Cr0security Penetration Testing and Consultant Services

News & Events - 2013 Archive

December 12, 2013

2 Products from Cr0security Now Registered as Officially "CWE-Compatible"

Two additional information security products have achieved the final stage of MITRE's formal CWE Compatibility Program and are now officially "CWE-Compatible." The products are now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 27 products to date have been recognized as officially compatible. The following products are now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire will help end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

CWE/CAPEC Briefing and Software Assurance Panel at AppSec USA 2013

CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) entitled "Tagging Your Code with a Useful Assurance Label," and Barnum also participated in a panel discussion about software assurance entitled "Aim-Ready-Fire," at AppSec USA 2013 in New York City, New York, USA, on November 20, 2013. Visit the CWE Calendar for information on this and other events.

October 23, 2013

"Use & Citations of CWE" Page Added to Community Section

A "Use & Citations of CWE" page has been added to the Community section of the CWE Web site. The new page lists the numerous documents and resources that use or cite CWE in the areas of Academia, Government, Industry, Policy, Reference, and Standards.

September 5, 2013

1 Product from Conviso Application Security Now Registered as Officially "CWE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 25 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire will help end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

August 8, 2013

MITRE Hosts CWE Booth at Black Hat Briefings 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CWE at Black Hat Briefings 2013 at Caesar's Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013. Visit the CWE Calendar for information on this and other events.

July 17, 2013

CWE Version 2.5 Now Available

CWE Version 2.5 has been posted on the CWE List page. A detailed report is available that lists the specific changes between Version 2.4 and Version 2.5. In all, 78 entries were modified. The main changes include: (1) 20 new entries, primarily covering mobile applications (6 entries) and the OWASP 2013 Top Ten (11 entries); (2) two deprecated entries; (3) name and description changes for 11 and 16 entries respectively; (4) relationship changes for 47 entries, primarily reflecting the new views; and (5) modifications to at least 10 entries for applicable platforms, references, and potential mitigations. There were no schema changes for this version. PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

MITRE to Host CWE Booth at Black Hat Briefings 2013 on July 27 – August 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CWE at Black Hat Briefings 2013 at Caesar's Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CWE Team will be in attendance. Please stop by Booth 242 and say hello! Visit the CWE Calendar for information on this and other events.

CWE Mentioned in Article about the OWASP Top 10 Security Flaws for 2013 on NetworkWorld.com

CWE and Common Vulnerabilities and Exposures (CVE®) were mentioned in a June 14, 2013 article entitled "Breaking down the OWASP Top 10 security flaws for 2013: What's changed from OWASP's 2010 list and why" on NetworkWorld.com's "Security Blanket" blog. CWE and CVE were mentioned in a section about why web application denial-of-service (DoS) attacks were not included on the OWASP list, in quotes by CWE/CVE Technical Lead Steve Christey, as follows: "Regarding application DoS I don't know if we should be so dismissive of it. The (negative) commentary I've seen on application DoS is concentrating on network-based attacks. (However,) there are other resource-consumption vulnerabilities that are gaining popularity in CVE, such as unrestricted XML entity expansion, a.k.a. 'billion laughs' (CWE-776) (that causes a DoS due to) memory consumption. Another example is algorithmic complexity involving hash collisions that slow down hash-table lookups, which was all the rage about a year ago, (that causes a DoS due to) CPU consumption. More recently, Ruby and/or Ruby-based applications have been getting hit with a number of other resource-consumption issues, such as a memory DoS by forcing the creation of a large number of symbols." Christey continued, "While I don't know how often these are exploited, and they may be difficult to detect, or how often they'll be exploited in the future, these kinds of application DoS issues are becoming popular. As code-execution vulnerabilities get harder to find, I suspect we will see more of these. This might not be enough to merit inclusion in the OWASP Top Ten, but is definitely something to watch out for."

CWE Compatibility Main Topic of Press Release by High-Tech Bridge SA

CWE and Common Vulnerabilities and Exposures (CVE) were the main topics of a July 2, 2013 press release by High-Tech Bridge SA entitled "ImmuniWeb Web Security Assessment SaaS is certified CVE and CWE Compatible" about their ImmuniWeb product achieving both Official CWE-Compatible status and Official CVE-Compatible status. The release also includes a quote by CWE Program Manager Robert A. Martin, who states: "We are always excited about having the CVE and CWE efforts adopted and used within commercial offerings but it is especially gratifying when it is by companies in other countries and markets, like High-Tech Bridge. Leveraging CVE and CWE in ImmuniWeb clearly makes business sense and it is directly helping their customers improve the speed and directness as they address vulnerabilities and weaknesses that are putting their organizations at risk." High-Tech Bridge's CWE Compatibility Questionnaire for ImmuniWeb is available as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site.

CWE/CAPEC Briefings at DHS/DoD SSCA Working Group Meeting Session – Summer 2013

CWE/CAPEC Program Manager Robert A. Martin engaged the working group participants in discussions about applying Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) to the software and supply chain assurance problems of software, hardware, and services at the DHS/DoD Software and Supply Chain Assurance (SSCA) Working Group Meeting Session - Summer 2013 on June 25-27, 2013 at MITRE Corporation in McLean, Virginia, USA. Visit the CWE Calendar for information on this and other events.

June 26, 2013

1 Product from High Tech Bridge Now Registered as Officially "CWE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 24 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire will help end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

CWE/CAPEC Briefing at CISQ Seminar at OMG Technical Meeting, Berlin, Germany

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) entitled "Measuring and Managing Software Security" at the Consortium for IT Software Quality (CISQ) Seminar at the OMG Technical Meeting on June 19, 2013 in Berlin, Germany. Visit the CWE Calendar for information on this and other events.

June 10, 2013

CWE/CAPEC Briefings at DHS/DoD SSCA Working Group Meeting Session – Summer 2013, June 25-27

CWE/CAPEC Program Manager Robert A. Martin will be engaging the working group participants in discussions about applying Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) to the software and supply chain assurance problems of software, hardware, and services at the DHS/DoD Software and Supply Chain Assurance (SSCA) Working Group Meeting Session - Summer 2013 on June 25-27, 2013 at MITRE Corporation in McLean, Virginia, USA. Co-sponsored by organizations in the U.S. Department of Homeland Security (DHS), U.S. Department of Defense (DoD), and U.S. National Institute of Standards and Technology (NIST), the DHS/DoD Software and Supply Chain Assurance (SSCA) Working Group Sessions provide venues for public-private interaction and collaboration on enhancing software security and focus on "software security-related advances in practices, products, and standards for software development, acquisition, supply chain management, education and training, tools, and measurement in order to reduce risk." Visit the CWE Calendar for information on this and other events.

High Tech Bridge Makes Declaration of CWE Compatibility

High-Tech Bridge SA declared that its SaaS Web application vulnerability assessment service, ImmuniWeb, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

May 24, 2013

1 Product from Fasoo.com, Inc. Now Registered as Officially "CWE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 23 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire will help end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

May 10, 2013

MITRE Hosts CWE Booth at InfoSec World 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CWE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Visit the CWE Calendar for information on this and other events.

April 12, 2013

1 Product from WebLayers, Inc. Now Registered as Officially "CWE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 22 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire will help end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Conviso Application Security Makes Declaration of CWE Compatibility

Conviso Application Security declared that its vulnerability identification and management product, Conviso Security Compliance (CSC), is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE/CWRAF Briefing and Secure Coding Briefing at IEEE Secure Software Technology Conference 2013

CWE/CAPEC Program Manager Robert A. Martin presented a briefing entitled "Tagging Your Binaries with a Risk Analysis Measurement from CWE/CWRAF" and a briefing entitled "Organizing Your Secure Coding Efforts for Automation, Compliance, and Successful Risk Management" at IEEE Software Technology Conference (STC) 2013 on April 8-10, 2013 in Salt Lake City, Utah, USA. Visit the CWE Calendar for information on this and other events.

Photos from CWE Booth at RSA 2013

MITRE hosted a "Strengthening Cyber Defense" booth that included CWE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013.

Strengthening Cyber Defense booth photos:

Visit the CWE Calendar for information on this and other events.

March 15, 2013

1 Product from Denim Group, Ltd. Now Registered as Officially "CWE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 21 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire will help end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

CWE/CWRAF Briefing and Secure Coding Briefing at IEEE Secure Software Technology Conference 2013, April 8-10

CWE/CAPEC Program Manager Robert A. Martin will present a briefing entitled "Tagging Your Binaries with a Risk Analysis Measurement from CWE/CWRAF" and a briefing entitled "Organizing Your Secure Coding Efforts for Automation, Compliance, and Successful Risk Management" at IEEE Software Technology Conference (STC) 2013 on April 8-10, 2013 in Salt Lake City, Utah, USA.

The "Tagging Your Binaries with a Risk Analysis Measurement from CWE/CWRAF" briefing will discuss how Common Weakness Enumeration (CWE™) and Common Weakness Risk Analysis Framework (CWRAF™) can be used to "create 'An Assurance Tag for Binaries', basically an assurance 'food label' for code. This talk will conclude with a discussion of what such an item could look like, what it could capture, how the information could be obtained, who would/could create them, and how they could be represented for humans and machines to use."

The "Organizing Your Secure Coding Efforts for Automation, Compliance, and Successful Risk Management" briefing will discuss the "Defense Information Systems Agency's new application Security Recommendation Guide (SRG) for mobile apps as well as their Application Security Technical Implementation Guide and the National Institute of Standards and Technology's App Vetting Special Publication 163. Learn about how to structure and manage your organization's secure coding activities so you can leverage commercial assessment tools, comply with these new mandates and, more importantly, make your software less vulnerable to exploit and better prepared to perform its mission while under cyber attack." Visit the CWE Calendar for information on this and other events.

"Measurable Software Assurance Against Expected Threats" Briefing Available as Webcast on BrightTalk.com

The "Measurable Software Assurance Against Expected Threats" briefing is now available as a webcast on BrightTalk.com. The briefing, which was presented by CWE/CAPEC Program Manager Robert A. Martin at DHS Software Assurance Summit 2013 on February 21, 2013 in Gaithersburg, Maryland, USA, includes discussion of Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Common Weakness Scoring System (CWSS™), and Common Weakness Risk Analysis Framework (CWRAF™), and details how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime."

March 8, 2013

MITRE to Host CWE Booth at InfoSec World 2013, April 15-17

MITRE will host a "Strengthening Cyber Defense" booth that includes CWE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CWE Team will be in attendance. Please stop by Booth 313 and say hello! Visit the CWE Calendar for information on this and other events.

MITRE Hosts CWE Booth at RSA 2013

MITRE hosted a booth about "Strengthening Cyber Defense" that included CWE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Visit the CWE Calendar for information on this and other events.

CWE/CWSS/CWRAF/CAPEC Briefing at DHS Software Assurance Summit 2013

CWE/CAPEC Program Manager Robert A. Martin presented a briefing entitled "Measurable Software Assurance Against Expected Threats" at DHS Software Assurance Summit 2013 on February 21, 2013 in Gaithersburg, Maryland, USA. The briefing included discussion of Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF), and detailed how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime." Visit the CWE Calendar for information on this and other events.

February 21, 2013

CWE Version 2.4 Now Available

CWE Version 2.4 has been posted on the CWE List page. A detailed report is available that lists the specific changes between Version 2.3 and Version 2.4. In all, 96 entries were modified. The main changes include: (1) 11 new entries covering a variety of weaknesses; (2) significant changes to several entries, related mostly to password hashes, certificates, deserialization, and XML-related attacks; (3) name and description changes for 11 and 15 entries respectively; (4) relationship changes for 44 entries, primarily reflecting re-organization of parts of the research view; (5) mitigation updates in 36 entries; (6) updated fields to start showing links with mobile applications; and (7) updates in at least 10 entries for alternate terms, observed examples, demonstrative examples, references, and applicable platforms. The schema was updated to version 5.3 to support tracking weaknesses related to mobile applications. PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

February 12, 2013

CWE/CWSS/CWRAF/CAPEC Briefing at DHS Software Assurance Summit 2013 on February 21

CWE/CAPEC Program Manager Robert A. Martin will present a briefing entitled "Measurable Software Assurance Against Expected Threats" at DHS Software Assurance Summit 2013 on February 21, 2013 in Gaithersburg, Maryland, USA. The briefing will include discussion of Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF), and detail how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime." Visit the CWE Calendar for information on this and other events.

MITRE to Host CWE Booth at RSA 2013, February 25 – March 1

MITRE will host a booth about "Strengthening Cyber Defense" that includes CWE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. Members of the CWE Team will be in attendance. Please stop by Booth 2617 and say hello! Visit the CWE Calendar for information on this and other events.

Updated CWE Introductory Flyer Now Available

The updated CWE Introductory Flyer, which is a brief two-page introduction to the CWE effort, is now available on the Documents page.

CWSS/CWRAF Introductory Flyer Now Available

The CWSS/CWRAF Introductory Flyer, which is a brief two-page introduction to the Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™) efforts, is now available on the Documents page.

January 11, 2013

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2013

MITRE has announced its initial Making Security Measurable calendar of events for 2013. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event. Other events may be added throughout the year. Visit the CWE Calendar for information or contact [email protected] to have MITRE present a briefing or participate in a panel discussion about CWE™, CWSS™, CAPEC™, CVE®, OVAL®, CCE™, CPE™, CEE™, MAEC™, CybOX™, STIX™, TAXII™, and/or Making Security Measurable at your event. Visit the CWE Calendar for information on this and other events.