Is it the goal of CWE to provide prescriptive guidance on these things? If so,
then you might need a working group to keep up with developments in the space,
since NIST updates infrequently and usually lags behind industry best practices.
Or is it enough just to have categories for insecure alg
Some problems have a set of relatively simple solutions, like a lot of web
problems boil down to using a good framework, so SQL injection, XSS and so
on mostly go away and get patched by the project responsible for the
framework. Picking a good framework is often left as an exercise for the
reader,
t
I would start with asking why we are in the business of providing crypto
guidance rather than pointing the audience to available resources.
- Jason
From: Chris Eng
Sent: Wednesday, September 8, 2021 11:41 AM
To: Alec J Summers ; CWE CAPEC Board
Subject: RE: Proposed action: Establishing CWE/CA
Hi Alec,
I hope you had a good weekend as well. I am also not opposed to having a
working group in this area; I think a venue for cryptography subject matter
experts to work together to better capture cryptographic weaknesses would
be great. Similar to Chris, do you have any thoughts on what this