Dear Board Members,

Good morning! I hope you all had an excellent holiday weekend.

I wanted to update you all on a plan of action around establishing a 
cryptography working group.

Unlike many other topics covered by CWE, cryptography requires highly 
specialized knowledge to perform correctly. Since CWE's early days, that 
knowledge has evolved, but CWE entries have not kept up with the pace of change.

The CWE crypto team is nearing a point at which it must make decisions about 
how to represent and organize certain concepts in ways that are understandable 
to developers while being consistent with current perspectives and principles 
within the cryptography community.

Accordingly, a CWE working group could provide focused discussion to give 
confidence that changes will be beneficial to CWE users.

A cryptography working group would be very helpful to the modernization of CWE 
with respect to cryptography, key management, hashing, 
randomness/predictability, and other related concepts. The group could be drawn 
from CWE crypto team members, interested parties from the CWE research list, 
people who have provided feedback on earlier questions from the crypto team, 
and focused outreach to knowledgeable individuals from academia, NIST, and 
security consultants.

The working group might start off informally with e-mail discussion on broader 
modernization strategies for CWE with respect to crypto, then dive into 
individual topics needing resolution and discussion. A monthly meeting might be 
appropriate for richer discussion. It is not clear how long this working group 
would be necessary, but regular discussions might be necessary until at least 
April 2021. Its benefits would pay off immediately, possibly influencing 
changes in CWE 4.6, scheduled for release in late October.

Please let me know if you have any thoughts or objections to this plan of 
action.

Cheers,
Alec

p.s. If you haven’t had a chance to provide feedback to the DRAFT CWE/CAPEC 
Board Charter, please do so by 9/13.

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World
