CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > News > News & Events - 2007 Archive  
ID

News & Events - 2007 Archive
News & Events - 2007 Archive

December 21, 2007
December 21, 2007

CWE Presents Briefing to Boston Software Process Improvement Network on December 18

CWE Program Manager Robert A. Martin presented a briefing about CWE to the Boston Software Process Improvement Network (SPIN) on December 18, 2007 in Bedford, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CAPEC, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

December 6, 2007
December 6, 2007

Difference Reports Added to CWE List Section

A Difference Reports page has been added to the CWE List section of the CWE Webs site. Difference reports have been posted for Version 5 to Version 6 and Version 6 to Version 7.

CWE to Present Briefing to Boston Software Process Improvement Network on December 18

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the Boston Software Process Improvement Network (SPIN) on December 18, 2007 in Bedford, Massachusetts, USA. A previous article had an incorrect date.

Visit the CWE Calendar page for information on this and other upcoming events.

MITRE to Host "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE is scheduled to host a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA. The conference will expose the CWE, CAPEC, CVE, CCE, CPE, CME, OVAL, and Making Security Measurable efforts to information security professionals from government and industry.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Present Briefing to DHS/DoD SwA Working Group Meeting Session

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the DHS/DoD SwA Working Group Meeting Session on January 30 - February 2, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

November 9, 2007
November 9, 2007

CWE to Present Briefing to Boston Software Process Improvement Network on December 8

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the Boston Software Process Improvement Network (SPIN) on December 8, 2007 in Bedford, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CAPEC, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

CWE Presents Briefing at Static Analysis Summit III on November 8

CWE Program Manager Robert A. Martin presented a briefing about CWE at Static Analysis Summit III on November 8, 2007 at the Hyatt Fair Lakes Hotel in Fairfax, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Two Briefings at CSI 2007 on November 6

CWE Program Manager Robert A. Martin presented two briefings about CWE/Making Security Measurable at CSI 2007 on November 6, 2007 at the Hyatt Regency Crystal City in Arlington, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at Verify Conference on October 29

CWE Program Manager Robert A. Martin presented a briefing about CWE at VERIFY Conference on October 29, 2007 at the Crown Plaza Hotel in Arlington, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at Tactical Information Assurance 2007 on October 26

CWE Program Manager Robert A. Martin is scheduled presented a briefing about CWE/Making Security Measurable at Tactical Information Assurance 2007 on October 26, 2007 at the Georgetown University Conference Center in Washington, D.C., USA.

Visit the CWE Calendar page for information on this and other upcoming events.

October 17, 2007
October 17, 2007

CWE Presents Briefing at DHS/DoD SwA Forum on October 2-3

CWE Program Manager Robert A. Martin presented a briefing about CWE at the U.S. Department of Homeland Security (DHS)/Department of Defense (DoD) Software Assurance (SwA) Forum on October 2-3, 2007 at the McLean Hilton in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CAPEC, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

October 1, 2007
October 1, 2007

Seventh Draft of CWE Now Available

The seventh draft of CWE has been posted on the CWE List page. It incorporates numerous changes to improve consistency, supports additional types of views of CWE content, and includes a variety of edits suggested by members of the CWE Research Community.

In preparation for CWE Draft 7 the CWE Team actively solicited the CWE Researcher Community in September for feedback on the following: issues in CWE Draft 6, managing node restructuring in CWE, major discussion points identified that could have a significant impact on future versions of CWE, usage scenarios, stakeholder analysis, and a discussion of current and other possible CWE views. The bulk of the discussions took place on the public CWE-Research mailing list, an archive of which will be made available on the CWE Web site for public review. In support of these discussions the CWE Team added a "CWE Research page" to the Community Section of the site that includes descriptions of the systemic issues, stakeholders and use-cases; a plan for the upcoming months; and other supporting documentation. The CWE Team pulled together the community responses and incorporated them into Draft 7, and after sufficient community review and input of this latest draft, the CWE Team will make the final decisions about the best way to proceed and modify CWE accordingly as Draft 8.

We welcome any comments about CWE at [email protected].

CWE to Present Briefing at DHS/DoD SwA Forum on October 2-3

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE at the U.S. Department of Homeland Security (DHS)/Department of Defense (DoD) Software Assurance (SwA) Forum on October 2-3, 2007 at the McLean Hilton in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CAPEC, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

CWE to Present Briefing at Tactical Information Assurance 2007 on October 26

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE/Making Security Measurable at Tactical Information Assurance 2007 on October 26, 2007 at the Georgetown University Conference Center in Washington, D.C., USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Present Briefing at Verify Conference on October 29

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE at VERIFY Conference on October 29, 2007 at the Crown Plaza Hotel in Arlington, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at ESC Integration Week on September 18th

CWE Program Manager Robert A. Martin presented a briefing about CWE/Making Security Measurable at ESC Integration Week on September 18, 2007 at HANSCOM AFB, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Included in Making Security Measurable Booth at Security Automation Conference 2007 on September 19-20

MITRE hosted a Making Security Measurable exhibitor booth at the U.S. National Institute of Standards and Technology's (NIST) Security Automation Conference & Workshop 2007 on 19-20, 2007 in Gaithersburg, Maryland, USA. The conference exposed the CWE, CVE, CAPEC, CCE, CME, CPE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry.

Visit the CWE Calendar page for information on this and other upcoming events.

September 7, 2007
September 7, 2007

CWE to Present Briefing at ESC Integration Week on September 18th

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE/Making Security Measurable at ESC Integration Week on September 18, 2007 at HANSCOM AFB, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

CWE Included in Making Security Measurable Booth at Security Automation Conference 2007, September 19-20

MITRE will host a Making Security Measurable exhibitor booth at the U.S. National Institute of Standards and Technology's (NIST) Security Automation Conference & Workshop 2007 on 19-20, 2007 in Gaithersburg, Maryland, USA. The conference will expose the CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and Making Security Measurable efforts to information security professionals from government and industry.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Mentioned in InfoWorld/Computerworld Article

CWE was mentioned twice in an August 1, 2007 article entitled "NSA guru lauds security intelligence sharing" in InfoWorld (reprinted on August 2, 2007 in Computerworld). The main topic of the article was the keynote speech by National Security Agency Vulnerability Analysis and Operations Group Chief Tony Stager at Black Hat Briefings 2007 about how "U.S. government initiatives aimed at fostering the sharing of security intelligence throughout the federal space are helping to establish the community atmosphere and best practices necessary to help those agencies -- and private enterprises -- improve their network and applications defenses..." that mentioned the CWE and the Common Vulnerabilities and Exposures (CVE) projects.

CWE is first mentioned in the article as follows: "A major element of the vision is pushing for standards that translate security intelligence into language that any organization can interpret, said Sager. He highlighted the Common Weakness Enumeration (CWE) project -- an effort aimed at creating a common language for identifying software vulnerabilities that is backed by the Department of Homeland Security and nonprofit Mitre -- as one example of the types of standards that are delivering on the NSA's goal."

CWE is mentioned again in a quote by CWE Program Manager Robert A. Martin who states: "With all these different pieces that are coming together, we are standardizing the basic concepts of security themselves as well as methods for reviewing and improving computing and networking systems. I see a future where a tapestry of tools, procedures, and processes are built over time that recognize and address the common problems that exist among all these constituencies."

CWE Included in Podcast on BankInfoSecurity.com

CWE Program Manager Robert A. Martin conducted a 10-minute podcast interview with BankInfoSecurity.com about CWE, CVE, and Making Security Measurable at Black Hat Briefings 2007. It is one of nine interviews from the event available at http://www.bankinfosecurity.com/podcasts.php?podcastID=53 (sign-up is required), or you may play or download the podcast now from the CWE Web site.

"Unforgivable Vulnerabilities" Briefing Now Available on CWE Documents Page

CWE Technical Lead Steve Christey presented a "Turbo-Talk" at Black Hat Briefings 2007 on August 2, 2007 entitled "Unforgivable Vulnerabilities." The talk was well-received and had an audience of 80, including several key members of the Web application security community. The briefing is posted for the public on the CWE Documents page.

Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

Photos of Booth at Black Hat Briefings 2007

MITRE hosted a Making Security Measurable exhibitor booth that included CWE and CAPEC as topics at Black Hat Briefings 2007 on August 1-2, 2007 at Caesars Palace in Las Vegas, Nevada, USA. See photos below:

2007 Black Hat Booth 2007 Black Hat Booth 2007 Black Hat Booth

Visit the CWE Calendar page for information on this and other upcoming events.

August 3, 2007
August 3, 2007

CWE Included in Booth at Black Hat Briefings 2007

MITRE hosted a Making Security Measurable exhibitor booth at Black Hat Briefings 2007 on August 1-2, 2007 at Caesars Palace in Las Vegas, Nevada, USA. The conference exposed the CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and Making Security Measurable efforts to a diverse audience of information security-focused attendees from around the world.

Visit the CWE Calendar page for information on this and other upcoming events.

July 3, 2007
July 3, 2007

SANS Institute Makes Declaration of CWE Compatibility

The SANS Institute declared that its professional secure programming examination, Secure Programming Exams/Assessments, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Mentioned in Veracode Press Release about its New "Software Security Rating Service"

CWE was mentioned in a June 25, 2007 news release by Veracode, Inc. entitled "Veracode Answers Industry Call For Security Insight with Industry's First Software Security Ratings Service" about their new Software Security Rating Service for assessing and identifying the severity and exploitability of software flaws.

CWE is first mentioned as being part of the foundation of the new service: "Veracode's Software Security Rating Service is based on respected industry standards including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability." CWE is mentioned again when the release quotes CWE Technical Lead Steve Christey, who states: "We are pleased that Veracode, the first organization to declare Common Weakness Enumeration compatibility for CWE Coverage, CWE Output and CWE Searchable, is committed to promoting standards such as CWE. Early adopters such as Veracode play an important role in bringing clarity to the application security space for their customers."

Veracode is a member of the CWE Community page and its SecurityReview assessment service is listed in the CWE Compatibility and Effectiveness section.

CWE Mentioned in Infoworld Article about Veracode's New Rating Service

CWE was mentioned in a June 25, 2007 article entitled "Veracode debuts system to test binary code: Standards-based method would allow enterprises to scan programs' binary code for problems before they are put into production" on Infoworld. The main topic of the article was Veracode, Inc.'s new Software Security Rating Service for assessing and identifying the severity and exploitability of software flaws.

CWE is mentioned when the author states: "To support its ratings service — which customers can use to test the code of their own homegrown applications or those of third-party providers — the company built a scoring system based on the CWE (Common Weakness Enumeration) classification, which has been forwarded by federally funded IT security watchdog Mitre, as well as the CVSS (Common Vulnerability Scoring System), which has been piloted by the FIRST (Forum of Incident Response and Security Teams) industry group."

Veracode is a member of the CWE Community page and its SecurityReview assessment service is listed in the CWE Compatibility and Effectiveness section. The article was also reprinted on Computerworld on June 26, 2007.

CWE Included in Booth at Black Hat Briefings 2007

MITRE will host a Making Security Measurable exhibitor booth at Black Hat Briefings 2007 on August 1-2, 2007 at Caesars Palace in Las Vegas, Nevada, USA. The conference will expose the CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and Making Security Measurable efforts to a diverse audience of information security-focused attendees from around the world.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Participates on Discussion Panel at GFIRST Conference

CWE Program Manager Robert A. Martin participated on a discussion panel entitled "Software Assurance (SwA) Panel: Reducing Risk Exposure in the Face Application-Level Threats" at the 3rd Annual GFIRST Conference on June 26, 2007 in Orlando, Florida, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

CWE Presents Briefing at System and Software Technology Conference

CWE Program Manager Robert A. Martin presented a briefing about CWE and Making Security Measurable entitled "Creating a Secure Architecture as a Basis for Compliance" at the 19th Annual Systems and Software Technology Conference (SSTC) 2007 on June 20, 2007 in Tampa, Florida, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CPE, OVAL, and/or Making Security Measurable at your event.

June 14, 2007
June 14, 2007

CWE to Present Briefing at System and Software Technology Conference

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE and Making Security Measurable entitled "Creating a Secure Architecture as a Basis for Compliance" at the 19th Annual Systems and Software Technology Conference (SSTC) 2007 on June 20, 2007 in Tampa, Florida, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Participate on Discussion Panel at GFIRST Conference

CWE Program Manager Robert A. Martin is scheduled to participate on a discussion panel entitled "Software Assurance (SwA) Panel: Reducing Risk Exposure in the Face Application-Level Threats" at the 3rd Annual GFIRST Conference on June 26, 2007 in Orlando, Florida, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at Information Assurance Conference of the Pacific

CWE Program Manager Robert A. Martin presented a briefing about CWE and Making Security Measurable at the Information Assurance Conference of the Pacific on June 13, 2007 in Honolulu, Hawaii, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing to EMC's Software Engineering Workforce

CWE Program Manager Robert A. Martin presented a briefing about CWE and Making Security Measurable to EMC Corporation's Software Engineering Workforce on June 1, 2007 in Hopkinton, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

May 26, 2007
May 26, 2007

Updated Vulnerability Type Distributions in CVE White Paper Now Available

A May 2007 update to the Vulnerability Type Distributions in CVE has been posted on the CWE Documents page. Originally published in October 2006, this May 22, 2007 update written by CWE Technical Lead/Common Vulnerabilities and Exposures (CVE) List Editor Steve Christey and CWE Program Manager Robert A. Martin now includes data from all of 2006 and discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper also identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.

CWE Presents Briefing at AusCERT 2007

CWE Program Manager Robert A. Martin presented a briefing about CWE and CVE entitled "Vulnerability Type Distributions in CVE" on May 22, 2007 at AusCERT 2007 at the Royal Pines Resort in Gold Coast, Australia. The presentation is based on the recently updated Vulnerability Type Distributions in CVE white paper (May 22, 2007) that now includes data and analysis for all of 2006.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at DHS/DoD SwA Working Group Meeting

CWE Program Manager Robert A. Martin presented a briefing about CWE to the U.S. Department of Homeland Security (DHS)/Department of Defense (DoD) Software Assurance (SwA) Working Group Meeting on May 15-17, 2007 in Arlington, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at Joint Meeting of Boston Software Process Improvement Network/Software Quality Group of New England

CWE Program Manager Robert A. Martin presented a briefing about CWE and Making Security Measurable to the Joint Meeting of Boston Software Process Improvement Network (SPIN) and Software Quality Group of New England (SQNE) session entitled "Exploitable Software: New Security Concerns in a Post-9/11 World" on May 9, 2007 in Burlington, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

May 7, 2007
May 7, 2007

Sixth Draft of CWE Now Available

The sixth draft of CWE has been posted on the CWE List page. This update includes (1) additional descriptions and mitigations for about 27 of the items, (2) minor revisions and updates to approximately 100 items based on the donated information, and (3) several revisions to the names and structure of the hierarchical view to reflect the new and revised CWE content. Most of these changes are from the initial insertions of material from several more of the sixteen companies that are contributing to CWE under non-disclosure agreements.

CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

This current step of building CWE involves gathering data about weaknesses from the seventeen tool and knowledge sources that are participating in CWE. Additions and revisions from these contributions are in process and will be added when they are ready in a seventh draft. We welcome any comments about CWE at [email protected].

CWE Mentioned in Article about Automated Code Scanners in Network Computing

CWE was mentioned in an April 16, 2007 article entitled "Analysis: Automated Code Scanners" in Network Computing. The main focus of the article is that "...makers of automated source-code analysis tools are shifting their focus from commercial software vendors to enterprises. They say adopting their tools will let your developers build more secure software and meet the compliance burden. But are they up to the job?" The remainder of the article is a discussion of the author's review of "three popular static source-code analyzers," Fortify SCA (Source Code Analysis) 4.0, Klocwork K7.5 and Ounce Labs' Ounce 4.1.

CWE is mentioned in a section of the article entitled "Getting to the source" in reference to the "Vulnerability Type Distributions in CVE" white paper by CVE List Editor and CWE Technical Lead Steve Christey when the author states: "In particular, arithmetic vulnerabilities, such as integer overflows and type conversions, were usually missed or detected only at confidence levels that included an extremely high ratio of false positives. We found this a bit disconcerting given the growing trend in reports of these vulnerabilities--in fact, integer overflows rose to the No. 2 position in OS vendor advisories in 2006, just behind buffer overflows, according Mitre's October Common Weakness Enumeration report (cwe.mitre.org/documents/vuln-trends/index.html#overall_trends)."

CWE to Present Briefing at Joint Meeting of Boston Software Process Improvement Network/Software Quality Group of New England on May 9

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE and Making Security Measurable to the Joint Meeting of Boston Software Process Improvement Network (SPIN) and Software Quality Group of New England (SQNE) session entitled "Exploitable Software: New Security Concerns in a Post-9/11 World" on May 9, 2007 in Burlington, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at MISTI's Government Compliance and Cybersecurity Training Workshop on April 10

CWE Program Manager Robert A. Martin presented a briefing about CWE and CVE entitled "Due Diligence for Software: Bringing Standards to software Security Assessment" at MISTI's Government Compliance and Cybersecurity Training Workshop in Washington, D.C. on April 10, 2007.

Visit the CWE Calendar page for information on this and other upcoming events.

April 5, 2007
April 5, 2007

CWE Team Participates in SANS Announcement of "National Secure Programming Skills Assessment Examination" Initiative

CWE Program Manager Robert A. Martin and Technical Lead Steven M. Christey participated in the SANS Institute announcement at SANS in Maryland, USA on March 26, 2007 about the launch of the National Secure Programming Skills Assessment (NSPSA) examinations initiative that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The CWE Team worked with the SANS Institute and other leading secure software experts to develop NSPSA.

Numerous news media articles resulted from the announcement including "SANS: New exam program about more secure code" on TechTarget.com, "Groups team to test secure-coding skill" on SecurityFocus, "Developers' secure-coding skill put to the test" on The Register, "Coalition Aims To Nip Software Bugs In The Bud" on InformationWeek, and "Security Fix: They Say They Want a Revolution" on WashingtonPost.com, all of which quoted from a written statement by Christey, who is also CVE List Editor, regarding the need for the exam program: "After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear: Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance." A second quote used in some of the articles mentions that most colleges and universities don't teach programmers how to write secure code: "There needs to be a revolution. Secure programming examinations will help everyone draw the line in the sand, to say 'No more,' and to set minimum expectations for the everyday developer."

The NSPSA initiative will be piloted this August in Washington D.C., USA and then rolled out worldwide during the remainder of 2007.

CWE to Present Briefing at MISTI's Government Compliance and Cybersecurity Training Workshop on April 10th

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE and CVE at MISTI's "Government Compliance and Cybersecurity Training Workshop" in Washington, D.C. on April 10, 2007.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Hosts Booth at InfoSec World 2007, March 19-21

CWE co-hosted a Making Security Measurable exhibitor booth at InfoSec World 2007 Conference & Expo on March 19-21, 2007 at the Rosen Shingle Creek Resort in Orlando, Florida, USA. The conference exposed MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals.

Visit the CWE Calendar page for information on this and other upcoming events.

March 17, 2007
March 17, 2007

MITRE Launches Companion Web Site for Common Attack Pattern Enumeration and Classification (CAPEC) Effort

MITRE has launched a new Web site to support the Common Attack Pattern Enumeration and Characterization (CAPEC) effort that like CWE is funded by the U.S. Department of Homeland Security as part of the Software Assurance Strategic Initiative of the National Cyber Security Division. Led by Cigital, Inc., CAPEC is a companion effort to CWE in that CAPEC is structuring and formalizing the discussion of the attack patterns that are used against the weaknesses described in CWE.

The objective of CAPEC is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy. During this initial review period the CAPEC Web site is hosting a draft schema and content that requires members of the software community to register in order to access the information and provide comments. In this way the catalog will continue to evolve safely with public participation and contributions to form a standard mechanism for identifying, collecting, refining, and sharing attack patterns among the software community.

Please send any comments or concerns to [email protected].

GrammaTech, Inc. Makes Declaration of CWE Compatibility

GrammaTech, Inc. declared that its static analysis tool, CodeSonar, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Two Organizations Join the CWE Community

Two additional organizations have joined the CWE Community, GrammaTech, Inc. and SureLogic, Inc. Members of the CWE Community work together to create specific and succinct definitions for each of the elements in the CWE List. By leveraging the widest possible group of interests and talents we hope to ensure that the CWE elements are adequately described and differentiated.

There are now 43 organizations from around the world participating in the CWE initiative. Visit the CWE Community page for a complete list.

CWE Presents Briefing & Participates on Discussion Panel at OMG Software Assurance Workshop, March 5-7

CWE Program Manager Robert A. Martin presented a briefing entitled "Certifying Applications for Known Security Weaknesses: The Common Weakness Enumeration (CWE) Effort" at the OMG Software Assurance Workshop on March 5-7, 2007 at the Hyatt Fair Lakes in Fairfax, Virginia, USA. In addition, members of the CWE Team moderated a discussion panel entitled "Bringing Standards to Software Source Code Security Assessment" that also included CWE Community members Fority Software, Ounce Labs, NSA, Watchfire, and Veracode.

CWE also hosted an exhibitor booth at the event. Visit the CWE Calendar page for information on this and other upcoming events.

March 12, 2007
March 12, 2007

Armorize Technologies, Inc. Makes Three Declarations of CWE Compatibility

Armorize Technologies, Inc. declared that its Web application source code analysis suite, CodeSecure Verifier, Web application source code analysis tool, CodeSecure Enterprise, and its Web application source code analysis tool, CodeSecure Workbench, will be CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Main Focus of Article in InfoWorld

CWE was the main focus of a March 1, 2007 article in InfoWorld entitled "Software Vulnerability Index making progress." The article describes what CWE is, the benefits it provides for software developers and acquirers, mentions several of the sources used to create the list, and describes how the final draft of the list is being formed. The article also includes quotes by CWE Program Manager Robert A. Martin on the reason for CWE: "We wanted to evaluate what the tools claim to cover and what they are most effective at finding. Right now, best test is to throw tools at a big pile of code and see what tools find the most vulnerabilities, but we're changing that paradigm [with CWE] into test cases where we now look at the answers so we can evaluate what the tools found and what kinds of complexities they can handle."

The author also paraphrases Martin in describing the creation of the CWE List: "CWE's research will not list the names and performance results of the products it is testing -- provided by over 20 firms, including Cenzic, Fortify, SPI Dynamics, Veracode, and Watchfire -- but the work to compile a resource that offers developers an idea of the types of vulnerabilities missed by the tools should provide a great deal of value."

Also included is a quote by Sean Barnum, director of knowledge management at Cigital, regarding the CWE research: "We found that less than half of what we already have in CWE is covered by these tools, so this helps prove that there are a lot of known issues out there that aren't being addressed. We also thought that the tools would look for the same types of things, but they are actually very different, and there's not a lot of overlap; that's something that developers need to be aware of as they choose tools; you want to right set for aggregated coverage."

The author closes the article with a description of how the CWE dictionary is being developed: "Before each release of CWE, workers with the project spend much of their time comparing all the vulnerability definitions and mitigation taxonomies in the index, attempting to refine the language used in the descriptions and add real-world examples of attacks that target the flaws. That work is continuing and will remain the primary focus of CWE's efforts going forward ... including work to de-emphasize nomenclature that describes common problems based on the attack methods used to exploit them."

CWE Main Focus of Article in Computerworld

CWE was the main focus of a March 1, 2007 article in Computerworld entitled "Black Hat: Software Vulnerability Index making progress." The article describes what CWE is, the benefits it provides for software developers and acquirers, mentions several of the sources used to create the list, describes how the final draft of the list is being formed, and notes that CWE is sponsored by the U.S. Department of Homeland Security.

The author also notes that while the CWE work completed to date has involved the "gathering of vulnerability formats and the various methods used to identify and remediate the coding problems, the project has recently involved a significant amount of testing of security scanning tools to get a better idea of the capabilities and limitations of those products" and that the "tests ... revealed that the products were looking for only 45 percent of the 600 common vulnerabilities that have already been entered into the CWE index."

A quote by Sean Barnum, director of knowledge management at Cigital, further addresses the results: "We found that less than half of what we already have in CWE is covered by these tools, so this helps prove that there are a lot of known issues out there that aren't being addressed. We also thought that the tools would look for the same types of things, but they are actually very different, and there's not a lot of overlap; that's something that developers need to be aware of as they choose tools; you want to right set for aggregated coverage."

The author concludes the article by describing how the work on CWE is continuing by refining the language used in the descriptions, adding real-world examples of attacks that target the flaws, and "de-emphasizing nomenclature that describes common problems based on the attack methods used to exploit them."

CWE Main Focus of Article on ZDNet.com

CWE was the main focus of a March 1, 2007 article on ZDNet.com entitled "Dictionary for software bugs to cut confusion?" The article describes what CWE is, the benefits it provides for software developers and acquirers, mentions that organizations such as Cigital are committing to incorporating CWE in their products, and describes how a final draft of the list is being formed. The article also includes quotes by CWE Technical Lead Steve Christey on the creation of CWE: "Without a common, high-fidelity description of these [software] weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem." The author then paraphrases Christey on the need for CWE because "coverage of early definitions by source code-checking tools is very slim."

The article also describes the creation of CWE: "Mitre has been working on CWE for the past year and a half. People working on the project are pulling together data from multiple sources, including security tool makers, and unifying it. This is proving to be an arduous task. One list alone already contains 300 bug categories."

The article concludes with a progress report on the latest draft: "The dictionary's fifth draft was published December 15. The sixth draft is expected to have merged data regarding weaknesses from 16 tool and knowledge sources participating in the CWE initiative."

CWE A Main Topic of Article on Dark Reading

CWE was the main focus of a March 1, 2007 article in Dark Reading entitled "Getting to Know the Enemy Better." The author states: "The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it." "In two separate presentations, experts from Mitre and Cigital -- two companies with long track records in government and industry standards -- outlined plans for the implementation of Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC), two specifications that could eventually help developers recognize weaknesses in their applications and anticipate common attack patterns that adversaries might use to break in."

The article describes both CAPEC and CWE, including what CWE is, the benefits CWE provides for software developers and acquirers, and how the final draft of the CWE List is being formed. The article also includes a quote by CWE Program Manager Robert A. Martin, who states: "It's a common body of knowledge about software assurance that will help developers to build security into their applications. The initiative, funded largely by the U.S. Department of Homeland Security (DHS), represents some 600 entries from more than 20 vendors of tools that help to identify security weaknesses in software."

CWE Hosts Booth at OMG Software Assurance Workshop, March 5-7

CWE co-hosted a Making Security Measurable exhibitor booth for MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts at the OMG Software Assurance Workshop on March 5-7, 2007 at the Hyatt Fair Lakes in Fairfax, Virginia, USA. Object Management Group (OMG) is an international, open membership, not-for-profit computer industry consortium. OMG's task forces "develop enterprise integration standards" for a wide range of technologies and industries and its modeling standards "enable powerful visual design, execution and maintenance of software and other processes."

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing & Participates on Discussion Panel at DoD/DHS Software Assurance Forum on March 9

CWE Program Manager Robert A. Martin presented a briefing about CWE and participated on a discussion panel about software assurance and malware on March 9, 2007 at the DoD/DHS Software Assurance Forum at in Washington, D.C., USA.

Visit the CWE Calendar page for information on this and other upcoming events.

March 5, 2007
March 5, 2007

CERIAS/Purdue University Makes Declaration of CWE Compatibility

CERIAS/Purdue University declared that its Secure Programming Class and its Publicly Available Teaching Materials for it Materials are CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

SofCheck, Inc. Makes Declaration of CWE Compatibility

SofCheck, Inc. declared that its static analysis and fault detection tool, SofCheck Inspector for Ada, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Main Topic of Article in CrossTalk Magazine

CWE was a main topic in an article by CWE Program Manager Robert A. Martin entitled "Being Explicit About Security Weaknesses" in the March 2007 issue of CrossTalk, The Journal of Defense Software Engineering. The article describes the creation of the CWE initiative and the sources used to develop the initial concept, related efforts, how CWE is a community effort and a list of current members, how the drafts of the CWE dictionary are being developed, an example of a CWE entry, the CWE Compatibility and CWE Effectiveness program, and the additional impact and transition opportunities tied to CWE.

The author describes the importance of community contributions to the initiative as follows: "An important element of the CWE initiative is to be transparent to all on what we are doing, how we are doing it, and what we are using to develop the CWE dictionary. We believe this transparency is important during the initial creation of the CWE dictionary so that all of the participants in the CWE community are comfortable with the end result and will not be hesitant about incorporating CWE into what they do." The CWE dictionary is freely available for the public on the CWE Web site and "... all of the publicly available source content is [also] being hosted on the site for anyone to review or use for their own research and analysis."

The author concludes the article as follows: "This work is already helping to shape and mature the code security assessment industry, and it promises to dramatically accelerate the use and utility of automation-based assessment capabilities for organizations and the software systems they acquire, develop, and use."

CWE to Host Booth at OMG Software Assurance Workshop, March 5-7

CWE is scheduled to co-host a Making Security Measurable exhibitor booth for MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts at the OMG Software Assurance Workshop on March 5-7, 2007 at the Hyatt Fair Lakes in Fairfax, Virginia, USA. Object Management Group (OMG) is an international, open membership, not-for-profit computer industry consortium. OMG's task forces "develop enterprise integration standards" for a wide range of technologies and industries and its modeling standards "enable powerful visual design, execution and maintenance of software and other processes."

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Present Briefing & Participate on Discussion Panel at DoD/DHS Software Assurance Forum on March 9

CWE is scheduled to present a briefing about CWE and participate on a discussion panel about software assurance and malware on March 9, 2007 at the DoD/DHS Software Assurance Forum at in Washington, D.C., USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Host Booth at InfoSec World 2007, March 19-21

CWE is scheduled to co-host a Making Security Measurable exhibitor booth at InfoSec World 2007 Conference & Expo on March 19-21, 2007 at the Rosen Shingle Creek Resort in Orlando, Florida, USA. The conference will expose MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at Black Hat 2007 D.C. on March 1

CWE presented a briefing about CWE entitled "Being Explicit about Weaknesses" on March 1, 2007 at Black Hat 2007 D.C. at the Sheraton Crystal City Hotel in Washington, D.C., USA.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Mentioned in Award Description in "2007 SC Magazine Awards"

CWE was cited in the description of SC Magazine's "Editor's Choice Professional Award" to the NSA's Information Assurance Directorate's Vulnerability Analysis and Operations (VAO) Group for its work in the past year with the U.S. Air Force and Microsoft Corporation to "examine and provide security-setting recommendations for Microsoft's new Vista operating system" and to promote the use of standards. CWE was mentioned as follows: "The VAO Group is also shaping the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL), Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) standards." The "2007 SC Magazine Awards" were presented on February 6, 2007 at the Hilton San Francisco in San Francisco, California, USA.

Photos from CWE Booth at 2007 Information Assurance Workshop

CWE co-hosted a Making Security Measurable exhibitor booth for MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-15, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. See photos below:

2007 Information Assurance (IA) Workshop 2007 Information Assurance (IA) Workshop

Visit the CWE Calendar page for information on this and other upcoming events.

February 15, 2007
February 15, 2007

CWE Discussion List Now Available

Members of the information security community are invited to participate in CWE by joining our CWE Research email discussion list, a lightly moderated public forum to discuss CWE definitions, suggest potential definition expansion(s), and/or submit new definitions. General discussion of the vulnerabilities themselves is also welcome. View our Privacy Policy.

CWE Hosts Booth at 2007 Information Assurance Workshop, February 12-15

MITRE hosted a Making Security Measurable exhibitor booth at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-15, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency (DISA) and National Security Agency (NSA), is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event introduced MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts to representatives of the DOD and other Federal Government employees and their sponsored contractors.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Hosts Booth at RSA Conference 2007, February 5-8

MITRE hosted a Making Security Measurable exhibitor booth at RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting."The event introduced MITRE's CWE, CVE, CCE, CME, CPE, and OVAL efforts to security professionals from industry, government, and academia from around the world.

See photos below:

RSA 2007 RSA 2007 RSA 2007 RSA 2007 RSA 2007 RSA 2007 RSA 2007 RSA 2007 RSA 2007

Visit the CWE Calendar page for information on this and other upcoming events.

February 5, 2007
February 5, 2007

Veracode, Inc. Makes Declaration of CWE Compatibility

Veracode, Inc. declared that its SecurityReview assessment service is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Watchfire Corporation Makes Three Declarations of CWE Compatibility

Watchfire Corporation declared that its Web application security assessment tool, AppScan, its enterprise Web application security assessment tool, AppScan Enterprise, and its Web application security assessment service, AppScan Enterprise OnDemand, will be CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

SPI Dynamics Makes Five Declarations of CWE Compatibility

SPI Dynamics declared that its WebInspect, QAInspect, DevInspect, and Assessment Management Platform (AMP) assessment and remediation tools, and its WebInspect Direct assessment service, will be CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

Klocwork, Inc. Makes Declaration of CWE Compatibility

Klocwork, Inc. declared that its assessment and remediation tool, Klocwork Enterprise Development Suite, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Cigital, Inc. Makes Three Declarations of CWE Compatibility

Cigital, Inc. declared that its software security architecture and design risk assessment and management product, Cigital Architectural & Design Risk Management, its security code assessment product, Cigital Secure Code Review with Automated Tools, and its Software Security Training and Awareness Courses, will be CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

Fortify Software Makes Declaration of CWE Compatibility

Fortify Software declared that its source code analysis tool, Fortify Source Code Analysis (SCA), will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Ounce Labs Makes Declaration of CWE Compatibility

Ounce Labs declared that its static source code analysis tool, Ounce, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Introduces Free Newsletter

CWE is now offering a free e-newsletter that you can receive directly in your email mailbox. "CWE-Announce" will provide updates of new drafts of CWE List, new compatible products, upcoming conferences, new Web site features, CWE in the news, etc.

Messages will be sent infrequently, once a week or less. Online sign-up is available on the Free Newsletter page. View our Privacy Policy.

January 5, 2007
January 5, 2007

CWE to Host Booth at RSA Conference 2007, February 5-8

MITRE is scheduled to host a CWE/CVE/CCE/OVAL/CME exhibitor booth at RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event will introduce CWE, CVE, CCE, CME, and OVAL to security professionals from industry, government, and academia from around the world. Please stop by Booth 1949 and say hello.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Host Booth at the 2007 Information Assurance Workshop, February 12-16

MITRE is scheduled to host a CWE/CVE/CCE/OVAL/CME exhibitor booth at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-16, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency (DISA) and National Security Agency (NSA), is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event will introduce CWE, CVE, CCE, CME, and OVAL to representatives of the DOD and other Federal Government employees and their sponsored contractors.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Information Included in Article about Web Application Vulnerabilities in SC Magazine

CWE information was included in a December 27, 2006 article entitled "Hot or Not: Web Application Vulnerabilities" in SC Magazine. The article is about a report on the trends in the types of Common Vulnerabilities and Exposures (CVEs) as noted in the October 2006 Vulnerability Type Distributions in CVE white paper posted on the CWE Documents page that was written by CVE Editor Steve Christey. The author of the article states: "There's no doubt that web applications have become the attackers' target of choice. In September, Mitre Corp.'s Common Vulnerabilities and Exposures list - a tally of publicly disclosed vulnerabilities - ranked cross-site scripting in the number one slot. In fact, cross-site scripting attacks surpassed buffer overflow vulnerabilities. And four of the top five reported vulnerabilities proved to be within web applications."

The article also mentions that in the November 2006 SANS Institute Top-20 Internet Security Attack Targets 2006 Annual Update, which uses 210 CVE Identifiers to uniquely identify the vulnerabilities it describes, "...web applications topped the list for Cross-Platform Application vulnerabilities."

Important Message about CWE Web Site Availability

Due to business disaster planning activities the CWE Web site may be temporarily unavailable for short periods from 5:00am eastern time on Saturday, January 13, 2007 through 5:00am on Tuesday, January 16, 2007. We apologize for any inconvenience. Please contact [email protected] with any comments or concerns.

Page Last Updated: March 30, 2018