News & Events - 2015 Archive

December 7, 2015

CWE Version 2.9 has been posted on the CWE List page. A detailed report is available that lists the specific changes between Version 2.8 and Version 2.9. There is one new entry, the view CWE-1003, which updates CWE-635 (Weaknesses Used by NVD) to provide a more complete set of CWE entries than the 19 entries that had been used in CWE-635 since 2008. In all, 119 entries were modified, primarily because of the relationships added for the new view. The main changes are: (1) a name change for 1 entry, (2) relationship changes for 114 entries related to the new view, and (3) changes to a small number of entries based on feedback from external parties. No changes were made to the schema. The PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].

1 Product from Lucent Sky Now Registered as Officially "CWE-Compatible"

December 7, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 42 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

CWE/CWSS/CAPEC Mentioned in ITU's "Security in Telecommunications and Information Technology 2015"

December 7, 2015

Common Weakness Enumeration (CWE™), Common Weakness Scoring System (CWSS™), and Common Attack Pattern Enumeration and Classification (CAPEC™) are included in a September 2015 technical report entitled "Security in Telecommunications and Information Technology 2015" on the International Telecommunication Union (ITU) website. The main topic of the report is an "overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications." CWE, CWSS, and CAPEC, as well as Common Vulnerabilities and Exposures (CVE®) and Malware Attribute Enumeration and Characterization (MAEC™), are mentioned in "Chapter 11 - Cybersecurity and incident response," as follows: CVE is the main topic of section "11.1.2 Exchange of vulnerability information," CWE is the main topic of section "11.1.4 Exchange of weakness information," CWSS is the main topic of section "11.1.5 Weakness scoring," CAPEC is the main topic of section "11.1.5 Exchange of attack pattern information," and MAEC is the main topic of section "11.1.7 Exchange of malware characteristics information." The report is available for free download from http://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-SEC-2015-PDF-E.pdf.
CWE Mentioned in "The Most Vulnerable Vector of Attack" Article on The Cipher Brief

December 7, 2015

CWE is mentioned in a December 6, 2015 article entitled "The Most Vulnerable Vector of Attack" on The Cipher Brief. The article is an interview with Joe Jarzombek, U.S. Department of Homeland Security (DHS) Director for Software and Supply Chain Assurance in Cybersecurity and Communications, about "threats that face supply chains and the best way to mitigate them." CWE is mentioned by Jarzombek in response to a question about the most effective methods through which businesses can mitigate risks to their supply chains, as follows: "Businesses need to signal that sloppy 'manufacturing cyber hygiene' is not acceptable by potential suppliers. The best signals are via purchasing contracts that need to have terms and conditions to address acceptance criteria and liability for non-conforming products. As part of purchasing practices, and prior to being used in operations, ICT components need to have been tested for malware, known vulnerabilities (CVEs in the National Vulnerability Database), and exploitable weaknesses (CWEs) that are most applicable to the technology for the deployed environment – either by testing conducted by the using enterprise or through independent third party evaluation and certification."

CWE Cited as Product Feature in Press Release by IAR Systems

December 7, 2015

CWE is cited as a product feature in a November 30, 2015 press release entitled "IAR Systems enhances 8051 tools with highly requested static code analysis" by IAR Systems. CWE is mentioned as follows: "C-STAT features innovative static analysis that can detect defects, bugs, and security vulnerabilities as defined by CERT C/C++ and the Common Weakness Enumeration (CWE), as well as help keeping code compliant to coding standards like MISRA C:2004, MISRA C++:2008 and MISRA C:2012. By using static analysis, it is possible to identify errors such as memory leaks, access violations, arithmetic errors, and array and string overruns at an early stage. This makes it possible for developers to ensure code quality and minimize the impact of errors on the finished product and on the project timeline." Read the complete press release at https://www.iar.com/about-us/newsroom/press/?releaseId=2053293.

CWE Cited as Product Feature in Press Release by Column Information Security

December 7, 2015

CWE is cited as a product feature in a November 19, 2015 press release by Column Information Security entitled "Column Information Security Announces Partner Agreement with Veracode." CWE is mentioned at the beginning of the press release, in bullet 2 of 4, as follows: "Web Perimeter Security – discovers all web-facing applications associated with a customer — including cloud-hosted sites, temporary marketing sites – and performs a comprehensive deep scan to quickly identify highly exploitable vulnerabilities such as those found in the OWASP Top 10 and CWE/SANS Top 25." Read the complete press release at http://www.columninfosec.com/news/column-information-security-announces-partner-agreement-with-veracode.html.

CWE-IDs Cited in ToolsWatch.org's "ICS/SCADA Top 10 Most Dangerous Software Weaknesses" White Paper

December 7, 2015

CWE Identifiers (CWE-IDs) are used to uniquely identify the weaknesses discussed in a November 5, 2015 white paper entitled "ICS/SCADA Top 10 Most Dangerous Software Weaknesses" on ToolsWatch.org. The white paper discusses the methodology its author used to determine the top 10 weaknesses, and then uses the following CWE-IDs to uniquely identify them:

(1) CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
(2) CWE-20: Improper Input Validation
(3) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
(4) CWE-264: Permissions, Privileges, and Access Controls
(5) CWE-200: Information Exposure
(6) CWE-255: Credentials Management
(7) CWE-287: Improper Authentication
(8) CWE-399: Resource Management Errors
(9) CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(10) CWE-189: Numeric Errors

The author also provides additional discussion of each weakness, and then lists the top 5 vendors the author believes are most affected by each of the ten weaknesses.

CWE Mentioned in Article about Secure Application Development on TechTarget

December 7, 2015

CWE is mentioned in a November 2, 2015 article entitled "Q&A: Secure application development in the age of mashups" on TechTarget. The article is an interview with Veracode Chief Strategy Officer Sam King. CWE is mentioned in a response to a question about how it is "…common nowadays to mash up applications using entire programs as components -- and the resulting application inherits a bug stack consisting of the sum of the bugs in the components plus any interactions between them…", as follows: "You need an agreed-on set of quality standards, compliance initiatives with teeth, a way for vendors to signal compliance with those standards, a way to test for compliance that everyone agrees on, and a clear value proposition for both the enterprise and the supply chain to make it work. We are starting to see some of those pieces come to fruition in the context of vendor-supplied applications, between the FS-ISAC recommendation for binary static testing, software component analysis, and VBSIMM (or the equivalent, OpenSAMM); market standards for testing like OWASP, the CWE/SANS Top 25 Most Dangerous Software Errors, and Veracode's Verafied seal; inclusion of software and supply chain security in the PCI standard; and the threat of federal lawsuits for inadequate cybersecurity protection. For mashup applications that leverage third-party Web services, this model -- and some of these specific (risk avoidance) strategies -- may prove helpful for organizations trying to get their arms around this risk."

CWE Mentioned in Article about Vulnerabilities in LTE Mobile Networks on Fudzilla.com

December 7, 2015

CWE is mentioned in an October 20, 2015 article entitled "LTE networks have evil bugs" on Fudzilla.com. The main topic of the article is that "Carnegie Mellon University's CERT security vulnerabilities database has issued an alert regarding the status of LTE (Long-Term Evolution) mobile networks." CWE is mentioned as follows: "The technology has four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS attacks on the phone and network, and obtain free data transfers without being charged … CERT said that the four vulnerabilities (CWE-732, CWE-284, CWE-287, and CWE-384) allow attackers to take advantage of some things like incorrectly set call permissions, the ability to establish direct sessions between phones, improper authentication for SIP messages, and a bug that enables attackers to establish multiple sessions with the same phone number." Note that these four identifiers name the underlying weakness types rather than the individual vulnerabilities themselves. Visit CWE-732: Incorrect Permission Assignment for Critical Resource; CWE-284: Improper Access Control; CWE-287: Improper Authentication; and CWE-384: Session Fixation to learn more about these issues.

CWE Mentioned in Article about Medical Device Cybersecurity on MD+DI

December 7, 2015

CWE is mentioned in an October 12, 2015 article entitled "Getting Started on Medical Device Cybersecurity" on Medical Device and Diagnostic Industry (MD+DI). The main topic of the article is that "Tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and wondering where to start." CWE is mentioned as follows: "The notion of tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and asking where they should start. Before developing plans on where you're going, it's important to figure out where you stand. Performing vulnerability assessments on devices that are currently out in the wild is a great way to figure out where you're at, and the results will enable you to identify what steps could be taken to raise the security posture of the device. Utilize industry best practices such as the SANS and CWE top 25 as well as OWASP top 10 for common weaknesses that are found in application security. These lists are wonderful collations of easily digestible steps that can be taken to improve the security of a device or software application."

Three CWE-IDs Cited in Article about Vulnerabilities in Seagate Hard Drives on The Inquirer

December 7, 2015

Three CWE Identifiers (CWE-IDs) are cited in a September 8, 2015 article entitled "Seagate issues fix for wireless hard drive backdoor vulnerability" on The Inquirer. The main topic of the article is the vulnerabilities discovered in Seagate wireless hard drives and that a "CERT announcement confirmed that the flaws could be used to inject malicious files onto the WiFi drives, taking control of or infecting connected devices." The following three CWE-IDs are cited, along with Common Vulnerabilities and Exposures (CVE®) Identifiers, to uniquely identify the three issues: CWE-798: Use of Hard-coded Credentials with CVE-2015-2874; CWE-425: Direct Request ('Forced Browsing') with CVE-2015-2875; and CWE-434: Unrestricted Upload of File with Dangerous Type with CVE-2015-2876.
2nd Product from Suresoft Technologies Now Registered as Officially "CWE-Compatible"

December 1, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 41 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
1 Product from CAST Software Now Registered as Officially "CWE-Compatible"

December 1, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 41 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Lucent Sky Makes Declaration of CWE Compatibility

December 1, 2015

Lucent Sky Corporation declared that its application vulnerability mitigation tool, Lucent Sky Application Vulnerability Mitigation (AVM), is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Discussion Panel at "Industrial Internet West Coast Forum" Meeting on December 10

December 1, 2015

CWE/CAPEC Program Manager Robert A. Martin will participate on a discussion panel entitled "Beyond the Hype: Deploying the Industrial IoT in the Real World" at the Industrial Internet West Coast Forum in San Diego, California, USA on December 10, 2015. "The Industrial Internet Consortium is a global not-for-profit, open membership organization formed to accelerate the development, adoption, and wide-spread use of interconnected machines and devices, intelligent analytics, and people at work. Founded by AT&T, Cisco, General Electric, IBM, and Intel in March 2014, the Industrial Internet Consortium catalyzes and coordinates the priorities and enabling technologies of the Industrial Internet." Visit the CWE Calendar for information on this and other events.

November 24, 2015

CWE/CAPEC Program Manager Robert A. Martin will present a briefing that discusses Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), and Common Weakness Scoring System (CWSS™) entitled "How Can We Better Use Scoring Systems (CVSS, CWSS, CWE 3.0)" at the Software and Supply Chain Assurance Winter Working Group 2015 meeting hosted at MITRE Corporation in McLean, Virginia, USA on December 3, 2015. The event itself runs December 1-3. "Co-sponsored by organizations within the Department of Homeland Security (DHS), Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the General Services Administration (GSA), SSCA events meet quarterly with the SSCA Forums meeting on a semi-annual basis in spring and fall and the SSCA Working Groups (meeting in between Forums) in the summer and winter. These events bring together stakeholders responsible for protecting the Nation's key information technologies—most of which are enabled and controlled by software and influenced by the supply chain." Visit the CWE Calendar for information on this and other events.
1 Product from Suresoft Technologies Now Registered as Officially "CWE-Compatible"

November 19, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 39 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

November 19, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 39 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Code Dx Makes 2 Declarations of CWE Compatibility

November 19, 2015

Code Dx, Inc. declared that its software vulnerability assessment tools, Code Dx Enterprise Edition and Code Dx Standard Edition, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

Suresoft Technologies Makes Declaration of CWE Compatibility

November 19, 2015

Suresoft Technologies Inc. declared that its code-based automatic inspection tool, CodeScroll Code Inspector, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE/CAPEC Are Discussion Topics at 3 Recent Industry Events

November 19, 2015

Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) were discussion topics at three events in October. On October 27, 2015, CWE/CAPEC Program Manager Robert A. Martin presented two briefings that discussed CWE and CAPEC, entitled "Prioritizing Security Vulnerabilities and Focused Testing" and "Capturing and Communicating Assurance," at the MISRA & Security Best Practices – PRQA Fall Seminar in Dearborn, Michigan, USA. On October 19, 2015, Robert A. Martin presented a briefing that discussed CWE and CAPEC, entitled "Prioritizing Security Vulnerabilities and Gaining Assurance," at the Open Group Enabling Boundaryless Information Flow conference in Edinburgh, UK. Lastly, on October 15, 2015, CWE and CAPEC were discussion topics in a webinar by the Consortium for IT Software Quality (CISQ) entitled "Latest Advances in Cybersecurity and the NEW CISQ Security Standard," presented by Robert A. Martin, CWE Program Manager and co-author of the CISQ security measure for detecting cybersecurity issues in software. Please see our article "CWE Mentioned in CISQ Press Release Announcing New Specifications for Measuring Structural Quality of Software" for additional information about the new CISQ security measure. Visit the CWE Calendar for information on these and other events.

October 14, 2015

CWE will be a discussion topic in a Consortium for IT Software Quality (CISQ) webinar on October 15, 2015 entitled "Latest Advances in Cybersecurity and the NEW CISQ Security Standard," presented by Robert A. Martin, CWE Program Manager and co-author of the CISQ security measure for detecting cybersecurity issues in software. From the CISQ website: "Cybersecurity is front and center on the CIO agenda. In this webinar, we will hear from Robert Martin, director of the Common Weakness Enumeration (CWE) at MITRE and the lead researcher on the CISQ security standard. The new CISQ Security measure was developed to predict the vulnerability of application source code to external attack. The measure identifies the Top 25 CWEs in software under evaluation, which represent the most widespread and frequently exploited security weaknesses. Attend this webinar to learn how to use the CISQ Security standard to automatically detect cybersecurity vulnerabilities and measure application security. Robert Martin will also provide an overview of the security landscape and future projects under consideration by CISQ, MITRE, and U.S. Government." NOTE: See our article "CWE Mentioned in CISQ Press Release Announcing New Specifications for Measuring Structural Quality of Software" for additional information about the new CISQ security measure. The webinar, which will be held on Thursday, October 15, 2015, from 11:00am – 12:00pm EDT, is free and open to the public, but registration is required.

October 14, 2015

CWE/CAPEC Program Manager Robert A. Martin will present a briefing that discusses Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) entitled "Prioritizing Security Vulnerabilities and Gaining Assurance" at the Open Group Enabling Boundaryless Information Flow conference in Edinburgh, UK on October 19, 2015. According to the conference website: "In this presentation we will describe how risk calculations that include the business impact of the various failures possible from exploiting different types of vulnerabilities in the common weakness enumeration (CWE) collection can be used to focus remediation and mitigation efforts for critical software in an organization. While security tools play a role in these activities, other architecture, design, and development activities and reviews can also provide valuable insights into the security posture of the organization's software capabilities. Having assurance that the mission will not be circumvented, undermined, or unnecessarily put at risk through attacks on any software that provides critical mission capabilities requires a shift in focus and integration of many types of assessment activities across the acquisition life cycle." Visit the CWE Calendar for information on this and other events.

October 14, 2015

CWE/CAPEC Program Manager Robert A. Martin will present two briefings that discuss Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™), entitled "Prioritizing Security Vulnerabilities and Focused Testing" and "Capturing and Communicating Assurance," at the MISRA & Security Best Practices – PRQA Fall Seminar in Dearborn, Michigan, USA on October 27, 2015. According to the conference website: "This session will disclose more about how the absence of a common measure for software weaknesses has limited the software industry's ability to access and remediate exploitable software flaws. Consequently, organizations such as CWE, CAPEC, [CWSS], [CWRAF] have provided consistent and structured mechanisms for prioritizing assurance efforts to deal with the most dangerous weaknesses to the system's intended functions and capabilities first." Visit the CWE Calendar for information on this and other events.

1 Product from LDRA Now Registered as Officially "CWE-Compatible"
September 17, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 37 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

1 Product from ToolsWatch Now Registered as Officially "CWE-Compatible"

September 17, 2015

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 37 products to date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo allows system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

September 17, 2015

CWE is mentioned in a September 15, 2015 press release by the Consortium for IT Software Quality (CISQ) entitled "Consortium for IT Software Quality Announces New Specifications for Measuring Structural Quality of Software." The main topic of the press release is that CISQ announced the release of "new measurement specifications based on detecting weaknesses in the reliability, security, performance efficiency and maintainability of software applications. These quality measures can be used to evaluate the risk in software-intensive systems from such sources as unauthorized penetrations, outages, data corruption, degraded performance, and excessive complexity." CWE is mentioned as follows: "The CISQ measures are developed from counting violations of good architectural and coding practice that are severe enough to be prioritized for remediation. For instance, the security measure is derived from the top 25 violations of good coding practice such as SQL injections, buffer overflows, and cross-site scripting that allow unauthorized intrusions and data theft. This list comes from the Common Weakness Enumeration (CWE) repository which is managed by the MITRE Corporation. The reliability measure incorporates empty exception blocks, unreleased resources, circular dependencies, and other violations that cause outages and slow recovery times. Performance efficiency includes coding weaknesses such as expensive loop operations, un-indexed data access, and unreleased memory that degrade response-time and overuse resources. The maintainability measure includes coding weaknesses such as excessive coupling, dead code, and hard-coded literals that make maintenance and enhancements overly expensive and defect-prone." In addition, the release also announced that CISQ will host a webinar on October 15, 2015 presented by Robert A. Martin, CWE Program Manager and co-author of the CISQ security measure for detecting cybersecurity issues in software, entitled "Latest Advances in Cybersecurity and the NEW CISQ Security Standard." The webinar is free and open to the public, but registration is required.

CWE Mentioned in Article about Commercial Versus Open Source Code Compliance on Security Week

September 17, 2015

CWE is mentioned in a July 30, 2015 article entitled "Commercial code is more compliant to security standards than open source code" on Security Week. The main topic of the article is the release of Coverity, Inc.'s "Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "Based on the analysis of more than 10 billion lines of code from thousands of open source and commercial products, experts have determined that while open source projects are doing a better job at addressing quality and security issues, enterprises take the lead when it comes to complying with security standards such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) 25."

CWE Mentioned in Article about Commercial Versus Open Source Code Compliance on Net Security

September 17, 2015

CWE is mentioned in a July 30, 2015 article entitled "Commercial code is more compliant to security standards than open source code" on Net Security. The main topic of the article is the release of Coverity, Inc.'s "Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "This year the report also compared security compliance standards such as OWASP Top 10 and CWE 25, and found that commercial code is more compliant with these standards than open source code."

CWE Mentioned in Press Release about "Coverity Scan Open Source Report 2014"

September 17, 2015

CWE is mentioned in a July 29, 2015 press release by Coverity, Inc. entitled "Coverity Scan Open Source Report Shows Commercial Code Is More Compliant to Security Standards than Open Source Code." The main topic of the press release is the publication of its annual "Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "As detailed in the new Coverity Scan Open Source Report, nearly 152,000 defects were fixed in 2014 alone – more than the total amount of defects that had been found in the previous history of the service. Based on static analysis defect density, open source code outpaced commercial code for quality in the 2013 report. This trend continues in 2014; however, this year the report also compared security compliance standards such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) 25, and found that commercial code is more compliant with these standards than open source code."

CWE Mentioned in Article about Tightening Cyber Security Systems on Information Age

September 17, 2015

CWE is mentioned in a July 29, 2015 article entitled "What the US OPM breach teaches us about tightening our security systems" on Information Age. CWE is mentioned in a section entitled "Securing the network and critical applications," in a list of preventative measures suggested by the author: "And lastly, ensure Web Applications are developed in line with OWASP and SANS /CWE Secure coding guidelines."

CWE Cited as Product Feature in Press Release by Waratek

September 17, 2015

CWE is mentioned in a July 27, 2015 press release by Waratek, Ltd. entitled "CRN Names Waratek Coolest Security Startup of 2015." The main topic of the release is that: 'CRN, the IT channel's leading source for news, has named it a Coolest Security Startup for 2015.
CRN recognized Waratek for its secure container technology, which creates a "bulletproof vest" for applications deployed on-premise or in cloud environments." CWE is mentioned in the press release as follows: "Last month, Waratek announced that it has developed the ability for its RASP product to consume CWE (common weakness enumeration) reports from SAST tools like HP Fortify, Veracode, Checkmarx and others to generate rules that immediately address application security vulnerabilities."
CWE Cited as RASP Product Feature in Press Release by Waratek
September 17, 2015
CWE is mentioned in a June 17, 2015 press release by Waratek, Ltd. entitled "Waratek Integrates Automated Security Vulnerability Remediation with Runtime Application Self-Protection." The main topic of the release is that Waratek added automated security vulnerability remediation to its AppSecurity for Java Runtime Application Self-Protection (RASP) product. CWE is mentioned in the press release as follows: "Waratek has developed the ability to consume CWE (Common Weakness Enumeration) reports from SAST and DAST tools including HP Fortify, Veracode, Checkmarx and others to generate rules that immediately address the top application security flaws identified by SANS and OWASP. This fully automated workflow can immediately protect production applications without any manual intervention or configuration. It can also be integrated into the Software Development Lifecycle."
CWE Cited as Product Feature in Press Release by IAR Systems
September 17, 2015
CWE is mentioned in a June 7, 2015 press release by IAR Systems entitled "IAR Systems extends industry-leading Renesas RX tools with static code analysis." The main topic of the release is that version 2.08 of IAR Embedded Workbench for RX adds "integrated static code analysis through C-STAT, which makes it possible for RX developers to take full control of their code and enables companies to save valuable time and money in their development projects." CWE is mentioned in the press release as follows: "C-STAT is a powerful static analysis tool that checks compliance with rules as defined by the coding standards MISRA C:2004, MISRA C++:2008 and MISRA C:2012, as well as hundreds of rules based on, for example, CWE (the Common Weakness Enumeration) and the CERT C/C++ Secure Coding Standards. Users can easily select which ruleset and which individual rules to check the code against, and the analysis results are provided directly in the IAR Embedded Workbench IDE."
CWE Mentioned in Article about Managing Security Risk on Dark Reading
September 17, 2015
CWE is mentioned in an April 20, 2015 article entitled "DHS: Most Organizations Need Improvement In Managing Security Risk" on Dark Reading. The main topic of the article is that "Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS)." CWE is mentioned in a section entitled "Third-party code and plug-ins are the achilles heel of web applications," in comments by Joe Jarzombek, director for software and supply chain assurance with the DHS, as follows: "SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the "soft underbelly of the enterprise" – application software. People know about cross-scripting and SQL injection attacks, but don't understand it. "Someone on your team should know exactly what [these attacks] do and what they are trying to exploit," Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department." Strictly speaking, CWE enumerates the software weaknesses that such attacks exploit, together with their mitigations; the attack patterns themselves are catalogued separately in CAPEC.
CWE Mentioned in Article about "Software as a Process" on Electronic Specifier
September 17, 2015
CWE is mentioned in a March 27, 2015 article entitled "Software as a process" on Electronic Specifier. The main topic of the article is that "Today's software products are the result of many suppliers, vendors, open source repositories and legacy code coming together in a mix of different processes, standards and cultures. Each input offers a chance to introduce safety, security, or performance-related errors." "Whether it's the shift towards agile, continuous integration, or the adoption of new standards, embracing new ways of developing software hits organisations where it counts: the delivered product." CWE is mentioned when the author states: "One method that is proven to be successful in mitigating security risks is using automated code analysis to look for potential flaws. Capers Jones of Namcook Analytics found that, without tools such as Static Code Analysis (SCA) in particular, developers are less than 50 percent efficient at finding bugs in their own software. SCA is adept at understanding patterns and behaviours in code, across multiple compilation units and developers, to reveal security holes such as buffer overflows, suspicious incoming data and unvalidated inputs. More sophisticated SCA tools can also compare code against common security standards, such as OWASP and CWE, to determine gaps in coverage or generate compliance reports. Rather than convincing teams to spend more effort on security testing, use tools to reduce the effort for you and your suppliers."
CWE Mentioned in Article about Securing Embedded Software on Embedded Computing Design
September 17, 2015
CWE is mentioned in a March 24, 2015 article entitled "5 steps to secure embedded software" on Embedded Computing Design. CWE is first mentioned as follows: "IT standards groups, like the Consortium for IT Software Quality (CISQ), MITRE Common Weakness Enumeration (CWE), and ISO 9000 and ISO 25000, publish guidelines and software quality standards. CISQ has published automated quality measures for security, reliability, performance efficiency, and maintainability. These measures provide some of the specific attributes that should be used as evidence that embedded systems might need to fulfill their business/mission function. While examining the state of embedded systems, it is apparent that security should be engineered in up front." CWE is mentioned again in a section entitled "Follow the standards," as follows: "CISQ has published a security standard that is designed to identify the top 25 known security weaknesses in IT application software as maintained by MITRE in the Common Weakness Enumeration (CWE). The CWEs are a measurable set of items that can be used as evidence for resiliency, security, and safety. Code analyzers such as CAST can pick these out of a complex environment. Developers should stay in constant touch with these important standards."
3 Products from SonarSource Now Registered as Officially
"CWE-Compatible" August 31, 2015 | Share this article Three additional information security product have achieved the final stage of MITRE's formal CWE Compatibility Program and are now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 35 products to-date have been recognized as officially compatible. The following products are now registered as officially "CWE-Compatible": Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services. 2 Products from LDRA Now Registered as Officially
"CWE-Compatible" August 31, 2015 | Share this article
Two additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and are now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 35 products to-date have been recognized as officially compatible. The following products are now registered as officially "CWE-Compatible": Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services. 1 Product from MathWorks Now Registered as Officially "CWE-Compatible" August 31, 2015 | Share this article
One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and are now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 35 products to-date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible": Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services. 1 Product from GTONE Now Registered as Officially "CWE-Compatible" August 31, 2015 | Share this article One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 35 products to-date have been recognized as officially compatible. 
For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services. Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services. ToolsWatch Makes Declaration of CWE Compatibility August 31, 2015 | Share this article
ToolsWatch declared that its API and vulnerability database community, vFeed, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section. AdaCore Makes Declaration of CWE Compatibility August 31, 2015 | Share this article
AdaCore declared that its automated code review and validation tool, CodePeer, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section. |
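Several items on this page (the CISQ security measure, the Coverity Scan comparisons, the Embedded Computing Design article) count a tool's findings against the CWE/SANS Top 25. Tools usually tag findings with more specific CWE IDs than the 25 list entries, so the count only works if each finding is rolled up through CWE's ChildOf relationships to the Top 25 entry above it. The Python below is an added example, not code from MITRE, CISQ, Coverity or any product named on this page. It walks a hand-constructed subset of the CWE Research View (CWE-1000) ChildOf links (a real run would read Related_Weaknesses from the CWE XML) over made-up SAST findings, counts matches per entry of the 2011 Top 25 (the current list in 2015), reports a per-KLOC density, and lists what does not roll up. The finding records, file names and the 25,000-line code size are constructed.

```python
"""Roll CWE-tagged SAST findings up to the 2011 CWE/SANS Top 25.

Added example (not code from MITRE, CISQ, Coverity or any product on this
page). The ChildOf table is a hand-constructed subset of the CWE Research
View (CWE-1000); a real run would load Related_Weaknesses from the CWE XML.
The findings and the code size are made up.
"""
from collections import Counter

# 2011 CWE/SANS Top 25 Most Dangerous Software Errors, by CWE ID.
TOP25_2011 = {
    89, 78, 120, 79, 306, 862, 798, 311, 434, 807, 250, 352, 22,
    494, 863, 829, 732, 676, 327, 131, 307, 601, 134, 190, 759,
}

# Constructed subset of ChildOf relationships: child CWE -> its parent CWEs.
CHILD_OF = {
    564: {89},    # SQL Injection: Hibernate  -> SQL Injection
    89:  {943},   # SQL Injection             -> Improper Neutralization in Data Query Logic
    943: {74},    #                           -> Injection
    80:  {79},    # Basic XSS                 -> Cross-site Scripting
    83:  {79},    # XSS in Attributes         -> Cross-site Scripting
    79:  {74},
    88:  {77},    # Argument Injection        -> Command Injection
    78:  {77},    # OS Command Injection      -> Command Injection (sibling of CWE-88)
    77:  {74},
    23:  {22},    # Relative Path Traversal   -> Path Traversal
    36:  {22},    # Absolute Path Traversal   -> Path Traversal
    22:  {706},
    120: {119},   # Classic Buffer Overflow   -> Improper Restriction within Memory Buffer
    787: {119},   # Out-of-bounds Write       -> same parent as CWE-120, not its child
    259: {798},   # Hard-coded Password       -> Use of Hard-coded Credentials
}


def top25_entry(cwe_id, top25=TOP25_2011, child_of=CHILD_OF):
    """Return the nearest Top 25 entry reachable from cwe_id via ChildOf
    links (the ID itself counts), or None. Breadth-first, so the closest
    ancestor wins; only parents are consulted, never siblings."""
    queue, seen = [cwe_id], set()
    while queue:
        cur = queue.pop(0)
        if cur in seen:
            continue
        seen.add(cur)
        if cur in top25:
            return cur
        queue.extend(sorted(child_of.get(cur, ())))
    return None


def roll_up(findings, top25=TOP25_2011, child_of=CHILD_OF):
    """Count findings per Top 25 entry. Returns (Counter, unmapped list)."""
    counts, unmapped = Counter(), []
    for finding in findings:
        entry = top25_entry(finding["cwe"], top25, child_of)
        if entry is None:
            unmapped.append(finding)
        else:
            counts[entry] += 1
    return counts, unmapped


def per_kloc(counts, lines_of_code):
    """Violations per thousand lines, the density unit the Coverity report quoted above uses."""
    return {cwe: round(n * 1000 / lines_of_code, 3) for cwe, n in counts.items()}


# Constructed SAST output in the usual one-CWE-per-finding shape.
SAMPLE_FINDINGS = [
    {"file": "dao/OrderDao.java", "line": 42, "cwe": 564},  # rolls up to CWE-89
    {"file": "web/Search.java",   "line": 17, "cwe": 80},   # rolls up to CWE-79
    {"file": "web/Search.java",   "line": 63, "cwe": 83},   # rolls up to CWE-79
    {"file": "util/Exec.java",    "line": 9,  "cwe": 88},   # CWE-77 branch, not CWE-78: unmapped
    {"file": "util/Exec.java",    "line": 25, "cwe": 78},   # a Top 25 entry itself
    {"file": "io/Files.java",     "line": 30, "cwe": 23},   # rolls up to CWE-22
    {"file": "native/buf.c",      "line": 88, "cwe": 787},  # sibling of CWE-120: unmapped
    {"file": "cfg/Db.java",       "line": 5,  "cwe": 259},  # rolls up to CWE-798
    {"file": "crypto/Rng.java",   "line": 14, "cwe": 338},  # absent from the table: unmapped
]
SAMPLE_LOC = 25_000  # constructed size of the scanned code base


if __name__ == "__main__":
    counts, unmapped = roll_up(SAMPLE_FINDINGS)
    density = per_kloc(counts, SAMPLE_LOC)
    for cwe, n in sorted(counts.items()):
        print(f"CWE-{cwe}: {n} finding(s), {density[cwe]} per KLOC")
    print("not attributable to a Top 25 entry:", [f["cwe"] for f in unmapped])
```

The unmapped list is the part worth reading: CWE-88 and CWE-787 are real weaknesses that sit next to Top 25 entries in the tree but are not their children, so a compliance figure that only walks upward will not count them, and a figure that silently matches on "looks similar" would overstate coverage. Whether such findings should be folded in is a policy decision the measurement specification has to state explicitly.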