CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > News > News & Events - 2010 Archive  
ID

News & Events - 2010 Archive
News & Events - 2010 Archive

December 13, 2010
December 13, 2010

CWE Version 1.11 Now Available

CWE Version 1.11 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.10 and Version 1.11.

The main changes include: (1) creation of 7 new entries, mostly for race conditions and "functionality inclusion" issues; (2) deprecation of one entry; (3) changes in the names of 26 entries, and descriptions of 40 entries; (4) modified mitigations for 20 entries, primarily to further normalize the mitigations in the Top 25; (5) updates to relationships for 35 entries, primarily for sub-tree reorganization for race conditions; (6) updates to the demonstrative examples in 23 entries; and (7) major changes to 135 entries.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

Common Weakness Scoring System (CWSS) Introductory White Paper Now Available

A white paper entitled Introduction to the Common Weakness Scoring System (CWSS) is now available for community review and download on the CWE Web site. CWSS is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security, and led by MITRE's CWE Team.

The white paper introduces the CWSS effort and explains how it can be used for assessing and prioritizing possible software architecture, design, code, and implementation weaknesses that "might be introduced into an application, which in some cases can contribute to a vulnerability within that software ... For example, a buffer overflow vulnerability might arise from a weakness in which the programmer does not properly validate the length of an input buffer. This weakness only contributes to a vulnerability if the input buffer can be influenced by a malicious party, and the malicious buffer is copied to a smaller buffer." In addition to helping developers score the severity of weaknesses, CWSS also provides a way for software consumers to "know what they should worry about the most, and what to ask for to get a more secure product from their vendors and suppliers."

Topics discussed in the white paper include CWSS's six primary stakeholders; design considerations for the framework and metrics; various scoring methods that might need to be supported; introduction of CWSS's "Vignette" concept, which is a "shareable, formalized way to define a particular environment, the role that software plays within that environment, and its priorities with respect to software security"; a CWSS Version 0.1 scoring list; considerations for CWSS beyond Version 0.1; additional scoring factors; activities for future versions; and ways the community can participate.

The majority of the development and refinement of the first major version of CWSS is expected to occur in 2011. We encourage members of the community to review the white paper and send feedback to [email protected].

CAPEC/CWE/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting, December 14-16

CWE/CAPEC Program Manager Robert A. Martin will present a briefing about CWE, CWE/CAPEC Co-Founder and Architect Sean Barnum will present a briefing about CAPEC, and MAEC Program Manager Penny Chase will present a briefing about MAEC to the DHS/DoD SwA Working Group Meeting Session on December 14-16, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CWE/Making Security Measurable Briefing at ITU-T Security Workshop

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE/Making Security Measurable entitled "Vendor Neutral Security Measurement & Management with Standards" at ITU-T security workshop "Addressing Security Challenges on a Global Scale" on December 6-7, 2010 in Geneva, Switzerland.

Visit the CWE Calendar for information on this and other events.

Software Assurance Panel Discussion at CIP Congress

CWE/CAPEC Program Manager Robert A. Martin participated on a discussion panel about Software Assurance at CIP Congress on November 30- December 2, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

November 23, 2010
November 23, 2010

New ISO/IEC Report Lists the 51 Most Common Vulnerabilities in Programming Languages

The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) issued a joint technical report (TR) on September 29, 2010 entitled "ISO/IEC TR 24772:2010, Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use" that describes classes of programming language vulnerabilities—features of languages that encourage or permit the writing of code that contains application vulnerabilities. The report describes 51 vulnerabilities in languages themselves, as well as 20 additional vulnerabilities that could be avoided by offering a richer set of library routines.

According to the report, programming language vulnerabilities should especially be avoided "in the development of systems where assured behaviour is required for security, safety, mission critical and business critical software. In general, this guidance is applicable to the software developed, reviewed, or maintained for any application." The report explains that the vulnerabilities occur in programming languages due to issues arising from incomplete or evolving language specifications, human cognitive limitations, lack of predictable execution, lack of portability and interoperability, inadequate language intrinsic support, and language features prone to erroneous use.

All of the vulnerabilities are documented in a standardized, language-independent format that allows readers to quickly comprehend and utilize the information. The report also provides standardized templates for the community to use when a new programming language vulnerability and/or resulting application vulnerability is identified.

No one language contains all of the vulnerabilities described in the report, but most are very common. Of the programming language and application vulnerabilities detailed in the report, 17 are also on the 2010 CWE/SANS Top 25 Most Dangerous Software Errors list. Future editions of the report will cover the remainder of the Top 25, any additional programming language and application vulnerabilities found in follow-on work, and annexes that apply the general guidance to particular programming languages.

The report is available for purchase from http://www.iso.org and http://www.ansi.org.

CWE and Making Security Measurable Panel Presentation at Rethinking Cyber Security: A Systems-Based Approach Conference

CWE/CAPEC Program Manager Robert A. Martin made a panel presentation about the Common Weakness Enumeration (CWE) initiative and Making Security Measurable at Rethinking Cyber Security: A Systems-Based Approach Conference on November 16, 2010 in Charlottesville, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Panel Discussion at 11th Annual Security Conference

CWE/CAPEC Co-Founder and Architect Sean Barnum participated on a discussion panel about CWE, CAPEC, and MAEC entitled "Current Attack Patterns and What's on the Horizon" at 11th Annual Security Conference on November 17, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

November 12, 2010
November 12, 2010

CWE and Making Security Measurable Panel Presentation at Rethinking Cyber Security: A Systems-Based Approach Conference, November 16

CWE/CAPEC Program Manager Robert A. Martin will make a panel presentation about the Common Weakness Enumeration (CWE) initiative and Making Security Measurable at Rethinking Cyber Security: A Systems-Based Approach Conference on November 16, 2010 in Charlottesville, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Panel Discussion at 11th Annual Security Conference, November 17

CWE/CAPEC Co-Founder and Architect Sean Barnum will participate on a discussion panel about CWE, CAPEC, and MAEC entitled "Current Attack Patterns and What's on the Horizon" at 11th Annual Security Conference on November 17, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

Software Assurance Panel Discussion at CIP Congress, November 30-December 2

CWE/CAPEC Program Manager Robert A. Martin will participate on a discussion panel about Software Assurance at CIP Congress on November 30-December 2, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

Software Assurance and MAEC Briefing at SC World Congress

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Software Assurance and the Malware Attribute Enumeration and Characterization (MAEC) Initiative at SC World Congress on November 10-11, 2010 in New York, New York, USA.

Visit the CWE Calendar for information on this and other events.

CWE/Making Security Measurable and CAPEC Briefings at AppSec DC 2010

CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CWE/Making Security Measurable and a briefing about CAPEC at Open Web Application Security Project (OWASP)'s AppSec DC 2010 on November 10, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC Keynote Presentation at SecureSDLC Conference

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about the CWE/SANS Top 25 List entitled "Avoiding the Most Dangerous Software Security Weaknesses – the 2010 Top 25" at SecureSDLC: Building Security into the Software Lifecycle on November 4, 2010 in Washington D.C., USA.

Visit the CWE Calendar for information on this and other events.

CWE/SANS Top 25 Keynote Presentation at Software Test Professionals Conference 2010

CWE/CAPEC Program Manager Robert A. Martin gave a keynote presentation about the CWE/SANS Top 25 entitled "2010's Top 25 Most Dangerous Application Security Weaknesses" at Software Test Professionals Conference & Expo 2010 on October 21, 2010 in Las Vegas, Nevada, USA. Attendees learned the 25 Most Dangerous Programming Software Errors, what they can do as a tester to determine and identify these potential vulnerabilities, and how to help create test cases to address them.

Visit the CWE Calendar for information on this and other events.

MAEC and Software Assurance Briefing at CSI Annual Conference

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Software Assurance and the Malware Attribute Enumeration and Characterization (MAEC) Initiative at CSI Annual Conference on October 28, 2010 in National Harbor, Maryland, USA.

Visit the CWE Calendar for information on this and other events.

Software Assurance Panel at SIGAda Conference 2010

Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD), Joe Jarzombek chaired a discussion panel that included CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum entitled "Mitigating Risks to the Enterprise via Software Assurance" at SIGAda Conference 2010 on October 28, 2010 in Fair Lakes, Virginia, USA. NCSD is the sponsor of CWE, CAPEC, and MAEC.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC Briefing at 2010 Federal Cybersecurity Conference and Workshop

CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about the CWE and CAPEC initiatives at 2010 Federal Cybersecurity Conference and Workshop on October 21, 2010 in Washington, D.C., USA. In addition, OVAL Program Manager Jonathan Baker presented a briefing about the Open Vulnerability and Assessment Language (OVAL)/Security Content Automation Protocol (SCAP) initiatives on October 20.

Visit the CWE Calendar for information on this and other events.

October 13, 2010
October 13, 2010

CWE/SANS Top 25 Keynote Presentation at Software Test Professionals Conference 2010, October 21

CWE/CAPEC Program Manager Robert A. Martin will give a keynote presentation about the CWE/SANS Top 25 entitled "2010's Top 25 Most Dangerous Application Security Weaknesses" at Software Test Professionals Conference & Expo 2010 on October 21, 2010 in Las Vegas, Nevada, USA. Attendees will learn the 25 Most Dangerous Programming Software Errors, what they can do as a tester to determine and identify these potential vulnerabilities, and how to help create test cases to address them.

Visit the CWE Calendar for information on this and other events.

MAEC and Software Assurance Briefing at CSI Annual Conference, October 28

CWE/CAPEC Program Manager Robert A. Martin will present a briefing about Software Assurance and the Malware Attribute Enumeration and Characterization (MAEC) Initiative at CSI Annual Conference on October 28, 2010 in National Harbor, Maryland, USA.

Visit the CWE Calendar for information on this and other events.

Software Assurance Panel at SIGAda Conference 2010, October 28

Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD), Joe Jarzombek will chair a discussion panel that includes CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum entitled "Mitigating Risks to the Enterprise via Software Assurance" at SIGAda Conference 2010 on October 28, 2010 in Fair Lakes, Virginia, USA. NCSD is the sponsor of CWE, CAPEC, and MAEC.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC and Making Security Measurable Briefings at DHS/DoD/NIST SwA Forum

CWE/CAPEC Program Manager Robert A. Martin presented briefings about CWE and Making Security Measurable, CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, and MAEC Program Manager Penny Chase presented a briefing about MAEC to the DHS/DoD/NIST SwA Forum on September 27-October 1, 2010 at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, USA.

Visit the CWE Calendar for information on this and other events.

CWE Briefing and Making Security Measurable Booth at IT Security Automation Conference 2010

CWE Program Manager Robert A. Martin presented a briefing about CWE at the U.S. National Institute of Standards and Technology's (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA.

In addition, MITRE hosted a CWE/Making Security Measurable booth and presented briefings and/or participated on discussion panels about the Making Security Measurable, CAPEC, MAEC, CVE, CCE, CPE, OVAL, XCCDF, CVSS, ARF, and CEE efforts.

Visit the CWE Calendar for information on this and other events.

Discussion Panel and Making Security Measurable Booth at HSNI 2010

MITRE participated in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and hosted a Making Security Measurable table booth, at Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

September 27, 2010
September 27, 2010

CWE Version 1.10 Now Available

CWE Version 1.10 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.9 and Version 1.10.

The main changes include: (1) creation of 7 new entries, mostly for synchronization and "memory safety" issues; (2) small changes in the names of 9 entries, and descriptions of 15 entries, primarily to reflect enhancements to CWE's vocabulary; (3) modified mitigations for 34 entries, primarily to further normalize the mitigations in the Top 25; (4) updates to 43 relationships, primarily for sub-tree reorganization for synchronization and memory safety; and (6) major changes to 91 entries.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

The CWE/SANS Top 25 has been updated to reflect the changes in CWE content.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

CWE/CAPEC/MAEC and Making Security Measurable Briefings at DHS/DoD/NIST SwA Forum

CWE/CAPEC Program Manager Robert A. Martin presented briefings about CWE and Making Security Measurable, CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, and MAEC Program Manager Penny Chase presented a briefing about MAEC to the DHS/DoD/NIST SwA Forum on September 27-October 1, 2010 at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, USA.

Visit the CWE Calendar for information on this and other events.

Discussion Panel and Making Security Measurable Booth at HSNI 2010

MITRE participated in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and hosted a Making Security Measurable table booth, at Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

Symantec Makes Declaration of CWE Compatibility

Symantec declared that its Secure Development Lifecycle Process is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

September 2, 2010
September 2, 2010

CWE Briefing and Making Security Measurable Booth at IT Security Automation Conference 2010, September 27-29

CWE Program Manager Robert A. Martin will present a briefing about CWE at the U.S. National Institute of Standards and Technology's (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA.

In addition, MITRE will host a CWE/Making Security Measurable booth and present briefings and/or participate on discussion panels about the Making Security Measurable, CAPEC, MAEC, CVE, CCE, CPE, OVAL, XCCDF, CVSS, ARF, and CEE efforts.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC and Making Security Measurable Briefings at DHS/DoD/NIST SwA Forum, September 27-October 1

CWE/CAPEC Program Manager Robert A. Martin is scheduled to present briefings about CWE and Making Security Measurable, CAPEC/CWE Co-Founder and Architect Sean Barnum is scheduled to present a briefing about CAPEC, and MAEC Program Manager Penny Chase will present a briefing about MAEC to the DHS/DoD/NIST SwA Forum on September 27-October 1, 2010 at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, USA.

Visit the CWE Calendar for information on this and other events.

Discussion Panel and Making Security Measurable Booth at HSNI 2010, September 20-21

MITRE will participate in a SCAP Panel Discussion about CVE, CCE, CPE, OVAL, XCCDF, and OCIL, and host a Making Security Measurable table booth, at Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC and Making Security Measurable Briefing at GFIRST National Conference

CWE, CAPEC, MAEC, and Making Security Measurable were key parts of a briefing entitled "Software Assurance: Mitigating Risks to Improve Incident Management" presented at the 6th Annual GFIRST National Conference in San Antonio, Texas, USA, on August 17, 2010 by Director for Software Assurance at DHS NCSD, Joe Jarzombek, Deputy Operations Manager at US-CERT, Thomas Millar, CWE/CAPEC Program Manager Robert A. Martin, and CAPEC/CWE Co-Founder and Architect Sean Barnum. The conference itself ran August 15-20.

Visit the CWE Calendar for information on this and other events.

August 12, 2010
August 12, 2010

CWE/CAPEC/MAEC and Making Security Measurable Briefing at GFIRST National Conference

CWE, CAPEC, MAEC, and Making Security Measurable are key parts of a briefing entitled "Software Assurance: Mitigating Risks to Improve Incident Management" scheduled to be presented at the 6th Annual GFIRST National Conference in San Antonio, Texas, USA, on August 17, 2010 by Director for Software Assurance at DHS NCSD, Joe Jarzombek, Deputy Operations Manager at US-CERT, Thomas Millar, CWE/CAPEC Program Manager Robert A. Martin, and CAPEC/CWE Co-Founder and Architect Sean Barnum. The conference itself runs August 15-20.

Visit the CWE Calendar for information on this and other events.

CWE/Making Security Measurable Booth at Black Hat Briefings 2010

CWE participated in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

June 29, 2010
June 29, 2010

CWE/SANS Top 25 List Name Tweaked

The name of the Top 25 list has been changed to the "2010 CWE/SANS Top 25 Most Dangerous Software Errors." The word "Programming" was changed to "Software" in order to more accurately describe the content of the list.

June 21, 2010
June 21, 2010

CWE Version 1.9 Now Available

CWE Version 1.9 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.8.1 and Version 1.9.

The main changes include: (1) creation of 11 entries for a new view (CWE-809) of the OWASP 2010 Top Ten; (2) small changes in the names of 22 entries, and descriptions of 55 entries, primarily to reflect enhancements to CWE's vocabulary; (3) modified mitigations for 89 entries, primarily to make the wording more consistent; (4) additions or improvements to demonstrative examples for 23 entries; (5) addition of references to each 2010 Top 25 entry; and (6) major changes to 155 entries.

The schema definition was updated from version 4.4.1 to 4.4.2, to reflect some changes to the Consequence_Technical_Impact element.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

The CWE/SANS Top 25 has been updated to reflect the changes in CWE content.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

CWE/CAPEC/MAEC Briefings at DHS/DoD SwA Working Group Meeting Session, June 21-23

CWE Team Member Conor Harris presented a briefing about CWE, CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, MAEC Program Manager Penny Chase presented a briefing about MAEC, CWE Technical Lead Steve Christey presented a briefing about the Common Weakness Scoring System (CWSS) and Pocket Guides, and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Software Assurance Automation Protocol (SwAAP) at the DHS/DoD SwA Working Group Meeting Session on June 21-23, 2010 in Balston, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Briefings at Security Automation Developer Days 2010

CWE/CAPEC Co-Founder and Architect Sean Barnum presented CWE and CAPEC briefings and MAEC Program Manager Penny Chase presented a briefing about MAEC at MITRE's Security Automation Developer Days 2010 on June 16, 2010 at MITRE in Bedford, Massachusetts, USA.

The main purpose of the three-day conference, held June 14-16, was for the information security community to discuss current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties.

Visit the CWE Calendar for information on this and other events.

Making Security Measurable Briefing at Seventh Biennial Multinational Operations Conference

CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about Making Security Measurable at the Seventh Biennial Multinational Operations Conference held at MITRE in McLean, Virginia USA on June 2-3, 2010.

Visit the CWE Calendar for information on this and other events.

May 17, 2010
May 17, 2010

MITRE Hosts Making Security Measurable Booth at InfoSec World 2010

MITRE hosted a Making Security Measurable booth at MIS Training Institute's (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC Panel Discussion at SOURCE Boston Conference

CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Technical Lead Steve Christey participated on a CWE/CAPEC panel discussion, and Christey presented a briefing about Common Vulnerabilities and Exposures (CVE), at SOURCE Boston Conference on April 21-23, 2010 in Boston, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

April 5, 2010
April 5, 2010

CWE Version 1.8.1 Now Available

CWE Version 1.8.1 has been posted on the CWE List page. This is a minor release that does not contain any new CWE entries or critical changes. A detailed report is available that lists specific changes between Version 1.8 and Version 1.8.1.

Changes for the new release include: (1) updated CAPEC mappings for 50 entries; (2) small changes in the names of 28 entries, reflecting enhancements to CWE's vocabulary; (3) improvements to descriptions for 30 entries; (4) additions or improvements to demonstrative examples for 24 entries; (5) additions or improvements to potential mitigations for 17 entries; and (6) major changes to 105 entries.

There are no new or deprecated CWE entries, and there are no modifications to the schema. PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

In addition, the 2010 CWE/SANS Top 25 has been updated to reflect the changes in CWE content.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2010, April 19-21

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute's (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010. Please stop by booth 319 and say hello!

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC Panel Discussion and CVE Briefing at SOURCE Boston Conference, April 21-23

CWE/CAPEC Program Manager Robert A. Martin and CWE Technical Lead Steve Christey are scheduled to participate on a panel discussion about vulnerability management, and Christey is scheduled to present a briefing about the last 10 years of Common Vulnerabilities and Exposures (CVE), at SOURCE Boston Conference on April 21-23, 2010 in Boston, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC Briefing at GovSec/FOSE

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE and Common Attack Pattern Enumeration and Classification (CAPEC) at GovSec/FOSE on March 23-24, 2010 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

Photos from Making Security Measurable Booth at RSA 2010

MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. See photos below:

RSA 2010 RSA 2010 RSA 2010 RSA 2010

Visit the CWE Calendar for information on this and other events.

March 19, 2010
March 19, 2010

2010 CWE/SANS Top 25 Programming Errors List Receives Extensive News Coverage

CWE and the SANS Institute posted the completed 2010 CWE/SANS Top 25 Programming Errors on the CWE and SANS Web sites on February 16, 2010. A collaboration between the SANS Institute, MITRE, and over 40 top software security experts in the U.S. and Europe, the list provides detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.

The release received extensive news media coverage:

CWE and Top 25 Are Main Topics of Federal News Radio Interview

Federal News Radio interviewed CWE/CAPEC Program Manager Robert A. Martin on March 10, 2010 about CWE and the Top 25 Most Dangerous Programming Errors. In the interview, entitled "Top federal software security holes exposed," Martin states: "The big problem is that traditional education in our country and across the world for software developers, for testers, for program managers has pretty much ignored this area. We put them into our software because we didn't know how they happened. So the CWE, the full Common Weakness Enumeration and then this prioritized part of the CWE, which we're calling the Top 25 Most Dangerous Programming Errors is basically an education tool at the first level. These are issues you should be aware of. You should ask your developers "have you been trained to recognize these if someone puts them in accidentally? Do you know how to program around these so that you don't introduce them?" You test people. "Do you know how to try to misuse and abuse your system?" So that, if there any of these latently in your software, you can find them before the user has it in his hands." A summary of the interview was published on the Federal News Radio Web site.

CWE Mentioned in Federal News Radio Interview about Software Assurance

Federal News Radio interviewed Joe Jarzombek, director for software assurance in the National Cyber Security Division of the Department of Homeland Security, on March 3, 2010 about software assurance. In the interview, entitled, "Software assurance affects more than just programmers," Jarzombek "explains why the CWE benefits cyber security -- and why this impacts more than programmers." A summary of the interview was published on the Federal News Radio Web site.

Coverity, Inc. Makes Two CWE Compatibility Declarations

Coverity, Inc. declared that its static analysis assessment and remediation tools, Coverity Prevent and Coverity Integrity Center, are now CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

MITRE Hosts Making Security Measurable Booth at RSA 2010

MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

MITRE Presents Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

February 16, 2010
February 16, 2010

2010 Top 25 Most Dangerous Programming Errors List Now Available

The 2010 version of the SANS/MITRE Top 25 Most Dangerous Programming Errors that can lead to serious software vulnerabilities is now available on the CWE and SANS Web sites. Based primarily on the CWE List and leveraging the SANS Top 20 attack vectors, the main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list is a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers may also use the list to help them to ask for more secure software, and software managers and CIOs can use the Top 25 as a measuring stick of progress in their efforts to secure their software.

Updates for the 2010 version include substantial improvements to the 2009 list. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The 2010 version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The 2010 version also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented in the Common Weakness Enumeration (CWE). Finally, many high-level weaknesses from the 2009 version have been replaced with lower-level variants that are more actionable.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

CWE Version 1.8 Now Available

CWE Version 1.8 has been posted on the CWE List page, primarily in support of the release of the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors list. A detailed report is available that lists specific changes between Version 1.7 and Version 1.8.

Changes for the new release include: (1) creation of 11 new entries, primarily in support of the 2010 CWE/SANS Top 25; (2) significant quality improvements to approximately 20 entries that are part of the 2010 Top 25, or "On the Cusp";" (3) additions or improvements to demonstrative examples for 33 entries; (4) additions or improvements to potential mitigations for 43 entries; (5) additions or improvements in references for 54 entries; (6) detection methods for 33 entries; (7) mappings to the WASC threat classification; (8) updated relationships for 77 entries; and (9) major changes to 162 entries.

The schema definition was updated from version 4.3 to version 4.4, to reflect some additional elements to support mitigations and detection methods. A summary is available here.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

MITRE to Host Making Security Measurable Booth at RSA 2010, March 1-5

MITRE is scheduled to host a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. Please stop by Booth 2617 and say hello!

Visit the CWE Calendar for information on this and other events.

MITRE to Present Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum, March 9-12

MAEC Team Member and CWE/CAPEC Program Manager Robert A. Martin is scheduled to present a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Hosts Making Security Measurable Booth at the 2010 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2010 Information Assurance Symposium in Nashville, Tennessee, USA, on February 2-5, 2010. In addition, CWE/CAPEC Co-Founder and Architect Sean Barnum participated on a SwA Panel Discussion. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."

Visit the CWE Calendar for information on this and other events.

January 26, 2010
January 26, 2010

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2010

MITRE has announced its initial Making Security Measurable calendar of events for 2010. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CWE Calendar for information or contact [email protected] to have MITRE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CPE, CEE, MAEC, OVAL, and/or Making Security Measurable at your event.

Security Automation Is Main Focus of DoD's IAnewsletter

"Security Automation: A New Approach to Managing and Protecting Critical Information" is the main topic of the Winter 2010 issue of the Department of Defense's (DoD) Information Assurance Technology Analysis Center's (IATAC) IAnewsletter.

According to the newsletter, a security automation strategy will enable automation of "many security and configuration management, compliance, and network defense functions and give our [DoD] system administrators and network defenders a chance to succeed." Specific articles topics include: An Introduction to Security Automation; Security Automation: A New Approach Managing and Protecting Critical Information; Security Content Automation Protocol; Secure Configuration Management (SCM); DoD Activities Underway to Mature SCAP Standards; Why Industry Needs Federal Government Leadership to Gain the Benefits of Security Automation; and Practicing Standards-Based Security Assessment and Management.

In addition, MITRE's CVE, CCE, CPE, and OVAL information assurance data standards are mentioned throughout the issue, especially with regard to how they are utilized by the National Institute of Standards and Technology's (NIST) Security Content Automation Protocol (SCAP) to help enable automated, standards-based security assessment and management.

The newsletter is free to download from the IATAC Web site.

Page Last Updated: March 30, 2018