Please join us!
National Institute of Standards and Technology (NIST) The Bugs Framework (BF)
Date: Tuesday, May 4th, 2021
Time: 11:00 AM ET
Irena Bojanova, NIST
Carlos Galhardo, INMETRO
Dr. Suzanna Schmeelk, Assistant Professor of Cybersecurity
Director of St. John's University M.S. in Cyber and Information Security
Please click here to learn more about the presenters and to sign up for the event!
For 10 years now, the same reoccurring pattern of software weaknesses appears in the reported vulnerabilities. We need a better way of helping developers understand software weaknesses and stop falling into the same old pitfalls.
The Bugs Framework (BF) is a weakness taxonomy. It is a structured, complete, orthogonal, and language-independent classification of software bugs. Each BF Class is a taxonomic category of a kind of bugs, defined by all possible cause→consequence transitions, a set of operations, and a set of attributes. Structured means that a weakness is described via one cause, one operation, one value per attribute, and one consequence from the appropriate lists of values defining a BF class. Complete means that BF has the expressiveness to describe any possible software weakness. Orthogonal means the sets of operations of any two BF classes do not overlap. Language-independent means it is applicable for source code written in any programming language.
BF extends the Common Weaknesses Enumeration (CWE) as a back-end (via causes, operations, consequences, and related attributes) and in coverage (eliminating gaps and overlaps). It also allows unambiguous descriptions of the particular instance(s) of the weakness(es) associated with a particular vulnerability as those recorded in the Common Vulnerabilities and Exposures (CVE). BF would provide a more formal approach towards vulnerabilities root cause identification, mitigation, and prevention.