ISO/IEC JTC 1/SC 22/OWG:Vulnerabilities	Maintained by Jim Moore, James.W.Moore@ieee.org	If you don't see two frames, click here.

Disclaimer

Links

This is a list of web sites related to the work of the OWGV. Inclusion in this list does not imply endorsement by OWGV or any participant of OWGV.

[ Participating standards makers ] [ Other organizations and projects ] [ Humor ]

Participating de jure and de facto standards makers

Look [here] for a list.

Please note that some ISO/IEC standards are freely available [here].

Other organizations and projects

CERT Secure Coding Standards	"This web site exists to support the development of secure coding standards for commonly used programming languages such as C and C++. These standards are being developed through a broad-based community effort including the CERT Secure Coding Initiative and members of the software development and software security communities."
CVE	"Common Vulnerabilities and Exposures (CVE®) is: A list of standardized names for vulnerabilities and other information security exposures — CVE aims to standardize the names for all publicly known vulnerabilities and security exposures."
CWE	"International in scope and free for public use, CWE™ [Common Weakness Enumeration] provides a unified, measurable set of software weaknesses that will enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code."
GSSP	"The GIAC Secure Software Programmer (GSSP) Certification Exam was developed in a joint effort involving the SANS Institute, CERT/CC, several US government agencies, and leading companies in the US, Japan, India, and Germany. These exams are an essential response to the rapidly increasing number of targeted attacks that are focusing on application vulnerabilities. They help organizations meet four objectives: Identify shortfalls in security knowledge of in-house programmers and help those individuals close the gaps. Ensure outsourced programmers have adequate secure coding skills. Select new employees who will not need remedial training in secure programming. Ensure each major development project has at least one person with advanced secure programming skills. "Programmers can demonstrate that they know the common security flaws found in Java and C programming, and how to avoid the problems, by passing the new GSSP exams."
Making Security Measurable	"MITRE, in collaboration with government, industry, and academic stakeholders, is improving the measurability of security through enumerating baseline security data, providing standardized languages as means for accurately communicating the information, and encouraging the sharing of the information with users by developing repositories. The other activities and initiatives listed here have similar concepts or compatible approaches to MITRE's. Together all of these efforts are helping to make security more measurable by defining the concepts that need to be measured, providing for high fidelity communications about the measurements, and providing for sharing of the measurements and the definitions of what to measure."
MISRA C++	"MISRA has been developing a set of guidelines for the use of C++ in critical systems, in a similar manner to those guidelines that were produced for 'C'. "MISRA is pleased to announce that a draft for public comment will be available shortly. To participate in the review, please download the reply form and return it by email, fax or post to MIRA at the address shown at the top of the form. As this form requires a signature to indicate acceptance of the terms of the review, only fully completed and signed copies can be accepted. "We will contact you shortly once the documents are available to send you the drafts and the details of the review process. In the event that this public review is over-subscribed, MISRA reserves the right to restrict availability of the draft, and you will be informed if this is the case."
NIST SAMATE	The Software Assurance Metrics And Tool Evaluation (SAMATE) project "supports the Department of Homeland Security's Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements) is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods. For us, Software Assurance (SA) is ... the planned and systematic set of activities that ensures that software processes and products conform to requirements, standards, and procedures ... to help achieve trustworthiness ... [and] predictable execution."
RTCA, Inc.	"RTCA, Inc. is a private, not-for-profit corporation that develops consensus-based recommendations regarding communications, navigation, surveillance, and air traffic management (CNS/ATM) system issues. RTCA functions as a Federal Advisory Committee. Its recommendations are used by the Federal Aviation Administration (FAA) as the basis for policy, program, and regulatory decisions and by the private sector as the basis for development, investment and other business decisions." This organization sells RTCA DO-178B, Software Considerations in Airborne Systems and Equipment Certification, which "provides guidance for determining, in a consistent manner and with an acceptable level of confidence, that the software aspects of airborne systems and equipment comply with airworthiness requirements."
US DHS Build Security In	"As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team and other contributors develop and collect software assurance and software security information that helps software developers, architects, and security practitioners to create secure systems. ... BSI content is based on the principle that software security is fundamentally a software engineering problem and must be addressed in a systematic way throughout the software development life cycle. BSI contains and links to a broad range of information about best practices, tools, guidelines, rules, principles, and other knowledge to help organizations build secure and reliable software."

Humor

NewCode	"A new programming language from a group of Auckland-based computer-language experts is making waves in the software development world. ... Dubbed NewCode, the language promises to revolutionise software development, as the language makes it impossible to express a security vulnerability in a program's source code."
Programming Quotations	Humorous aphorisms regarding the nature of software and programming.

Disclaimer

Most of the items contained in this web site and its associated files and directories are preliminary working material of ISO/IEC JTC 1/SC 22, subject to review and correction.

The web site is maintained for the convenience of the participants in SC 22/OWG:Vulnerabilities by: