Published: 2006-07-31
Kingdom, phylum, class, vulnerability?
Security firm Fortify announced on Monday that it had created a hierarchy for labeling security issues, in the hope that giving names to software flaws will help programmers avoid making the same mistakes. The hierarchy consists of 115 categories split among seven "kingdoms," or top-level classes, plus a catch-all external class for issues that originate outside the code itself.
"We are really aiming to name them before the problem occurs rather than after the problem occurs," said Brian Chess, chief scientist for source-code security firm Fortify. "One way of thinking about it is the mnemonics you learn to prevent spelling mistakes. When you are writing software, even when you don't think you are doing security, you are doing security. We want people to be looking at these things all the time."
Vulnerability bulletins and a constant parade of Web and e-mail attacks underscore the fallout for application users when developers do not roust out major flaws during development. Security researcher HD Moore released a browser flaw every day this month to underscore the problems that poor software quality imposes on end-user security. And while there is an effort to assign identifiers to common malware to help incident responders, there has been no single hierarchy of vulnerabilities.
The seven top-level kingdoms are input validation and representation, API abuse, security features, time and state, errors, code quality, and encapsulation. Fortify also announced on Monday that it had donated the research project to the Open Web Application Security Project (OWASP).
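To make three of those kingdoms concrete, the following is an added example (it is not code from the article, from Fortify or from OWASP) showing a flawed function beside a hardened one for input validation and representation, for time and state, and for errors. Every path, file and input it uses is constructed inside a scratch directory for the demonstration; the function names are my own.

```python
"""Added illustration of three of the seven kingdoms, not Fortify's or OWASP's code.
Each pair shows a flawed function beside a hardened one on constructed inputs."""
import os
import tempfile

# --- Kingdom: input validation and representation (path traversal) ----------

def read_user_file_vulnerable(base_dir: str, name: str) -> bytes:
    # Trusts the caller-supplied name; "../secret.txt" escapes base_dir.
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()

def safe_user_path(base_dir: str, name: str) -> str:
    # Resolve symlinks and ".." first, then require the result to stay under base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target

def read_user_file_hardened(base_dir: str, name: str) -> bytes:
    with open(safe_user_path(base_dir, name), "rb") as f:
        return f.read()

# --- Kingdom: time and state (check-then-act on file creation) --------------

def create_vulnerable(path: str) -> bool:
    # Another process can create or symlink `path` between the exists() check
    # and the open(), so the check says nothing about the state at open time.
    if os.path.exists(path):
        return False
    with open(path, "w") as f:
        f.write("")
    return True

def create_hardened(path: str) -> bool:
    # One atomic system call: O_EXCL makes the kernel refuse an existing file.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True

# --- Kingdom: errors (a swallowed exception hides the failure) --------------

def _parse(f) -> dict:
    return dict(line.strip().split("=", 1) for line in f if "=" in line)

def load_config_vulnerable(path: str) -> dict:
    # A catch-all turns "missing", "permission denied" and "malformed" into a
    # silent empty config, and the caller runs on with whatever defaults it has.
    try:
        with open(path) as f:
            return _parse(f)
    except Exception:
        return {}

def load_config_hardened(path: str) -> dict:
    # Only the expected condition is handled, loudly; anything else propagates.
    try:
        f = open(path)
    except FileNotFoundError:
        raise RuntimeError(f"required config {path!r} is missing") from None
    with f:
        return _parse(f)

def demo() -> dict:
    """Run each pair in a temporary directory with constructed files; return outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        uploads = os.path.join(d, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "note.txt"), "wb") as f:
            f.write(b"hello")
        with open(os.path.join(d, "secret.txt"), "wb") as f:
            f.write(b"top secret")
        results["vuln_reads_outside"] = read_user_file_vulnerable(uploads, "../secret.txt")
        results["hardened_reads_inside"] = read_user_file_hardened(uploads, "note.txt")
        try:
            read_user_file_hardened(uploads, "../secret.txt")
            results["hardened_blocks_traversal"] = False
        except ValueError:
            results["hardened_blocks_traversal"] = True
        lock = os.path.join(d, "lock")
        results["create_first"] = create_hardened(lock)
        results["create_second"] = create_hardened(lock)
        missing = os.path.join(d, "missing.cfg")
        results["vuln_config"] = load_config_vulnerable(missing)
        try:
            load_config_hardened(missing)
            results["hardened_config_raises"] = False
        except RuntimeError:
            results["hardened_config_raises"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

The point of the pairing is that each kingdom names a different kind of mistake: the traversal bug is about what the program accepts, the creation race is about when it checks versus when it acts, and the config loader is about how it reacts when something goes wrong. A name for each lets a reviewer say which one a line of code is guilty of.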
Posted by: Robert Lemos
