Standardize CWE adoption across Secure (CWE as Secure's currency)
Context
CWEs are, essentially, vulnerability classes/categories. The purpose of Secure, abstractly, is to prevent or root out vulnerabilities. We could therefore use CWEs as the common denominator across analyzers, findings, benchmarks, tests, etc. Just as CVE is the globally used identifier for individual vulnerabilities (and CVSS for scoring their severity), I propose that CWE be used for vulnerability classification across GitLab.
Why (i.e. what problems can be solved)
- The most prominent issue, in my view, is that we do not fully understand our coverage, which is essential.
- We can't reliably track vulnerability coverage across analyzers, scanners, and other tools in Secure without uniquely identifying vulnerability classes/categories. A finding that carries only a vendor-specific rule ID cannot be compared with a finding from another tool.
- As a consequence, without that kind of information we won't see the bigger picture: we cannot determine whether there are serious gaps from the vulnerability identification & classification perspective (classes that no analyzer reports at all).
- On the flip side, we won't see where the "quick wins" are (classes that one analyzer already covers and that others could pick up cheaply).
- We can, most likely, reduce false positives, duplicates and other noise among findings: two analyzers reporting the same CWE at the same location can be recognized as one issue.
- We can improve results when Composition Analysis, SAST, DAST and Fuzzing work in tandem, since their findings become directly comparable.
- We would be in a better position to benchmark analyzers against a common baseline.
- We would be able to improve the dogfooding process. The AppSec team maintains their own vulnerability occurrence charts, which map semantically to CWEs. Overlaying the two gives a pretty good picture of our internal capabilities.
- etc.
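To make the coverage and de-duplication arguments above concrete, here is an added example (not code from GitLab or from this issue). It assumes findings shaped like the `vulnerabilities` entries of a GitLab security report, where each finding has an `identifiers` list of `{type, value}` items and a `location` with `file`/`start_line`; analyzers that classify by CWE are assumed to emit `type: "cwe"` with values such as `CWE-79`. The analyzer names and the findings in `SAMPLE_REPORTS` are constructed for illustration. It shows what becomes possible once every analyzer tags findings with a CWE: a coverage matrix per class, the gaps against an expected baseline, cross-analyzer de-duplication, and the findings that can't be correlated at all because they carry no CWE.

```python
"""Correlate findings from several analyzers by CWE.

Added example, not GitLab code. Report shape and analyzer names are
assumptions; SAMPLE_REPORTS is constructed data, not real scan output.
"""
import re
from collections import defaultdict

# Accept upper/lower case and zero-padded numbers, normalize to "CWE-<n>".
CWE_RE = re.compile(r"^CWE-(\d+)$", re.IGNORECASE)

# Constructed sample: three hypothetical analyzers with overlapping findings.
SAMPLE_REPORTS = {
    "sast-analyzer-a": [
        {"name": "Reflected XSS",
         "identifiers": [{"type": "cwe", "value": "CWE-79"}],
         "location": {"file": "app/views/search.erb", "start_line": 12}},
        {"name": "Hardcoded secret",
         "identifiers": [{"type": "cwe", "value": "cwe-798"}],
         "location": {"file": "config/secrets.rb", "start_line": 3}},
        # Vendor rule only, no CWE: cannot be correlated with anything.
        {"name": "Unknown pattern",
         "identifiers": [{"type": "vendor_rule", "value": "R-17"}],
         "location": {"file": "lib/x.rb", "start_line": 40}},
    ],
    "sast-analyzer-b": [
        {"name": "XSS",
         "identifiers": [{"type": "cwe", "value": "CWE-079"}],
         "location": {"file": "app/views/search.erb", "start_line": 12}},
    ],
    "dast": [
        # Dynamic findings have no source location.
        {"name": "Cross-site scripting",
         "identifiers": [{"type": "cwe", "value": "CWE-79"}],
         "location": {}},
        {"name": "Missing CSP",
         "identifiers": [{"type": "cwe", "value": "CWE-693"}],
         "location": {}},
    ],
}


def cwe_ids(finding):
    """Return the set of normalized CWE ids (e.g. 'CWE-79') on a finding."""
    ids = set()
    for ident in finding.get("identifiers", []):
        if str(ident.get("type", "")).lower() != "cwe":
            continue
        m = CWE_RE.match(str(ident.get("value", "")).strip())
        if m:
            ids.add(f"CWE-{int(m.group(1))}")
    return ids


def coverage_matrix(reports):
    """Map each CWE to the set of analyzers reporting at least one finding with it."""
    matrix = defaultdict(set)
    for analyzer, findings in reports.items():
        for finding in findings:
            for cwe in cwe_ids(finding):
                matrix[cwe].add(analyzer)
    return dict(matrix)


def uncovered(expected_cwes, matrix):
    """CWEs from an expected baseline that no analyzer reports: the coverage gaps."""
    return set(expected_cwes) - set(matrix)


def unclassified(reports):
    """Per analyzer, the findings without any CWE (invisible to cross-tool correlation)."""
    return {a: [f["name"] for f in fs if not cwe_ids(f)] for a, fs in reports.items()}


def dedupe(reports):
    """Group CWE-bearing findings by (CWE, file, line) across analyzers.

    Two analyzers flagging the same class at the same location collapse into
    one group; findings without a location (e.g. DAST) group by CWE alone.
    """
    groups = {}
    for analyzer, findings in reports.items():
        for finding in findings:
            loc = finding.get("location") or {}
            for cwe in cwe_ids(finding):
                key = (cwe, loc.get("file"), loc.get("start_line"))
                groups.setdefault(key, set()).add(analyzer)
    return [
        {"cwe": cwe, "file": file, "line": line, "analyzers": sorted(analyzers)}
        for (cwe, file, line), analyzers in sorted(groups.items(), key=lambda kv: str(kv[0]))
    ]


if __name__ == "__main__":
    matrix = coverage_matrix(SAMPLE_REPORTS)
    for cwe, analyzers in sorted(matrix.items()):
        print(cwe, sorted(analyzers))
    print("gaps:", uncovered({"CWE-79", "CWE-89", "CWE-798"}, matrix))
    print("unclassified:", unclassified(SAMPLE_REPORTS))
    for group in dedupe(SAMPLE_REPORTS):
        print(group)
```

Note that the two SAST findings on `app/views/search.erb:12` collapse into one group only because both analyzers emitted a CWE; the "Unknown pattern" finding with a vendor rule ID stays in the unclassified list and can never be matched against another tool's output, which is exactly the blind spot the proposal is about.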
How
- Brainstorming in the comments section. To be updated once we have evaluated the current situation and identified the general direction to take from here.
PS: In all fairness, quite a lot of work has already been done to support CWEs here and there. This issue is meant to agree on a common course of action, or at least to identify what is still missing on the path to success.
/cc @tstadelhofer @twoodham @sethgitlab @thiagocsf @gonzoyumo @nmccorrison @gitlab-org/vulnerability-research @stkerr @matt_wilson @david @NicoleSchwartz @derekferguson @tmccaslin @plafoucriere @laurence.bierner