Secure Coding mailing list archives

SDL / Secure Coding and impact on CWE / Top 25


From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 28 Jan 2009 18:20:37 -0500 (EST)


In the past year or so, I've been of a growing mindset that one of the
hidden powers of CWE and other weakness/bug/vulnerability/attack
taxonomies would be in evaluating secure coding practices: if you do X and
Y, then what does that actually buy you, in terms of which vulnerabilities
are fixed or mitigated?  We capture some of that in CWE with CAPEC
mappings for attacks.

We've also mapped to the CERT C Secure Coding standard, as reflected in
this CWE view: http://cwe.mitre.org/data/graphs/734.html (for the
complete/detailed listing, click the "Slice" button on the upper right and
sift through the Taxonomy Mappings).  Or, check out the coverage graphs
that show where the coding standard fits within the two main CWE
hierarchical views: http://cwe.mitre.org/data/pdfs.html

Now Microsoft has released a paper that shows how their SDL practices
address the Top 25, like they did when the OWASP Top Ten came out.  To me,
this seems like a productive practice and a potential boon to consumers,
*if* other vendors adopt similar practices.  Are there ways that the
software security community can further encourage this type of thing from
vendors?  Should we?

Gary, do your worst ;-)

http://blogs.msdn.com/sdl/archive/2009/01/27/sdl-and-the-cwe-sans-top-25.aspx

- Steve
