News & Events - 2009 Archive
December 28, 2009
CWE Version 1.7 Now Available
CWE Version 1.7 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.6 and Version 1.7.
Changes for the new release include: (1) creation of 8 new entries to better organize weaknesses related to improper filtering, with no entries deprecated; (2) significant quality improvements to approximately 20 entries that were "On the Cusp" for inclusion in the 2009 Top 25 list; (3) additions or improvements to demonstrative examples for 29 entries; (4) cleanup of the general-purpose Other_Notes field in 19 entries, which typically moved content into other more relevant fields within those entries; (5) promotion of one entry from "Draft" to "Usable" status; (6) updated relationships for 4 entries; and (7) major changes to 109 entries.
The schema definition was updated from version 4.2.1 to version 4.3, to reflect some minor updates to improve the maintainability and expressiveness of CWE. A summary is available here.
PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].
CWE/CAPEC and MAEC Briefings at DHS/DoD SwA Working Group Meeting Session
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE/CAPEC, and MAEC Program Manager Penny Chase presented a briefing about MAEC, at the DHS/DoD SwA Working Group Meeting Session on December 15-17, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/SwA Briefing at Consortium for IT Software Quality (CISQ)
MITRE presented a luncheon keynote briefing about CWE/SwA to the Consortium for IT Software Quality (CISQ) on December 14, 2009 in Arlington, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
MITRE's New "Malware Attribute Enumeration and Characterization" Standardization Effort Leverages CWE and CAPEC
Malware Attribute Enumeration and Characterization (MAEC) is a community initiative to create a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. MAEC leverages the Common Attack Pattern Enumeration and Classification (CAPEC) and CWE standards as part of its approach to describing malware.
MAEC will make use of CAPEC for describing the relevant attack patterns associated with the high-level malware taxonomy, such as those dealing with network reconnaissance, propagation, insertion, and command and control. MAEC's usage of CAPEC will allow for such behaviors to be defined through an industry standard attack pattern enumeration, thus ensuring that the attacker's perspective in implementing these behaviors is properly represented. If it is determined that a malware instance exploits a particular software weakness, MAEC will link to its corresponding CWE Entry. This linkage will allow for the generation of statistics with regard to the most common types of weaknesses being exploited by malware, thereby highlighting the areas where better security-oriented coding practices need to be implemented.
Please visit the MAEC Web site to learn more or join the effort.
November 23, 2009
CWE/SwA Briefing at Consortium for IT Software Quality (CISQ), December 14
CWE Program Manager Robert A. Martin is scheduled to present a luncheon keynote briefing about CWE/SwA to the Consortium for IT Software Quality (CISQ) on December 14, 2009 in Arlington, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC and MAEC Briefings at DHS/DoD SwA Working Group Meeting Session, December 15-17
CWE/CAPEC Program Manager Robert A. Martin is scheduled to present a briefing about CWE/CAPEC, and MAEC Program Manager Penny Chase is scheduled to present a briefing about MAEC, at the DHS/DoD SwA Working Group Meeting Session on December 15-17, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC/MAEC Briefing at Cyber Security for National Defense Summit
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE/CAPEC at IDGA's Cyber Security for National Defense Summit on November 16-18, 2009 in Washington, D.C., USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE and Making Security Measurable Briefings at DHS/DoD/NIST SwA Forum
CWE Program Manager Robert A. Martin presented a briefing about CWE and a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on November 2, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
October 29, 2009
CWE Version 1.6 Now Available
CWE Version 1.6 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.5 and Version 1.6.
The main changes include: (1) creation of 4 new entries with no entries deprecated; (2) cleanup of the general-purpose Other_Notes field in 84 entries, which typically moved content into other more relevant fields within those entries, especially Common_Consequences; (3) modified descriptions for 49 entries stemming from the Other_Notes modification and continued efforts to establish a common vocabulary; (4) promotion of three entries from "Draft" to "Usable" status; and (5) updated relationships for 50 entries, including a partial restructuring of CWE-119 to better handle closely-related buffer-overflow concepts. There were no schema changes in this version.
The "Stakeholder Field Priorities" document has been modified to reflect additional stakeholders, new CWE fields, and changing priorities. The CWE/SANS Top 25 document has been updated to reflect the latest changes in names and attack patterns. PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].
CWE/Making Security Measurable Briefing and Booth at IT Security Automation Conference 2009
MITRE presented a Making Security Measurable briefing and hosted a Making Security Measurable booth at the U.S. National Institute of Standards and Technology's (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC Briefing at CSI Annual Conference
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the CSI Annual Conference on October 26-29, 2009 in Washington, D.C., USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC Briefing at George Mason University
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) as a guest lecturer at an IT Security Course at George Mason University on October 27, 2009 in Fairfax, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC Briefing at SC World Congress
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the SC World Congress on October 13-14, 2009 in New York, New York, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
October 1, 2009
CWE/Making Security Measurable Briefing and Booth at IT Security Automation Conference 2009, October 26-29
MITRE is scheduled to present a Making Security Measurable briefing and host a Making Security Measurable booth at the U.S. National Institute of Standards and Technology's (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE and CAPEC Are Topics of Discussion at 10th International Common Criteria Conference
CWE/CAPEC Project Leader Robert Martin, and Miguel Bañón on behalf of the Spanish Common Criteria Certification Body, presented a two-part talk about CWE and CAPEC and how version 4 of Common Criteria could leverage the two standards efforts at the 10th International Common Criteria Conference in Tromso, Norway, on September 22-24, 2009. The content of the two talks reflected the preliminary results of some of the improvement processes that will lead to the next major version of the Common Criteria. The conference itself focused on the evolution and enhancement of Common Criteria and the community of organizations working with it.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC Briefing at 8th Annual QAI & QAAM Regional Conference
CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the 8th Annual QAI & QAAM Regional Conference on September 21-23, 2009 in Baltimore, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Mentioned in Article about CVE's 10-Year Anniversary
CWE was mentioned in an article about CVE's 10-year anniversary entitled "CVE: Ten years and more than 38,000 vulnerabilities catalogued," published in Government Computer News on September 23, 2009. The author mentions CWE when explaining how the success of CVE inspired follow-on efforts such as CWE and its Top 25 list. The article also includes quotes from CWE Program Lead and CVE Compatibility Lead Robert A. Martin and CWE Technical Lead and CVE Co-Creator and Technical Lead Steve Christey.
September 21, 2009
Parasoft Corporation Makes Declaration of CWE Compatibility
Parasoft Corporation declared that its Java software quality analysis and testing solution, Jtest, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CAST Makes Declaration of CWE Compatibility
CAST declared that its automated application assessment and remediation tool, CAST Application Intelligence Platform, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
KDM Analytics Makes Declaration of CWE Compatibility
KDM Analytics declared that its Software Assurance Assessment service is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
LDRA Makes Declaration of CWE Compatibility
LDRA declared that its static and dynamic software analysis tool suite, LDRA Testbed, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
Programming Research, Inc. Makes Two Declarations of CWE Compatibility
Programming Research, Inc. declared that its source code static analysis product suites, QA●C – CWE Compliance Module for C Programming Language and QA●CPP – CWE Compliance Module for C++ Programming Language, will be CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.
Making Security Measurable Main Topic of Article in CrossTalk, The Journal of Defense Engineering
An article entitled "Making Security Measurable and Manageable" by CWE/CAPEC Program Manager Robert A. Martin was published in the September/October 2009 issue of CrossTalk, The Journal of Defense Engineering.
The article explains how measurable security and automation can be achieved by having government and public efforts address the creation, adoption, operation, and sustainment of their information security infrastructures in a holistic manner and by using common, standardized concepts to define the data (CVE, CCE, CPE, CAPEC, CWE, etc.), communicating this information through standardized languages (OVAL, XCCDF, CEE, etc.), sharing the information in standardized ways (OVAL Repository, NVD, etc.), and adopting tools and services that adhere to these standards.
CWE/CAPEC Briefing at 2009 NSA NIAP CCEVS Validators Workshop
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the 2009 NSA NIAP CCEVS Validators Workshop on September 10, 2009 in Linthicum, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
September 11, 2009
Apple Makes Declaration of CWE Compatibility
Apple declared that its Secure Development Lifecycle is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
Codenomicon Ltd. Makes Declaration of CWE Compatibility
Codenomicon Ltd. declared that its assessment and remediation tool, DEFENSICS 3, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
Coverity, Inc. Makes Two Declarations of CWE Compatibility
Coverity, Inc. declared that its static analysis assessment and remediation tools, Coverity Prevent and Coverity Integrity Center, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
International Information Systems Security Certification Consortium Makes Declaration of CWE Compatibility
International Information Systems Security Certification Consortium (ISC2) declared that its Certified Secure Software Lifecycle Professional Education and Certification Program will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
Cenzic, Inc. Makes Two Declarations of CWE Compatibility
Cenzic, Inc. declared that its Web application security risk management platform, Cenzic Hailstorm Enterprise ARC, and its Web application penetration testing and vulnerability management system, Cenzic Hailstorm Professional, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/CAPEC Briefing at 2009 NSA NIAP CCEVS Validators Workshop, September 10
CWE/CAPEC Program Manager Robert A. Martin is scheduled to present a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the 2009 NSA NIAP CCEVS Validators Workshop on September 10, 2009 in Linthicum, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC Briefing at 10th International Common Criteria Conference, September 21-23
CWE/CAPEC Program Manager Robert A. Martin is scheduled to present a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the 10th International Common Criteria Conference on September 21-23, 2009 in Tromso, Norway.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC Briefing at 8th Annual QAI & QAAM Regional Conference, September 21-23
CWE/CAPEC Co-Founder and Architect Sean Barnum is scheduled to present a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at the 8th Annual QAI & QAAM Regional Conference on September 21-23, 2009 in Baltimore, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE/CAPEC and Making Security Measurable Briefings at GFIRST5: The 5 Pillars of Cyber Security
CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CWE/Common Attack Pattern Enumeration and Classification (CAPEC™), and Robert A. Martin presented a briefing about Making Security Measurable, at GFIRST5: The 5 Pillars of Cyber Security on August 24-28, 2009 in Atlanta, Georgia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
August 20, 2009
JPCERT/CC Makes Declaration of CWE Compatibility
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) and Information-technology Promotion Agency, Japan (IPA) declared that their filtered vulnerability countermeasure information tool, MyJVN, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
MITRE Hosts 'Making Security Measurable' Booth at Black Hat Briefings 2009
CWE participated in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.
Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. See photos below:
Visit the CWE Calendar page for information on this and other upcoming events.
July 27, 2009
CWE Version 1.5 Now Available
CWE Version 1.5 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.4 and Version 1.5.
Changes for the new release include: (1) creation of 10 new entries, some of which used information provided by Fortify, Inc.; (2) 197 entries changed from the previous version and two entries were deprecated (one was a duplicate and another used vague terminology and inadvertently combined multiple weaknesses); (3) modification of 14 white box definitions, as updated by KDM Analytics; (4) improvements and additions to demonstrative examples for 38 entries; (5) movement of "other notes" to more appropriate elements in 32 entries; (6) updated CAPEC attack patterns for 14 entries, including several on the CWE Top 25; (7) usage of a more established vocabulary in the names and descriptions of several additional entries; and (8) updated relationships for 48 entries. There were no schema changes in this version.
The "Introduction to Vulnerability Theory" paper has also been updated to include important new concepts such as control spheres, a simplified error handling model, and a resource life cycle model. The CWE Top 25 document has been updated to reflect the latest changes in names and attack patterns. PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].
CWE/CAPEC Briefing at GFIRST5: The 5 Pillars of Cyber Security, August 23-28
CWE/CAPEC Program Manager Robert A. Martin is scheduled to present a briefing about CWE and the Common Attack Pattern Enumeration and Classification (CAPEC™) at GFIRST5: The 5 Pillars of Cyber Security on August 23-28, 2009 in Atlanta, Georgia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
June 11, 2009
CWE Main Topic of Article in IEEE Security and Privacy
CWE was the main topic of an article entitled "Improving Software Security by Eliminating the CWE Top 25 Vulnerabilities" in the May/June 2009 issue of IEEE Security and Privacy. The article, which may be downloaded from the IEEE Web site for a fee, provides best practices, keyed to the CWE-IDs of the specific weaknesses it discusses, that can help users eliminate the CWE Top 25 vulnerabilities in their own development environments and products.
MITRE to Host "Making Security Measurable" Booth at Black Hat Briefings 2009, July 29-30
CWE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.
Stop by Booth 70 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CWE Calendar page for information on this and other upcoming events.
May 27, 2009
CWE Version 1.4 Now Available
CWE Version 1.4 has been posted on the CWE List page, and now includes a printable book-form PDF with table of contents and index. Changes include: (1) creation of 15 new entries, most of which are newly-identified weaknesses; (2) deprecation of one entry that inadvertently combined multiple weaknesses; (3) usage of a more established vocabulary in the names and descriptions of 89 entries; (4) updated relationships for 35 entries; (5) improvements and additions to demonstrative examples for 75 entries; (6) updated CAPEC attack patterns for 31 entries; and (7) changes to 198 total entries. A detailed report is available that lists specific changes between Version 1.3 and Version 1.4. Several documents have also been updated: the glossary for terms used in CWE, and an updated CWE Top 25 document that reflects the latest changes in names, mitigations, and attack patterns. There were no schema changes in this version.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].
Making Security Measurable Briefing at CSI SX 2009
CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at CSI SX 2009 on May 17-18, 2009 in Las Vegas, Nevada, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Briefing and Making Security Measurable Briefing at SERC Showcase 2009
CWE Program Manager Robert A. Martin presented a briefing about CWE and a briefing about Making Security Measurable at SERC Showcase 2009 on May 13-14, 2009 in Fairview Heights, Illinois, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
Making Security Measurable Briefing at Secure360 Conference
CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at the Secure360 Conference on May 12, 2009 in St. Paul, Minnesota, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Briefing at Application Security Summit
CWE Program Manager Robert A. Martin presented a briefing about CWE at the Application Security Summit – Tools to Automate the Consensus Audit Guidelines (CAG) on April 29, 2009 in Washington, D.C., USA.
Visit the CWE Calendar page for information on this and other upcoming events.
MITRE Hosts "Making Security Measurable" Booth at RSA 2009
MITRE hosted a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009.
Visit the CWE Calendar page for information on this and other upcoming events.
April 23, 2009
EMC Corporation Makes Three Declarations of CWE Compatibility
EMC Corporation and RSA (The Security Division of EMC) have declared that their internal software development practices, EMC Security Development Lifecycle (SDL), EMC Product Security Policy (PSP), and EMC Vulnerability Response Policy (VRP), are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.
April 3, 2009
Ounce Labs Makes Declaration of CWE Compatibility
Ounce Labs declared that its static source code analysis tool, Ounce, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
Fortify Software, Inc. Makes Declaration of CWE Compatibility
Fortify Software, Inc. declared that its static source code analysis tool, Fortify Source Code Analysis (SCA), is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
Armorize Technologies, Inc. Makes Three Declarations of CWE Compatibility
Armorize Technologies, Inc. declared that its Web application source code analysis tools, CodeSecure Enterprise and CodeSecure Workbench, and its Web application source code analysis suite, CodeSecure Verifier, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.
MITRE to Host "Making Security Measurable" Booth at RSA 2009, April 20-24
MITRE is scheduled to host a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Please stop by Booth 2411 and say hello!
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Briefing at OWASP Meeting
CWE Technical Lead Steve Christey presented a briefing about CWE to the Open Web Application Security Project (OWASP) Meeting on March 13, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE and Making Security Measurable Briefings at DHS/DoD/NIST SwA Forum
CWE Program Manager Robert A. Martin presented a briefing about CWE and a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2009
MITRE hosted a Making Security Measurable booth at MIS Training Institute's (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009.
Visit the CWE Calendar page for information on this and other upcoming events.
March 10, 2009
CWE Version 1.3 Now Available
CWE Version 1.3 has been posted on the CWE List page. Changes include creation of 7 new entries, for a total of 762; more consistent mitigations for 35 entries, especially the Top 25; usage of a more established vocabulary in the names and descriptions of 39 entries; updated relationships for 89 entries, especially the OWASP Top Ten 2004 view (CWE-711) and the CWE-703 pillar in the Research View (CWE-1000); improved labeling of good and bad code blocks in demonstrative examples; and changes to 183 total entries. A detailed report is available that lists specific changes between Version 1.2 and Version 1.3. The CWE Top 25 document has been updated to reflect the changes in the mitigations. There were also minor changes to the schema, which was updated to Version 4.2.1.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].
March 3, 2009
CWE Mentioned in Top Twenty Most Critical Security Controls Document
CWE was mentioned in Draft 1.0 of the "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance" consensus list released by a consortium of federal agencies and private organizations on February 23, 2009. The document, which uses "knowledge of actual attacks and defines controls that would have stopped those attacks from being successful," includes 15 critical controls that are subject to automated measurement and validation and an additional 5 critical controls that are not.
CWE is mentioned as follows in a section about why the list is so important for chief information security officers (CISOs), chief information officers (CIOs), federal inspectors general, and auditors: "This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures-CVE), definition of secure configurations (Common Configuration Enumeration-CCE), inventory of systems and platforms (Common Platform Enumeration-CPE), vulnerability severity (Common Vulnerability Scoring System-CVSS) and identification of application weaknesses (Common Weaknesses Enumeration-CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia and industry. While still evolving, several of these efforts in standardization have made their way into commercial solutions and government, industry, and academic usage. Perhaps most visible of these has been the Federal Desktop Core Configuration (FDCC) which leveraged the Security Content Automation Program (SCAP)."
The draft is available for public review and comment at www.sans.org/cag, www.csis.org, and www.gilligangroupinc.com until March 23, 2009.
MITRE to Host "Making Security Measurable" Booth at InfoSec World 2009, March 9-10
MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute's (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009. Please stop by booth 531 and say hello.
Visit the CWE Calendar for information on this and other events.
CWE/Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum, March 10-12
CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE and a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other upcoming events. Contact [email protected] to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CPE, CEE, CRF, OVAL, and/or Making Security Measurable at your event.
CWE Briefing at OWASP Meeting, March 13
CWE Technical Lead Steve Christey is scheduled to present a briefing about CWE to the Open Web Application Security Project (OWASP) Meeting on March 13, 2009 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
February 12, 2009
MITRE Hosts "Making Security Measurable" Booth at 2009 Information Assurance Symposium
MITRE hosted a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."
Visit the CWE Calendar for information on this and other events.
CWE/SANS Top 25 Programming Errors List Receives Extensive News Coverage
CWE and the SANS Institute posted the completed 2009 CWE/SANS Top 25 Programming Errors on the CWE and SANS Web sites on January 12, 2009. A collaboration between the SANS Institute, MITRE, and over 40 top software security experts in the U.S. and Europe, the list provides detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.
The release received extensive news media coverage:
- "Targeting the 25 Most Dangerous Programming Errors," MITRE Digest, February 4, 2009
- "Are you a dangerous programmer?" iTWire, January 14, 2009
- "Coalition of Cybersecurity Organizations Reveals 25 Most Dangerous Programming Errors," Security Management, January 14, 2009
- "25 most dangerous software coding errors that help cyber criminals revealed," Sindh Today, January 14, 2009
- "The 25 most dangerous programming errors," heise online, January 14, 2009
- "New York drafts language demanding secure code," SearchSecurity.com, January 14, 2009
- "New York Plans Application Security Program: Developers must straighten up and fly right if they want to do business with the Empire State," InternetNews.com, January 14, 2009
- "Top 25 dangerous programming errors identified by panel of experts," SC Magazine, January 13, 2009
- "Tech project finds Top 25 coding flaws that let hackers in," USA Today, January 13, 2009
- "Dangerous coding errors revealed," BBC News, January 13, 2009
- "NSA helps name most dangerous programming mistakes," Macworld, January 13, 2009
- "Group releases list to kill most-dangerous bugs," SecurityFocus, January 13, 2009
- "Experts trumpet '25 most dangerous' programming errors," The Register, January 13, 2009
- "Update: The 25 greatest coding threats," ComputerworldUK, January 13, 2009
- "Cyber Security Alert: Top 25 Software Writing Blunders," Scientific American, January 13, 2009
- "NSA helps name most dangerous programming mistakes," InfoWorld, January 13, 2009
- "Software development gets 25 most dangerous coding mistakes list," Geek.com, January 13, 2009
- "Experts reveal top 25 programming errors," vnunet.com, January 13, 2009
- "Security experts name top 25 programming screw-ups," ARN.com, January 13, 2009
- "Security Group SANS Exposes 25 "Most Wanted" Coding Errors," ITProPortal.com, January 13, 2009
- "Experts reveal top 25 programming blunders," PC Pro, January 13, 2009
- "Top 25 common coding errors that brought down websites," neowin.net, January 13, 2009
- "Security Group SANS Exposes 25 "Most Wanted" Coding Errors," SecurityProPortal.com, January 13, 2009
- "Industry agrees on top 25 software errors," ITExaminer.com, January 13, 2009
- "The 25 most dangerous programming errors," heise Security UK, January 13, 2009
- "25 most dangerous programming errors," Tech Republic, January 13, 2009
- "2009 CWE/SANS Top 25 Most Dangerous Programming Errors," swbusiness.fi, January 13, 2009
- "One big step toward a safer Internet," Zero Day Threat, January 13, 2009
- "Software [In]security: Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work," informIT, January 13, 2009
- "Top 25 coding defects listed, surprising nobody with a clue," ZDNet, January 13, 2009
- "Top 25 Programming Errors Released," eFluxMedia.com, January 13, 2009
- "Dangerous Programming Errors Exposed," eFluxMedia.com, January 13, 2009
- "Software giants list 25 greatest net threats," PC Advisor, January 13, 2009
- "Top 25 programming errors revealed," ITPro, January 13, 2009
- "Are You Vulnerable to These Top 25 Coding Errors?" DaniWeb, January 13, 2009
- "25 dangerous programming errors made public," MX Logic, January 13, 2009
- "Top 25 dangerous programming errors identified by panel of experts," SC Magazine UK, January 13, 2009
- "CWE/SANS Top 25 Programming Errors," InformationWeek, January 13, 2009
- "Top firms launch web coding error list," Bluhalo, January 13, 2009
- "Top 25 coding errors listed," New Electronics, January 13, 2009
- "Top 25 Software Programming Errors," CIO, January 12, 2009
- "DHS, Microsoft, others release Top 25 programming blunders," SC Magazine, January 12, 2009
- "Top 25 software screw-ups," Network World, January 12, 2009
- "NSA, DHS, Industry Gang Up on Dangerous Software Errors," Business Week, January 12, 2009
- "Hack-Proofing Software," Forbes, January 12, 2009
- "Will Top 25 list of software errors rescue you from rotten software?" Network World, January 12, 2009
- "Security Experts ID Top 25 Programming Errors," Network World, January 12, 2009
- "NSA helps name most dangerous programming mistakes," Network World, January 12, 2009
- "List of Most Dangerous Programming Errors Changes IT Security Discussion," eWeek.com, January 12, 2009
- "Report Names Top 25 Worst Programming Errors," eWeek.com, January 12, 2009
- "25 Most Dangerous Programming Errors Exposed," InformationWeek, January 12, 2009
- "Update: The 25 greatest coding threats," Computerworld, January 12, 2009
- "Groups list most dangerous software programming errors," Federal Computer Week, January 12, 2009
- "Error correcting software from the beginning," Government Computer News, January 12, 2009
- "NSA initiative pinpoints 25 Top coding errors," ZDNet Government, January 12, 2009
- "SANS Releases List Of Top 25 Most Dangerous Programming Errors In Software," Dark Reading, January 12, 2009
- "Security Wonks List Coders' Top 25 Worst Flubs," TechNewsWorld.com, January 12, 2009
- "Security experts identify 25 dangerous coding errors," SearchSecurity.com, January 12, 2009
- "Most dangerous programming mistakes fingered," TechWorld.com, January 12, 2009
- "Group Lists 25 Most Dangerous Coding Errors Hackers Exploit," CIO India, January 12, 2009
- "Security Experts ID Top 25 Programming Errors," CSO, January 12, 2009
- "Groups release top 25 programming errors to improve cybersecurity," NextGov.com, January 12, 2009
- "The 25 most dangerous programming screw-ups…. ever!" TechBlorge.com, January 12, 2009
- "More than Coding Mistakes at Fault in Bad Software," InformationWeek, January 12, 2009
- "CWE/SANS top 25 most dangerous programming errors," Help Net Security, January 12, 2009
- "The 25 Most Dangerous Programming Errors," Bank Info Security, January 12, 2009
- "Experts reveal 25 coding errors that let in hackers," ComputerWeekly.com, January 12, 2009
- "Unveiled: Top 25 most dangerous code errors," Public Technology, January 12, 2009
- "Most Dangerous Programming Errors," Redmond Developer News, January 12, 2009
- "Avoiding the Most Common Programming Errors," InternetNews.com, January 12, 2009
- "Groups Release List of 25 Most Dangerous Programming Errors," IT Business Edge, January 12, 2009
January 28, 2009
MITRE to Host "Making Security Measurable" Booth at 2009 Information Assurance Symposium, February 3-6
MITRE is scheduled to host a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks." Please stop by booth 301 and say hello.
Visit the CWE Calendar for information on this and other events.
January 12, 2009
CWE Version 1.2 Now Available
CWE Version 1.2 has been posted on the CWE List page. Content changes include 4 new entries, a new view depicting the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors, and changes to 63 entries. There were a few small changes to the schema, which has been updated to version 4.2. A detailed report is available that lists specific changes between Version 1.1 and Version 1.2.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].
2009 MITRE/SANS Top 25 Most Dangerous Programming Errors Now Available
The official version of the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors that can lead to serious software vulnerabilities is now available on the CWE and SANS Web sites. The list is the result of collaboration between the SANS Institute, MITRE, and over 40 top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors and MITRE's Common Weakness Enumeration (CWE). MITRE maintains the CWE Web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.
The main goal for the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list will be a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers could use the same list to help them ask for more secure software. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software to "stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped." Many supporters of the Top 25 list voiced their thoughts about the importance of this effort.
January 8, 2009
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2009
MITRE has announced its initial Making Security Measurable calendar of events for 2009. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events may be added throughout the year. Visit the CWE Calendar for information or contact [email protected] to have MITRE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CPE, CEE, CRF, OVAL, and/or Making Security Measurable at your event.