Friday, July 06, 2007

Taxonomy Work

Flipping through Steve Christey and Robert Martin's slide deck, Mitre CWE Being Explicit Slides (ppt), made me think of Dave Aitel's quip from a few days ago, "Taxonomy = wrong", or, put less (or more) banally by our man Mulder:
"We fail to anticipate the unforeseen or expect the unexpected in a universe of infinite possibilities we may find ourselves at the mercy of anyone or anything that cannot be programmed, categorized or easily referenced..."

I think it quite obvious that this is the position we'll consistently be at if we approach constructing and assessing systems with a semi-ordered list of instructions *cough*software security book*cough* in hand and less than half a clue.

Creating a taxonomy of vulnerabilities is but one aspect of attempting to understand software security. If efforts such as the Common Weakness Enumeration were just about creating such a list, then perhaps we could label the whole effort as misguided, but the stated aim here is to develop understanding. Once we have some basis for that, we can do something with it and then, hopefully, our software won't suck wet sweaty moose testicles, or at least not as much as it does now.

CWE attempts to unify a number of existing software security resources, some of my favourites being:


This is still just a small selection of the great software security resources out there; for further reading, check out work by Brian Chess, Gary McGraw, John Viega, Steve Christey, and Robert Martin. I'm usually very impressed with all their efforts.