Standardize CWE adoption across Secure (CWE as Secure's currency)

Context

CWEs are, essentially, vulnerability classes/categories. The purpose of Secure, abstractly, is to prevent or root out vulnerabilities. We can thus use CWEs as a common denominator across analyzers, findings, benchmarks, tests, etc. Just like CVSS is globally used for vulnerability identification, I propose that CWE be used for vulnerability classification across GitLab.

Why (i.e. what problems can be solved)

  • The most prominent issue, in my view, is that we do not fully understand our coverage, which is essential.
  • We can't reliably track vulnerability coverage across analyzers, scanners, and other tools in Secure without uniquely identifying vulnerability classes/categories.
  • As a consequence, without that kind of information we won't see the bigger picture: we cannot determine whether there are serious gaps from the vulnerability identification & classification perspective.
  • On the flip side, we won't see where the "quick wins" are.
  • We can, most likely, reduce false positives, duplicates and other noise among findings.
  • Certainly, we can improve results when Composition Analysis, Static & Dynamic Application Security Scanning and Fuzzing work in tandem.
  • We would be in a better position to benchmark analyzers if we had a common baseline.
  • We would be able to improve the dogfooding process. The AppSec team maintains their own vulnerability occurrence charts, which map semantically to CWEs. Overlaying the two, we get a pretty good picture of our internal capabilities.
  • etc.
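To make the coverage and duplicate arguments above concrete, here is an added example (not code from this issue or from GitLab itself) that keys findings from several analyzers on a normalised CWE id, builds a CWE-by-analyzer coverage matrix, lists expected CWEs nobody reports, and flags the same CWE at the same location reported twice. The findings, analyzer names, locations and the "expected" CWE list are constructed placeholders; the `identifiers` shape (type/value) is only loosely modelled on a GitLab security report.

```python
import re
from collections import defaultdict
# Constructed sample findings, shaped loosely like the identifiers array of a
# GitLab security report (type/value). Analyzer names, paths and CVE/WASC
# values are placeholders for this example.
FINDINGS = [
    {"analyzer": "sast", "location": "app/views/show.html.erb",
     "identifiers": [{"type": "cwe", "value": "79"}]},
    {"analyzer": "dast", "location": "app/views/show.html.erb",
     "identifiers": [{"type": "cwe", "value": "CWE-79"}]},
    {"analyzer": "sast", "location": "app/models/user.rb",
     "identifiers": [{"type": "cwe", "value": "CWE-89"}]},
    {"analyzer": "dependency_scanning", "location": "Gemfile.lock",
     "identifiers": [{"type": "cve", "value": "CVE-XXXX-XXXXX"},
                     {"type": "cwe", "value": "cwe-502"}]},
    {"analyzer": "dast", "location": "/login",
     "identifiers": [{"type": "wasc", "value": "WASC-XX"}]},  # no CWE at all
]

def cwe_of(finding):
    """Return the normalised CWE id ("CWE-79") or None if the finding has none."""
    for ident in finding.get("identifiers", []):
        if ident.get("type", "").lower() == "cwe":
            match = re.search(r"(\d+)", str(ident.get("value", "")))
            if match:
                return f"CWE-{int(match.group(1))}"
    return None

def coverage_matrix(findings):
    """Map each CWE to the set of analyzers that reported it."""
    matrix = defaultdict(set)
    for finding in findings:
        cwe = cwe_of(finding)
        if cwe:
            matrix[cwe].add(finding["analyzer"])
    return dict(matrix)

def coverage_gaps(expected_cwes, findings):
    """Expected CWEs (an assumed target list) that no analyzer reported."""
    return sorted(set(expected_cwes) - set(coverage_matrix(findings)))

def probable_duplicates(findings):
    """Same CWE at the same location reported by more than one analyzer."""
    by_key = defaultdict(set)
    for finding in findings:
        cwe = cwe_of(finding)
        if cwe:
            by_key[(cwe, finding["location"])].add(finding["analyzer"])
    return {key: sorted(a) for key, a in by_key.items() if len(a) > 1}
```

Findings without any CWE identifier (the last sample) never enter the matrix, which is exactly the blind spot the issue is about.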

How

  • Brainstorming in the comments section. To be updated once we have evaluated the current situation and identified the general direction to go from here.

PS: In all fairness, quite a lot of work has been done to support CWEs here and there. This issue is just to come up with a common action, or at least to identify what is missing on the path to success.


/cc @tstadelhofer @twoodham @sethgitlab @thiagocsf @gonzoyumo @nmccorrison @gitlab-org/vulnerability-research @stkerr @matt_wilson @david @NicoleSchwartz @derekferguson @tmccaslin @plafoucriere @laurence.bierner

Edited by Mark Art