- |
News & Events - 2017 ArchiveRight-click and copy a URL to share an article. Send feedback about this page to [email protected]. CWE Version 3.0 Now Available November 16, 2017 | Share this article CWE Version 3.0 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.11 and Version 3.0. The main changes for CWE 3.0 include: Views:
Entries: CWE 3.0 has three new Weaknesses:
Schema:
Summary: There are now 714 weaknesses and a total of 1023 entries on the CWE List. Changes for the new version includes the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.11_v3.0.html. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected]. IMPORTANT: Release of CWE 3.0 Includes Major Changes to CWE Schema November 8, 2017 | Share this article The release of CWE Version 3.0 includes major changes to the CWE Schema, which was updated from v5.4.4 to v6.0. The main changes for the CWE Schema Version 6.0 include:
See a detailed list of schema changes at https://cwe.mitre.org/data/reports/diff_reports/xsd_v5.4.4_v6.0.html. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected]. CWE Version 2.12 Released November 8, 2017 | Share this article As part of preparation for the release of CWE Version 3.0 (see news article above), CWE Version 2.12 was released to support changes for CWE 3.0. A detailed report is available that lists specific changes between v2.11 and v2.12. The schema was also updated to v5.4.4 to also support changes for CWE Version 3.0. As an added benefit, CWE Version 2.12 also provides CWE Version 3.0 content in the older schema format. 1 Product from Optimyth Software Now Registered as Officially "CWE-Compatible" June 15, 2017 | Share this article One additional cyber security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 48 products to-date have been recognized as officially compatible. The following product is now registered as officially "CWE-Compatible": Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems. For additional information about CWE compatibility and to review all products and services listed, visit CWE Compatibility Program and CWE-Compatible Products and Services. Parasoft Makes 6 Declarations of CWE Compatibility June 15, 2017 | Share this article Parasoft Corporation declared that its static code analysis tools, C/C++test Versions 10.x, C/C++test Versions 9.x, Jtest Versions 10.x, Jtest Versions 9.x, dotTEST Versions 10.x, and dotTEST Versions 9.x, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section. CWE Version 2.11 Now Available May 5, 2017 | Share this article CWE Version 2.11 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.10 and Version 2.11. CWE 2.11 has one new entry and two deprecated entries. In all, 116 entries had important changes, primarily due to continued reorganization of the Development Concepts View (CWE-699), updated CAPEC mappings, and focused improvements on individual entries. The main changes include: (1) relationship changes for 28 entries (mostly in the Development View); (2) updates to 52 entries to align with attack pattern mappings from the recently-released Common Attack Pattern Enumeration and Classification (CAPEC™) Version 2.10; (3) error fixes and improved completeness for many individual entries based on external feedback and internal quality review; and (4) small consistency changes to mitigations for 47 entries. The schema was updated to 5.4.3. There are now 705 weaknesses and a total of 1006 entries on the CWE List. Changes for the new version includes the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.10_v2.11.html. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected]. CWE Privacy Policy Updated May 2, 2017 | Share this article The CWE Privacy Policy was updated to notify users that cookies are now being used on the CWE website for the sole purpose of saving "Presentation Filter" and "Show Details" (previously "Mapping-Friendly") selections so users do not have to continuously update the filter to navigate the CWE List. CWE a Major Focus of DARPA’s New System Security Integrated Through Hardware and Firmware (SSITH) Program April 10, 2017 | Share this article CWE is cited in an April 10, 2017 article on the DARPA website entitled “Baking Hack Resistance Directly into Hardware” as a major focus of DARPA’s new System Security Integrated Through Hardware and Firmware (SSITH) program. As stated on the website, the purpose of the SSITH program is to "develop hardware design tools that provide security against hardware vulnerabilities that are exploited through software in Department of Defense (DoD) and commercial electronic systems. SSITH seeks to leverage current research in hardware design and software security to propel new research in the area of hardware security at the microarchitecture level." CWE is mentioned in the article as follows: "SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration (cwe.mitre.org), a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present to in the integrated microcircuitry of electronic systems around the world. Remove those hardware weaknesses … and you would effectively close down more than 40% of the software doors intruders now have available to them." Read the complete article at http://www.darpa.mil/news-events/2017-04-10. CWE Mentioned in Article about Software Code and Security on Information Age March 31, 2017 | Share this article CWE is mentioned as a main topic in a March 31, 2017 article entitled "Does software quality equal software security? It depends" on Information Age. The main topic of the article is a discussion of software code quality versus software code security. CWE is the focus of a section of the article entitled "CWE," in which the author describes what CWE is and how to use it and other tools to check code for weaknesses. The author also states: "Checking against various CWEs can also be a step toward achieving industry compliance. And CWEs can also be associated with common vulnerabilities and exposures (CVE), another intersection between quality and security." CWE is mentioned again as the author concludes the article: "Producing software free of CWEs or CVEs makes it quality code. However, failure to maintain the code with the latest updates of its individual component and/or using fuzz testing to truly harden the code against future threats is vital. Both are necessary to have secure software applications." Read the complete article at http://www.information-age.com/quality-software-security-123465456/. CWE Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CWE List Page January 19, 2017 | Share this article We have updated the CWE website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu. The main CWE List page has also been streamlined for ease-of-use into four main sections: Navigate CWE – Offers two hierarchical representations, Research Concepts and Development Concepts, to help you navigate all weaknesses according to your specific point of view.
External Mappings – Offers views used to represent mappings to external groupings such as a Top-N list, as well as to express subsets of entries that are related by some external factor.
Helpful Views – Offers additional helpful views based on specific criteria and hopes to provide insight for a certain domain or use case, such as a specific source code language or phase of development.
Release Downloads – Provides an archive of previous release versions of the core content downloads, schemas, schema documentation, and difference reports.
Please send any comments or concerns to [email protected]. |