CWE: what developers of connected embedded systems need to know

Tapp and Chandran (LRDA) wrote an articles published in EETimes (online). The articles starts with sharing information on vulnerabilities and cases related to exploitation. It then goes into CWE (Common Weaknesses Enumeration), purpose, people behind it, etc. They further explain on propose tool in CWE and end-up with why LRDA should be incorporated in SDLC.

First, the title itself is totally conflicted with the contents of the articles which did not touch anything on developers related things especially in gaining knowledge on using CWE as part of their skills in securing their code. However, I tends to agree with them that there are indeed required to use multiple tools for security check.

Their conclusion are more as promoting use of tools in part of SDLC to improve security testing which I believe it is more as marketing rather than technical.

To be able a developer to use CWE, the developers must well equip with knowledge about vulnerabilities and how does it appear in codes. They can avoid it while writing the codes without waiting to use tools which it will be quite messy when dealing with millions LOC (Lines of Codes). Some of the tools even throw false alarm or too many warning as it depends on techniques implemented (PPT).

On understanding vulnerabilities, there are few ways and one of those is to understanding on the behavior and code structures from coding perspective. A paper published in Springer shares on how a taxonomy can be used by developers to understand further thus improve their security skill and usage of tools. The papers can be read here.