Friday, April 28, 2006

On Pete's "Allow me to Defend Michal Zalewski"

Great point from Pete on a recent IE vulnerability disclosure case:

Spire Security Viewpoint: Allow me to Defend Michal Zalewski: "Here's the interesting thing about Zalewski's approach: if it inspires a lot of 'shock and awe' in you, then you are nowhere near able to protect your environment in a reasonable manner."

TaoSecurity on Demonstrating vs Maintaining Compliance

Richard Bejtlich poses an interesting statement at TaoSecurity. He says that "costs of demonstrating compliance far exceed those of maintaining compliance. This is sad."

Is it, really? I feel this is an important thing to think about, but I am not sure yet that it is indeed sad. You might think you are "doing OK" compliance-wise, but if you cannot prove it, you are in trouble...

Dumb Security Humor: "Security startup targets 0day problem"

Read and weep :-)

Security startup targets 0day problem InfoWorld News 2006-04-28 By Robert McMillan, IDG News Service: "company developed software that scans network traffic for known exploits, called 0days"

Do Engineers Ever Lie?

Yet another gem from the genius that is Guy Kawasaki: The Top Ten Lies of Engineers. Some technical folks like to think that only "suits" lie. Nothing could be farther from the truth...

Some fave examples are:

4. "Our architecture is scalable."
5. "The code supports all the industry standards."
7. "We have an effective bug reporting database and system."
10. "This time we got it right."

Read on.

Do you Work for One of Those? Signs that Your Employer is Sinking!

Very fun read for techies and non-techies alike. Check your employer for those signs and shudder :-)

Six Early Signs That a Company Could Be Headed for Failure - Los Angeles Times: "Here are six early warning signs of potential trouble:

Not being focused on the core business: Straying from the business' main product or service is a common problem.

A headstrong CEO: It takes a strong will to start and run a business, but that disposition can make it difficult for advisors to convince an entrepreneur or small-business owner that unwelcome changes are necessary.

Conversion to a new computer system: Combining computer accounting and operations systems looks like a great idea on paper, and many companies make the change without a serious hitch.

Lack of a timely cash-flow forecast. [...] Do all businesses understand that? No. The ones who stay in business do.

Lack of clarity on the profitability of each customer and product. This is one of the first things a turnaround specialist will look at. A successful company will periodically analyze what's driving its cash flow. "

Thursday, April 27, 2006

Good or Evil: Make Your Pick!

So, this hacking story got reported in two completely opposite manners:

a) this man hacked and stole, needs to go to jail now :-)
b) this man revealed a weakness and got persecuted unfairly

Category a) from the assclowns of "SC Mag" - "The U.S. Department of Justice (DOJ) announced yesterday that it charged a San Diego man for hacking into the University of Southern California’s student application system and accessing personal records."

Category b) from Emergent Chaos - "The clear message: Next time, don't tell. "

Who is right? We might never know...

Are you owned? Quite likely, actually :-)

Journalists have this unique penchant for using totally obvious names for supposedly sensational articles. Haven't you seen your share of

Here is one of a more subtle kind:

One-third of companies don't know if they've been hacked - IT Security News - SC Magazine US: "Research of 293 senior managers carried out by polling company YouGov, found 33 percent did not have any idea if their network had been breached. "

I remember when I wrote this paper that covered compromise discovery, folks contacted me and reported that most companies they've seen have a few boxes permanently owned by various parties...

Risk Exaggeration Summary from Bruce Schneier

Here is a fun and useful one from Bruce Schneier: "five different tendencies people have to exaggerate risks" i.e. "to believe that something is more risky than it actually is. "

  • People exaggerate spectacular but rare risks and downplay common risks.
  • People have trouble estimating risks for anything not exactly like their normal situation.
  • Personified risks are perceived to be greater than anonymous risks.
  • People underestimate risks they willingly take and overestimate risks in situations they can't control.
  • People overestimate risks that are being talked about and remain an object of public scrutiny."

"Do dedicated security vendors have a future?"

Here is a fun question: "Do dedicated security vendors have a future?"

This paper with the same name discusses just that and has some good points. Check out these quotes:

"McAfee proudly proclaims itself “the largest dedicated [IT] security company in the world”. Based on revenues this is a fair claim—it is some way ahead of closest rivals Check Point and Trend Micro for that crown. But is a dedicated security company really the best thing to be in 2006 and beyond?"

"If a crown was being awarded for “security revenues” then it might well go to Symantec, but it would be a close run thing with Cisco, currently the world's largest networking equipment vendor (it will be demoted to number two if the Lucent/Alcatel merger gets approved)."

"With giants like Cisco and Microsoft building security into their infrastructure and Symantec diversifying into storage and building security into its new offerings, will there be any place left for dedicated security vendors in the long term? ... There probably will be, providing they stay ahead of the game, i.e. keeping on top of emerging threats and coming up with innovative new products to counter them. "

"The revenue share of the IT security market going to dedicated vendors will decrease more and more with time."

This reminds me of this old blog post.

Great Resource Site: "E-Evidence Information Center"

Here is a good site with A LOT of resources on forensics. I "mined" it recently for information on log forensics and recommend it for others as well: E-Evidence Information Center - Home

Tuesday, April 25, 2006

Speaking at USMA, West Point

Blogs can be useful for many things, including boasting. However low your opinion of such activity might be, sometimes it is certainly appropriate to boast...

So, tomorrow I am giving a guest lecture on log analysis and forensics at United States Military Academy at West Point. I'll post a follow-up telling everybody how it went.

I did speak at the FBI Academy back in 2002, during the Honeynet Project tour. It sure was fun!

UPDATE: slides posted.

Where's the real underground these days?

Dancho Danchev tries to answer the elusive question: "Where's the real [computer] underground these days", not the one hyped up by the media? Read his review and enjoy the exploit pricing discussion, 0days, etc.

Dancho Danchev - Mind Streams of Information Security Knowledge!: Wild Wild Underground: "Where's the real underground these days, behind the shadows of the ShadowCrew, the revenge of the now, for-profit script kiddies, or in the slowly shaping real Mafia's online ambitions? "

Next for air travelers: Standing room only? - Technology - International Herald Tribune

Next for air travelers: Standing room only? - Technology - International Herald Tribune: "Airbus has been quietly pitching the standing-room-only option to Asian carriers, though none has agreed to it yet. Passengers in the standing section would be propped against a padded backboard, held in place with a harness, according to seating experts who have seen a proposal"

Happy vs Rich?

Quoting verbatim from Feld Thoughts

"NPR had a great segment over the weekend on the secret to happiness about this year’s most popular class at Harvard is Psych 1504, also known as “how to get happy.” Apparently the most popular class – until recently – was an economics class also known as “how to get rich.”"

What's that, a new trend? :-)

Monday, April 24, 2006

SIEM Market is a Failure... Now we Know Why!

Some quotes pretty much tell all - read this exciting blog post from analyst Eric Ogren...

"I have always regarded Security Event Management (SEM) as the most dysfunctional segment in the security industry."

"SEM vendors would always preach rapid response and attack prevention, even though they only examine log file entries written long after the attack has come and gone."

"It has just been a brain-dead market segment."

And, on the other hand, what is needed is a "good place to collect, filter, and manage audit logs of corporate activity."

In other words, log management with a brain (intelligence). Because "you wouldn't think of running your business without independent corporate auditing, you shouldn't think of running IT without auditing"!

Winning, Losing - Ah, Come on!

Misc useless and somewhat funny discussion on "winning the war against hackers", whatever that means (Answer: it means nothing! :-))

Network Security Blog: We're not winning the war against hackers: "The Register is running an article that called

Wednesday, April 19, 2006

Time to Start 2007 Security Predictions?

Here is one from SecurityIncite (blog post The Race to Get in the Closet Security Incite: Analysis on Information Security): "my early prediction is that the most over-hyped product of RSA 2007 is going to be the 'security switch.'"

"CISSP is a self-perpetuating myth"

Here is a fun bit I picked up from one security mailing list: one guy called CISSP "a self-perpetuating myth" since "the more people get certified the more certify themselves to be compliant with the myth."

Well, to some extent "the self-perpetuating" part is true about any certification, but "a myth" part ... well, that's special for this case :-)

Tuesday, April 18, 2006

CISSP quote of the week or pick your poison

Pick your poison here:

Quote One: "Also, the majority of attacks in the wild are well-known and easily detected and blocked"

Quote Two: "I'm going to go out on a limb here and say that the majority of real attacks in the wild are probably 0days or difficult to detect or block. The latest IE bug is, of course, both."

Hehe, which camp are you with? :-)

It Ain't Fair, Ya Know! :-)

Totally cool security quote from Gary McGraw (reported by 1 Raindrop: Not a Fair Fight:Gary McGraw on Security): "The biggest problem is that most people that are security practitioners are network people, and most people that are doing exploits are software people, and frankly that is not fair."

Metricon 1.0 Call For Papers (CFP)

First ever convention on security metrics ... presenting Metricon!
Emergent Chaos: Metricon 1.0 Call For Papers

Conceived by the team during RSA 2006 (with yours truly involved a bit as well...)

ISP Log Retention: Evil Incarnate or World Savior? :-)

Here is something I was curious about before: should ISPs a) log customer Internet access and b) retain logs beyond the troubleshooting period?

ISP snooping gaining support CNET "Internet providers generally offer three reasons why they are skeptical of mandatory data retention:
  • first, it is not clear who will be able to access records of someone's online behavior;
  • second, it's not clear who will pay for the data warehouses to be constructed; and
  • third, it's not clear that police are hindered by current law as long as they move swiftly in investigations. "

InformationWeek Security | 10 Infamous Moments In Security Research | April 17, 2006

Just a fun read: "10 Infamous Moments In Security Research "

InformationWeek Security 10 Infamous Moments In Security Research April 17, 2006: "10 Infamous Moments In Security Research "

Examples are:

1. SQL Slammer
6. Oracle PLSQL gateway

On who is the inventor of the firewall

Dave Piscitello's Personal Journal: "In 20 people who changed the industry, Network World gives Shlomo Kramer and fellow Check Point colleagues credit for inventing the firewall."

When was the last time you've seen "Network World" get something right? :-)

Book review "Security Log Management: Identifying Patterns in the Chaos"

It is not often that I review a genuinely bad book, but this is one such rare occasion. It so happens that log analysis has been my primary area of focus for the last several years, and thus I could not miss a book titled “Security Log Management.”

Yuck! The book starts with a hodge-podge of examples which, if entertaining at times, don’t lead to any meaningful lessons and thus don’t deliver the value they could have. The same applies to the selection of material for the book, which, as a result, suffers from a complete lack of logical structure. Even Ch 1, “Log Analysis: Overall Issues,” barely touches on analyzing logs and clearly doesn’t cover any “overall issues.” Also, the authors have undoubtedly trademarked the concept of a random irrelevant picture or graph...

In addition, the book reveals many areas where the authors are deeply befuddled. The ESM chapter (‘Enterprise Security Management’) is one such example, where confusion reigns supreme. They talk about the ‘ESM process’ and claim that ‘ESM is not a tool’ in one sentence, then describe ‘ESM tools’ in the next one. On top of that, if you are looking for some arcane security humor, try understanding their ROI calculation in that chapter (‘Cost of problem’ + ‘Cost of solution’ …)

One would think that they can get something as (relatively) simple as firewall reporting right (chapter 3). One would think that – and one would be wrong… The reader is still left with no answers to questions such as ‘what summaries, statistics and reports he/she should collect and how to do it.’

As far as style is concerned, the book carries the unfortunate signs of being written by a group of authors who didn’t talk to each other much. Furthermore, what adds insult to injury is the truly excessive amount of quoted source code, which plainly doesn’t belong in the book but on a website, CD, etc. (were the editors asleep at the wheel?)

To conclude, the book does have some relationship to patterns and chaos: the patterns in your brain will immediately turn into chaos after you are done reading it, provided you even finish it. My suggestion is to avoid this largely useless title and save the money for better books (such as Bejtlich’s or countless others).

Dr Anton Chuvakin, GCIA, GCIH, GCFA ( is a
recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects, such as incident response, intrusion detection, honeypots and log analysis. In his spare time he maintains his security portal and two blogs.

Monday, April 17, 2006

Change or Die!?

Don't like to change? Then die :-) This thought-provoking piece in "Fast Company" pretty much says that...

Change or Die: "Meanwhile, the leaders of a company need 'a business strategy for continuous mental rejuvenation and new learning,' he says. Posit Science has a 'fifth-day strategy,' meaning that everyone spends one day a week working in a different discipline. Software engineers try their hand at marketing. Designers get involved in business functions. "

On Plasma Shields

Here is a fun one, albeit one that I heard many years ago back in Russia (as a scientific spoof!). Suddenly it turns out to be real :-)

Defense Tech: Stealth's Radioactive Secret: "Plasma aerodynamics offers tantalizing promises of improving aircraft performance. By producing a thin layer of charged particles around an aircraft you can change the behavior of the boundary layer, significantly reducing friction. The charged layer also absorbs radar, improving stealth."

and even this:

"The Russians seemed to be years ahead, even marketing a plasma stealth add-on device said to reduce radar returns by a factor of a hundred."

"Column or data sheet?"

When marketing security products, folks sometimes get downright silly. Similarly, when describing "bleeding edge security" products, journalists in trade rags sometimes get downright dumb.

But how do you tell one from the other? Challenge yourself to this "contest", by the Matasano gang:

Matasano Chargen » Our Peabody-Award-Winning Game Show:: "Column or data sheet? You be the judge."

Updated my Wikipedia Page!

It is with some trepidation that I updated the entry about me in Wikipedia to reflect my up-to-date employment information.

On the Utility (Futility?) of HIPS?

Do you like the idea of "hardening" a host by installing a host intrusion prevention system (HIPS)? The Dailydave list has this fun discussion on the value (and hackability) of HIPS; check it out. Here is one take on it - patching is more useful than HIPS:

Fwd: [Dailydave] RE: We have the enemy, and the enemy is... you: "Verdict [on HIPS]:

Don't buy them! Don't spend the time and the energy to get them to work for your enterprise. There are several reasons for me to say this but I would like to first start offering you the alternative.

Pay attention to what MSFT is doing!"

Others violently disagree...

Software Engineer - The Best Job Today?

Believe it or not? :-)

The Standard - China's Business Newspaper: "Software engineers are said to have the best jobs in America, followed by college professors and administrators and then financial advisers."

On Security As Insurance

Security as armed guards? Security as risk management (we'll hit upon this one later...)? Security as "protection racket" (OK, this one is a joke... maybe :-))

How about "security as insurance"? Just watch Pete Lindstrom flatten this one: Spire Security Viewpoint: Security <> Insurance: "Sure, insurance is useful. But the implication is that it is okay to do less preventive stuff. I think insurance needs to be treated as a last resort."

Saturday, April 15, 2006

On "Microsoft silently fixing security vulnerabilities"

A good question indeed:

[Dailydave] Microsoft silently fixes security vulnerabilities: "I also would like to point out some interesting statistics: by browsing the list of MS security advisories released over the past 2 years, at least 75% of all vulnerabilities credit external security researchers for having discovered them. The remaining 25% are either anonymously reported vulnerabilities, or are discovered internally by Microsoft itself.

Do you guys believe that MS (a multi-billion dollar software company stating 'security is our priority number one') is only able to detect and publicly report less than 25% of the vulnerabilities in its products ?"

Ideas? Discussion?

Friday, April 14, 2006

On Security Innovation

This guy reminds us of something pretty important - innovation matters not only in the area of "cool" technology, but also in using mundane or commodity technology in a cool way (or even inventing a new cool way to sell it...)

Things I Like Security Incite: Analysis on Information Security: "Folks that 'think different' either from a technology or business model standpoint are cool."

On "Use a firewall, go to jail, and send Bill Gates too"

I've heard this one before (not sure if I blogged or commented on it though), but strangely it is making a come-back. The bottom line is a law that makes any device that conceals the true origin of communication illegal. NAT anyone? :-)

Use a firewall, go to jail, and send Bill Gates too The Register: "'If you have a home DSL router, or if you use the 'Internet Connection Sharing' feature of your favorite operating system product, you're in violation because these connection sharing technologies use NAT. Most operating system products (including every version of Windows introduced in the last five years, and virtually all versions of Linux) would also apparently be banned, because they support connection sharing via NAT.'"

Thursday, April 13, 2006

On DDoS and "non-root" attackers

Some time ago I was using my honeynet (part of the Honeynet Research Alliance) to study so-called "non-root" attackers, who get user-level access and are perfectly happy with it. My GCIH "thesis" actually had some specific research. I did mention DDoS client installation as one of the uses I observed.

Nowadays, it looks like it's becoming more common - check it out:

Disturbing developments in DDoS attacks Threat Chaos "The hacker used a common mis-configuration in PHP scripts to take over Linux machines and use them for his army of zombies. "

Wednesday, April 12, 2006

"When a product is better than the company"

Wow, such stupidity from a security vendor! Pretty amazing, but read the full article. Is your security vendor logging in to your systems and shutting them down? Are you sure? Do you have the logs to prove that they are not?

CipherTrust: When a product is better than the company: "But when it comes to buying products, our tests aren't enough. It's important to investigate all those peripheral aspects of the vendor before you sign a purchase order. I was reminded of that the hard way. "

That is why when you hear "you are buying a company, not just a product" you should treat it seriously and not as just marketing spin....

What Makes a Great Entrepreneur?

Here is an interesting one from a VC - a discussion of what makes a great entrepreneur.

A VC: VC Cliché of the Week: "Here are the characteristics that I find most commonly in great entrepreneurs"

Compliance Trumps Malware!

Here is an interesting one. Literally for years, malware infections were the Top #1 reason for buying all sorts of security solutions (not just anti-virus!) Is it really about to change? That would have a major impact on security market and technologies.

InformationWeek IT Security Spending Compliance, Not Malware, Drives IT Budgets: Survey April 6, 2006: "Regulatory compliance and protecting intellectual property (IP) are among the top reasons driving demand for security products – not phishing, worms, spyware and hack attacks, according to a recent report. "

So, the old one of

#1 Malware
#2 Malware :-)

is replaced by

#1 Compliance
#2 IP protection

Great news!

The paper quotes a bunch of other fun factoids, such as this one: "Respondents expect to increase spending for endpoint security [in line with my 2006 predictions] an average of 32 percent during the next 12 months, with Symantec products garnering the strongest preference in this category. Strong authentication followed with an average expected spending increase of 27 percent, with RSA Security in the lead. "

Authentication growth is an interesting one as well. Is it the IAM/IDM crawling thru the backdoor of strong authentication? Sure looks like it...

Tuesday, April 11, 2006

"If you are soo cool, why aren't you..."

Check out this fun post on what it means to be cool for a security vendor (half-humor)

Matasano Chargen » You’re so cool, you’re so cool…: "What is the analytical process for determining whether or not a company is cool?"

Wednesday, April 05, 2006

BART and switch crashes: an unusual outlook

Here is a weird question: do situations like this prove or disprove claims that cyber-terrorism is a reality?

BAY AREA / BART to investigate computer work at rush hour / Troubleshooting crashed system, stranded 35,000: "technicians risked working on computers that control trains while the transit system was running, work that crashed BART's main computer, stalled 50 to 60 trains, and stranded 35,000 passengers for more than an hour at the peak of the Wednesday evening commute. " and "... the new program overloaded a router..."

On one hand, if computers crash during routine maintenance, one should not fear that someone will do it on purpose (there is no scare factor if you know it will happen anyway one day)

On the other hand, if the system causes damage by itself, giving it a nudge will cause much more disastrous results...?

On legally mandating "adequate encryption"

When I see stuff like this:

Consumer data security bill passes out of House committee: "Data encryption is the only technology specified in the bill, and adequate encryption could exempt a company from the need to notify victims. "

I always wonder whether ROT13 is "adequate encryption" based on the letter of the law.

Tuesday, April 04, 2006

Wiping is the Only Choice: "Microsoft Says Recovery from Malware Becoming Impossible"

Folks have often argued that there is some magical method of reliably cleaning malware (viruses, worms or spyware) without rebuilding the system. No, there never was! But now even Microsoft agrees: "In a rare discussion on the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall malware-infested operating systems."


"How much new information is created each year?"

Interesting read...

Executive Summary: "How much new information is created each year?"

E.g. "Print, film, magnetic, and optical storage media produced about 5 exabytes of new information in 2002."

TaoSecurity on "Security Log Management" book

So, I am finishing this book ("Security Log Management" by Jacob Babbin) that Richard reviewed and I think his review is right on: "I don't think readers will learn much from SLM."

It is a pretty blatant waste of natural resources indeed :-)

My review will go up in a few days.

Cool site - "The Dashboard Spy"

As I mentioned on my blog after RSA, I attended a fun preso on 'security data presentation [errors]' by Andrew Jacquith, a Yankee analyst. It had a bunch of interesting examples of broken charts and graphs. Here is another resource for those - The Dashboard Spy: "Welcome to The Dashboard Spy - a collection of enterprise dashboard screenshots."

And don't forget the new O'Reilly book on dashboards: "Information Dashboard Design: The Effective Visual Communication of Data" by Stephen Few.

"Drive-By Assessment" on "Skybox Security - Nice-to-have or Must-have?" by Security Incite

Is your security solution a must-have or a nice-to-have? Which one do you want it to be? Think about it while reading this one...

Drive-By: Skybox Security - Nice-to-have or Must-have? Security Incite: Analysis on Information Security: "Unfortunately Skybox comes up short here. It's not clear to me what problem is being solved, so I likely move on to the next site. "

"Glitch wiki" or security hole to drive a train thru?

So, it is often reported that since the "bad guys" share technology information (such as exploits, bot access, malware, etc), the "good guys" should ramp up their sharing efforts as well. But companies' unwillingness to share data that might, under the circumstances, be considered sensitive is legendary – and understandable.

Thus, I was happy to see such projects as Splunk Base, which lets users upload logs that indicate problems (yes, security problems as well) and tag them with descriptive tags, so that other Base users can learn from their experience via the tagged log samples. Just sharing logs is nowhere near as useful as sharing such experiences. Either way, this is a good initiative to watch.

Specifically, CNet says ( "Instead, Splunk has designed its software and Splunk Base to allow system administrators to submit information themselves and then classify and search the collected information of their peers. "

Well, it brings out the standard question: if you start a community for marketing reasons (this one clearly fits such a definition), how do you make sure it actually takes off and starts a life as a real community of dedicated users (sometimes ramping up to "raving fans" :-))? I was reading this book by Guy Kawasaki ("Selling the Dream") and it seems to have some answers... In any case, there is a difference between a real community and just a free platform for sharing, which might develop into a community, might get monetized or might just tank. We will see what happens to this one.

Security remains an issue as well. Passwords are not too uncommon in Unix and Apache logs (users mistype them into the username field). Other things to watch for include allowed email addresses, IP addresses of critical servers, access control rule information, types of security software used and maybe a few dozen other possible thingies... An intelligent sanitization algorithm seems very important!

My experience with Honeynet Project data tells me that sanitization is not as easy as some think. So, given you have a serious issue – that you might or might not want others to know about, and that might or might not contain sensitive data, do you want to post that data to an open forum hoping that a) someone would help you and/or b) your experience will help someone else? Just post the comments here.

Another fun thing is the "added intelligence" factor. It has to be better (make it "much better") than simply dumping the logs on the public HTML page and having good ole Google search them...
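To make the sanitization point concrete, here is an added example of my own (not Splunk's code, nor anything from Splunk Base): a small sanitizer for log samples you intend to share. It always redacts the name in sshd "invalid user" lines (that is exactly where a mistyped password lands), masks email addresses and credential-looking query parameters, and replaces IP addresses with consistent pseudonyms so readers can still correlate events across lines. The sample log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines (not real data): two sshd failures where the user
# typed the password into the login name field, an Apache line carrying an
# email address, a normal sshd login and an Apache line with a token parameter.
SAMPLE_LOGS = [
    "Apr  3 10:14:02 host1 sshd[2231]: Invalid user S3cr3tP@ss from 203.0.113.45",
    "Apr  3 10:14:05 host1 sshd[2231]: Failed password for invalid user S3cr3tP@ss from 203.0.113.45 port 51234 ssh2",
    '203.0.113.45 - - [03/Apr/2006:10:15:01 -0700] "GET /login?user=alice@example.com HTTP/1.1" 401 512',
    "Apr  3 10:16:00 host1 sshd[2240]: Accepted publickey for bob from 198.51.100.7 port 40000 ssh2",
    '198.51.100.7 - - [03/Apr/2006:10:17:30 -0700] "POST /api?token=abc123DEF HTTP/1.1" 200 88',
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# sshd logs whatever was typed into the login name field after "invalid user";
# a mistyped password lands exactly here, so the token is always redacted.
INVALID_USER_RE = re.compile(r"(?i)(invalid user )(\S+)")
# Apache access logs: query-string parameters whose name suggests a credential.
CRED_PARAM_RE = re.compile(r'(?i)([?&](?:pass(?:word|wd)?|pwd|token)=)([^&\s"]+)')


def looks_like_password(token: str) -> bool:
    """Heuristic only: a plausible Unix account name is lower-case letters,
    digits and . _ - (32 chars max). A token mixing character classes
    (upper case, digits, symbols) reads more like a typed password."""
    if re.fullmatch(r"[a-z_][a-z0-9_.-]{0,31}", token):
        return False
    classes = sum(bool(re.search(p, token))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes >= 2


@dataclass
class Sanitizer:
    ip_map: dict = field(default_factory=dict)   # real IP -> placeholder
    findings: list = field(default_factory=list)  # (reason, token) pairs

    def pseudonym(self, ip: str) -> str:
        # Same real address -> same placeholder on every line, so the shared
        # sample still shows "these events came from one host".
        if ip not in self.ip_map:
            self.ip_map[ip] = f"IP_{len(self.ip_map) + 1}"
        return self.ip_map[ip]

    def sanitize_line(self, line: str) -> str:
        def redact_user(m):
            tok = m.group(2)
            if looks_like_password(tok):
                self.findings.append(("probable-password-in-username", tok))
            return m.group(1) + "<redacted-user>"

        line = INVALID_USER_RE.sub(redact_user, line)
        line = CRED_PARAM_RE.sub(lambda m: m.group(1) + "<redacted>", line)
        line = EMAIL_RE.sub("<email>", line)
        line = IP_RE.sub(lambda m: self.pseudonym(m.group(0)), line)
        return line

    def sanitize(self, lines):
        return [self.sanitize_line(line) for line in lines]


if __name__ == "__main__":
    s = Sanitizer()
    for out in s.sanitize(SAMPLE_LOGS):
        print(out)
    print("findings:", s.findings)
```

The heuristic in looks_like_password is deliberately crude; the safe default is to redact every "invalid user" token and use the heuristic only to flag which samples deserve a second look before posting.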

Monday, April 03, 2006

But Does it Support IPv6? :-)

Is IPv6 coming? Is it coming soon? Here is a list of almost-up-to-date IPv6 support status statements of lots of apps, even including syslog-ng and other logging apps.

Current Status of IPv6 Support for Networking Applications: "Syslog"

On "More data, more tools or more answers?"

Please, don't make fun of me :-) but I somehow became the owner of one more blog.... here is my first post (or, a repost, for my loyal readers of :-)

More data, more tools or more answers?: "More data, more tools or more answers?" @ ITtoolbox

Check out a New CWE List, a Brother of CVE

Check this out ->

CWE - CWE List: "The Common Weakness Enumeration (CWE), currently in a very preliminary form, is a list of software weaknesses, idiosyncrasies, faults, and flaws."

"The next steps are to adequately capture the specific effects, behaviors, exploit mechanisms, and implementation details in the CWE dictionary as well as to review and revise the presentation approaches that will best suit this information."

Dr Anton Chuvakin