know of to start.
Of course, you can also look at sites such as the
U.S. DHS / CERT “build security in” site.
The U.S. National Vulnerability Database
tracks specific vulnerabilities in specific products; it identifies each
vulnerability using the unique id defined by
Common Vulnerabilities and Exposures (CVE).
But if the world is going to prevent these kinds of
vulnerabilities from happening in the future, we need to categorize them
in a way where everyone agrees on what the categories are.
Informally, there are lots of ways to categorize them, but their meanings
differ between people.
That’s a real problem when comparing tools; different tools find different
problems, but without agreed-on terminology, it’s hard to even describe
their differences.
MITRE is currently developing a way to categorize all vulnerabilities in
a way that everyone can agree on, called
Common Weakness Enumeration (CWE).
The U.S. National Vulnerability Database and MITRE have worked out a
set of CWEs that they will use to
categorize vulnerabilities.
The CWE is still being developed, but at least some common terminology
is getting worked out.
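To make the tool-comparison problem concrete, here is an added example (not from the original post): two hypothetical scanners report the same kinds of weaknesses under different informal labels, and only after mapping each label to a CWE id can their results be compared. The tool names, labels and findings are constructed; the CWE ids used (CWE-120, CWE-89, CWE-79) are real entries.

```python
import re

# Constructed sample findings from two hypothetical scanners. Each tool uses
# its own informal label for the same kind of weakness, which is exactly what
# makes their results hard to compare side by side.
TOOL_A_FINDINGS = [
    {"file": "login.c", "line": 42, "label": "buffer overrun"},
    {"file": "query.c", "line": 17, "label": "sql injection"},
]
TOOL_B_FINDINGS = [
    {"file": "login.c", "line": 42, "label": "unchecked strcpy"},
    {"file": "view.c", "line": 9, "label": "cross-site scripting"},
]

# Per-tool mapping from informal label to a CWE identifier. The CWE ids are
# real entries (classic buffer overflow, SQL injection, XSS); the label
# strings themselves are assumptions made for this example.
TOOL_A_MAP = {"buffer overrun": "CWE-120", "sql injection": "CWE-89"}
TOOL_B_MAP = {"unchecked strcpy": "CWE-120", "cross-site scripting": "CWE-79"}

CWE_ID = re.compile(r"^CWE-\d+$")


def normalize(findings, label_map):
    """Return (set of (file, line, cwe), list of unmapped findings).

    Labels with no CWE mapping are returned rather than silently dropped,
    so a gap in the agreed terminology stays visible."""
    normalized, unmapped = set(), []
    for f in findings:
        cwe = label_map.get(f["label"])
        if cwe is None or not CWE_ID.match(cwe):
            unmapped.append(f)
            continue
        normalized.add((f["file"], f["line"], cwe))
    return normalized, unmapped


def compare_tools(a, a_map, b, b_map):
    """Overlap and per-tool unique findings, expressed in CWE terms."""
    na, ua = normalize(a, a_map)
    nb, ub = normalize(b, b_map)
    return {
        "both": sorted(na & nb),
        "only_a": sorted(na - nb),
        "only_b": sorted(nb - na),
        "unmapped": ua + ub,
    }
```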
Original post by David A. Wheeler’s Blog