Common Weakness Enumeration

CWE Glossary Definition

Name of Your Organization:

CXSecurity

Web Site:

http://cxsecurity.com

Compatible Capability:

World Laboratory of Bugtraq 2

Capability home page:

http://cxsecurity.com

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Our vulnerability database is accessible to the general public at our web site: http://cxsecurity.com. The WLB2 Database contains CVE and CWE references that are updated every day.

Map Currency Update Approach <CR_6.2>

Indicate how often you plan on updating the mappings to reflect the current CWE content and describe your approach to keeping reasonably current with the CWE content when mapping them to your repository (recommended):

Mappings are updated constantly by obtaining the latest mapping file (NVD) and we monitor changes to CWE on a daily basis.

MAP CURRENCY UPDATE TIME <CR_6.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CWE content (required):

We supply RSS feeds to inform our customers. Our time frame for CWE mapping:
2.00 AM CET
2.00 PM CET
8.00 AM CET

CWE AND COMPATIBILITY DOCUMENTATION <CR_5.1>

Provide a copy, or directions to its location, of where your documentation describes CWE and CWE compatibility for your customers (required):

http://cxsecurity.com/wlb/about

DOCUMENTATION OF FINDING ELEMENTS USING CWE IDENTIFIERS <CR_5.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CWE identifiers to find the individual security elements within your capability's repository (required):

http://cxsecurity.com/wlb/about#cwe
Use the search form: http://cxsecurity.com/cwe/
Or using syntax: http://cxsecurity.com/cwe/CWE-NNNN

DOCUMENTATION OF FINDING CWE IDENTIFIERS USING ELEMENTS <CR_5.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CWE identifiers associated with individual security elements within your capability's repository (required):

http://cxsecurity.com/wlb/about#cwe

DOCUMENTATION INDEXING OF CWE-RELATED MATERIAL <CR_5.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CWE" in your index. Alternately, provide directions to where these "CWE" items are posted on your web site (recommended):

http://cxsecurity.com/wlb/about#cwe
Using CWE Dictionary: http://cxsecurity.com/allcwe/

Type-Specific Capability Questions

FINDING TASKS USING CWE IDENTIFIERS <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CWE identifier (required):

The User can use bellow search form: http://cxsecurity.com/cwe/
Associated vulnerabilities will be presented as the search results.

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

In each WLB2 record
Example: http://cxsecurity.com/issue/WLB2011050133

The user will see:

Topic: Multiple Vendors libc/fnmatch(3) DoS (incl apache poc)
Credit: Maksymilian Arciemowicz
Date: 2011.05.13
CWE: CWE399
(Show similar)
CVE: CVE20110419
Risk: Medium
Local: Yes
Remote: Yes
History: [20110513]
Started
In each CVEMAP record
Example: http://cxsecurity.com/cveshow/CVE20120149/
The user will see:
Type: CWE20
(Improper Input Validation)

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.2.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

Using URL: http://cxsecurity.com/cwe/CWE-[NNN]
Example: http://cxsecurity.com/cwe/CWE-89

GETTING A LIST OF CWE IDENTIFIERS ASSOCIATED WITH TASKS <CR_A.2.6>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that are associated with the tool's tasks (recommended):

Security alerts with CWE related
http://cxsecurity.com/cwelist/

SELECTING TASKS WITH A LIST OF CWE IDENTIFIERS <CR_A.2.7>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CWE identifiers (recommended):

Using URL: http://cxsecurity.com/cwe/CWE-[NNN]

SERVICE COVERAGE DETERMINATION USING CWE IDENTIFIERS <CR_A.3.1>

Users can search the entire vulnerability database for vulnerability records matching a particular CWE Identifiers. (required):

Users can search the entire vulnerability database for vulnerability records matching a particular CWE Identifiers.
http://cxsecurity.com/searchwlb/

FINDING CWE IDENTIFIERS USING ELEMENTS IN REPORTS <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CWE identifier for the individual security elements in the report (required):

The CWE Identifiers of a vulnerability, if available, is displayed in the "Details" tab of the WLB2 Database.

GETTING A LIST OF CLAIMED CWE IDENTIFIER COVERAGE <CR_A.3.3>

Give detailed examples and explanations of how a user can obtain a listing of all of the CWE identifiers that the owner claims the tool is effective at locating in software (required):

Using CWE list: http://cxsecurity.com/allcwe/

ELECTRONIC DOCUMENT FORMAT INFO <B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CWE-related text (required):

Database is provided in HTML on the CXSecurity web site:
http://cxsecurity.com/wlb/

CVEMAP: http://cxsecurity.com/cvemap/

By accessing the search page:

http://cxsecurity.com/searchwlb/
http://cxsecurity.com/cwe/

By RSS: http://cxsecurity.com/wlb/rss/all/

ELECTRONIC DOCUMENT LISTING OF CWE IDENTIFIERS <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CWE identifiers are listed for each individual security element (required):

The associated CWE name is listed prominently in the "Details" tab of a WLB2 Database entry.

ELECTRONIC DOCUMENT ELEMENT TO CWE IDENTIFIER <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CWE identifier(s) (recommended):

http://cxsecurity.com/issue/WLB2011050133
http://cxsecurity.com/issue/WLB2011030139
http://cxsecurity.com/issue/WLB2011070105
http://cxsecurity.com/cveshow/CVE20121067/
http://cxsecurity.com/cveshow/CVE20120145/
http://cxsecurity.com/cveshow/CVE20120761/

FINDING ONLINE CAPABILITY TASKS USING CWE <CR_B.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CWE identifier or through an online mapping that links each element of the capability with its associated CWE identifier(s) (required):

The User can use bellow search form:

http://cxsecurity.com/cwe/
http://cxsecurity.com/searchwlb/

Associated vulnerabilities will be presented as the search results.

ONLINE CAPABILITY INTERFACE TEMPLATE USAGE <CR_B.4.1.1>

http://cxsecurity.com/cwe/[CWE-NNNN]

ONLINE CAPABILITY CGI GET METHOD SUPPORT <CR_B.4.1.1>

Yes

FINDING CWE IDENTIFIERS USING ONLINE CAPABILITY ELEMENTS <CR_B.4.2>

Briefly describe how the associated CWE identifiers are listed for the individual security elements or discuss how the user can use the mapping between CWE identifiers and the capability's elements, also describe the format of the mapping (required):

In each security advisory, there is a ‘Details’ section which will provide a direct mapping to the CWE web site.

Example: http://cxsecurity.com/issue/WLB-2011050133
The user will see:

Date: 2011.05.13
CWE: CWE-399 (Show similar)
CVE: CVE-2011-0419
Example: http://cxsecurity.com/cveshow/CVE-2012-1067/

Type: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

GUI EXPORT ELECTRONIC DOCUMENT FORMAT INFO <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CWE-related data and describe how they can be searched for specific CWE-related text (recommended):

CWE-RELATED: http://cxsecurity.com/cwelist/
CWE-DICTIONARY: http://cxsecurity.com/allcwe/

STATEMENT OF COMPATIBILITY <CR_2.11>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Maksymilian Arciemowicz

Title: Security Officer

STATEMENT OF ACCURACY <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Maksymilian Arciemowicz

Title: Security Officer

STATEMENT ON FALSE-POSITIVES AND FALSE-NEGATIVES <CR_B.2.10> and/or <CR_B.3.7>

FOR TOOLS AND SERVICES ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CWE Compatibility Requirements as well as all of the additional mandatory CWE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Maksymilian Arciemowicz

Title: Security Officer