Common Weakness Enumeration

CWE Glossary Definition

Industry News Coverage - 2014 Archive
Industry News Coverage - 2014 Archive

Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

MITRE Cybersecurity Blog, May 7, 2014

CWE, CAPEC, and CVE are the main topics of an article "Security Standards Help Stop Heartbleed" by CAPEC Technical Lead Drew Buttner on MITRE's Cybersecurity blog on May 7, 2014. "Heartbleed," or CVE-2014-0160, is a serious vulnerability in "certain versions of OpenSSL where it enables remote attackers to obtain sensitive information, such as passwords and encryption keys. Many popular websites have been affected or are at risk, which in turn, puts countless users and consumers at risk."

The article defines the Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Common Attack Pattern Enumeration and Classification (CAPEC™) efforts and explains the problem each solves.

In sections entitled "CVE and Heartbleed," "CWE and Heartbleed,"and "CAPEC and Heartbleed," the article describes how CVE helped when the issue became public by assigning CVE-2014-0160 to what also was referred to as the Heartbleed bug, and how CWE and CAPEC can help prevent future Heartbleeds.

The author then concludes the article as follows: "Security automation efforts such as CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities such as Heartbleed in the future. But it is incumbent upon developers and other security professionals to actively leverage resources such as these to be better prepared for the next Heartbleed."

Read the complete article at http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed.

ContinuousAssurance.org Website, April 29, 2014

CWE and Common Vulnerabilities and Exposures (CVE®) are included as references in an April 29, 2014 white paper entitled "Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?" by James A. Kupsch and Barton P. Miller of the Software Assurance Marketplace (SWAMP) at the University of Wisconsin in Madison, Wisconsin, USA. The following were cited as references in the white paper, which also included the urls: CVE-2014-0160, CWE-130: Improper Handling of Length Parameter Inconsistency, and CWE-125: Out-of-Bounds Read.

CrosstalkOnline.org Website, March/April 2014

CWE is mentioned in the preface to the March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components."

The preface was written by Roberta Stempfley, Acting Assistant Secretary at the U.S. Department of Homeland Security's Office of Cybersecurity and Communications, and CVE is mentioned as follows: "How can we collaboratively orchestrate industry and government response to these attacks [on information and communications technology (ICT) assets]? One way is through the Common Vulnerabilities and Exposures (CVE) List, which is an extensive listing of publicly known vulnerabilities found after ICT components have been deployed. Sponsored by the Department of Homeland Security (DHS), the ubiquitous adoption of CVE has enabled the public and private sectors to communicate domestically and internationally in a consistent manner the vulnerabilities in commercial and open source software. CVE has enabled our operations groups to prioritize, patch, and remediate nearly 60,000 openly reported vulnerabilities. Unfortunately, vulnerabilities are proliferating rapidly thus stretching our capabilities and resources. As we seek to discover and mitigate the root causes of these vulnerabilities, sharing the knowledge we have of them helps to mitigate their impact. In order to keep pace with the threat, we must facilitate the automated exchange of information. To achieve that, DHS sponsors "free for use" standards, such as: Common Weakness Enumeration (CWE), which provides for the discussion and mitigation of architectural, design, and coding flaws introduced during development and prior to use; Common Attack Pattern Enumeration and Classification (CAPEC), which enables developers and defenders to discern the attacks and build software resistant to them; Malware Attribute Enumeration and Characterization (MAEC), which encodes and communicates high-fidelity information about malware based upon behaviors, artifacts, and attack patterns; Structured Threat Information eXpression (STIX), which conveys the full range of potential cyber threat information using the Trusted Automated eXchange of Indicator Information."

The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.

CrosstalkOnline.org Website, March/April 2014

CWE and Common Vulnerabilities and Exposures (CVE®) are included in an article written by MITRE Senior Principal Engineer Robert A. Martin entitled "Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent" in March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components."

CWE and CVE are mentioned in a section entitled "Making Change through Business Value," as follows: "For an example of a behavior change in an industry motivated by a new perceived business value, consider that many of the vendors currently doing public disclosures are doing so because they wanted to include CVE [14] Identifiers in their advisories to their customers. However, they could not have CVE Identifiers assigned to a vulnerability issue until there was publicly available information on the issue for CVE to correlate. The vendors were motivated to include CVE Identifiers due to requests from their large enterprise customers who wanted that information so they could track their vulnerability patch/remediation efforts using commercially available tools. CVE Identifiers were the way they planned to integrate those tools. Basically the community created an ecosystem of value propositions that influenced the software product vendors (as well as the vulnerability management vendors) to do things that helped the community, as a whole, work more efficiently and effectively. Similarly, large enterprises are leveraging CWE Identifiers to coordinate and correlate their internal software quality/security reviews and other assurance efforts. From that starting point, they have been asking the Pen Testing Services and Tools community to include CWE identifiers in their findings. While CWE Identifiers in findings was something that others had cited as good practice, it was not until the business value to Pen Testing industry players made sense that they started adopting them and pushing the state-of-the-art to better utilize them."

CWE is also mentioned in a section entitled "Assurance for the Most Dangerous Non-Malicious Issues" that explains what CWE is and how the information "can assist project staff in planning their assurance activities; it will better enable them to combine the groupings of weaknesses that lead to specific technical impacts with the listing of specific detection methods. This provides information about the presence of specific weaknesses, enabling them to make sure the dangerous ones are addressed."

The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.