MARCH 1, 2007 | ARLINGTON, Va. -- Black Hat DC -- Experts agree: The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it.

But that situation is about to change, according to speakers at the Black Hat conference here today. In fact, draft guidelines for specifying common security weaknesses and common attack patterns could be just weeks away.

In two separate presentations, experts from Mitre and Cigital -- two companies with long track records in government and industry standards -- outlined plans for the implementation of Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC), two specifications that could eventually help developers recognize weaknesses in their applications and anticipate common attack patterns that adversaries might use to break in.

The proposed specifications would offer common methods for describing and categorizing weaknesses and attack vectors, much as Common Vulnerability Enumeration (CVE) and Common Malware Enumeration (CME) have done for vulnerabilities and malware.

The CWE is in its fifth draft and is already delivering some benefits for software developers, according to Robert Martin, principal engineer at Mitre. It represents a "dictionary" of frequently made mistakes in software development that can lead to exploitable vulnerabilities, he said.

"It's a common body of knowledge about software assurance that will help developers to build security into their applications," Martin said. The initiative, funded largely by the U.S. Department of Homeland Security (DHS), represents some 600 entries from more than 20 vendors of tools that help to identify security weaknesses in software.

The link for this article located at Dark Reading is no longer available.