November 2019 - Code Curmudgeon

I’ve finally broken down and started selling merchandize on Zazzle. At the moment it’s just a couple of coffee mugs, but there will be...

Definitioner

NVD

US National Vulnerability Database is a repository of known security issues in software, devices, systems, etc. Each issue can be linked to a CVE. Data is stored in a common format called SCAP to enable easy automation in order to update notification of needed patches and other remediation. See https://nvd.nist.gov/

CVE

CVE stands for "Common vulnerabilities and exposures" and is a way to define a particular security vulnerability in application, system, device, etc. Each security problem gets a unique CVE identifier and is listed as well in the NVD registry. Additionaly, sometimes further efforts can be linked to the underlying issues in application code itself, and will associate the CVE with particular CWE IDs. See https://cve.mitre.org

CWE

CWE stands for "Common weakness enumeration" and is a way to define a particular security issue in programming code. CWE is a security effort lead by the US government and industry to define a taxonomy for coding problems that lead to security vulnerabilities. Each vulnerability reported has an CVE ID and should be linked to the underlying CWEs that lead to the issue. There are currently approximately 800 items defined in CWE and efforts are underway to map their technical impacts to what kinds of problems the weakness may cause, as well as ISO 27010. CWE is often known for it's CWE Top 25 and On the Cusp lists of the most common software security problems. See https://cwe.mitre.org

vulnerability

This is a tricky word, especially in application security or cybersecurity. The simple definition in a software context is that the code has some problem that could be exploited by someone at some point. Some think of it as a piece of code with a proven exploit, IE a static analysis violation with a stack trace and values used. This is a very narrow definition that probably doesn't help improve the state of the art. I prefer the idea that it's code that is exploitable based on the body of knowledge (as encapsulated in software coding standards).

CAN (Controller Area Network)

Controller Area Network aka CAN aka CAN Bus is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example doors, brakes, transmission.

IoT (Internet of Things)

common devices that have been internet enabled in order to remotely monitor and manage them, or collaborate with other devices, or provide extra functionality by accessing the internet. Like an internet enabled thermostat that you can control with your smartphone - see the Nest from Google.

Monthly Archives: November 2019

CWE Top 25 2019 and On the Cusp

Why Do You Hate Unit Testing

How is Open Source Different Than Legacy Code

Code Curmudgeon Coffee Mugs Now Available