Industry News Coverage - 2011 Archive
Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
eWeek, December 22, 2011
The CWE/SANS Top 25 Most Dangerous Software Errors list was mentioned in a December 22, 2011 article entitled "Top 25 Flaws Developers Blindly Build Into Applications" on eWeek.com. The article describes how many of the high-profile security breaches in 2011 "took advantage of common, well-known software flaws in applications, such as SQL injection, cross-site scripting and buffer overflows" and states that the "development lifecycle needs to start focusing on avoiding security flaws from the beginning".
The Top 25 is mentioned as follows: "Earlier this year, the SANS Institute, in conjunction with the nonprofit technology research corporation MITRE and the Department of Homeland Security, released the annual Common Weakness Evaluation/SANS Top 25 Most Dangerous Software Errors. The top issues were exploited by groups such as LulzSec and Anonymous in their attacks against Sony Pictures, PBS.org and HB Gary Federal in 2011. And a Citigroup breach, which exposed credit card information for more than 300,000 account holders, relied on the "missing authorization" flaw, which meant the site did not check whether the user was allowed to perform a particular action. All of these software flaws are easy for attackers to find using basic scanning tools." The article then goes on to give brief summaries of the weaknesses listed on the 2011 Top 25.
The article was written by Fahmida Y. Rashid.
SDTimes.com, October 14, 2011
The CWE/SANS Top 25 was mentioned in an October 14, 2011 article entitled "How can you stay one step ahead in security for the cloud?" on SDTimes.com. The Top 25 was mentioned in a quote by Gwyn Fisher, CTO of Klocwork, Inc., regarding the "fact that many programmers are still making the same easily avoided mistakes."
Fisher states: "It's the same set that forms the core of the CWE Top 25, the same set that any two-minute Google search will give you more information on than you could possibly imagine. So is there a light at the end of this particularly repetitive tunnel? I'm much more a fan of removing weakness than managing exploits, as I firmly take the stance that the investment leverage gained from weakness-removal so vastly outweighs any time/effort/money put into exploits as to make the latter laughable. As a counterpoint, however, and as was widely published in a study performed by one of our competitors several years back, the average developer pays way more attention to a report of an identified exploit than they ever do to a report of a weakness, however well-described in their code."
Klocwork, Inc. is a member of the CWE Community and a participant in the CWE Compatibility and Effectiveness Program. The article also included quotes from other CWE Community and CWE Compatibility Program participants.
U.S. Department of Energy Web site, September 2011
CWE was used in a September 2011 report from the U.S. Department of Energy entitled Vulnerability Analysis of Energy Delivery Control Systems that "describes the common vulnerabilities on energy sector control systems, and provides recommendations for vendors and owners of those systems to identify and reduce those risks." The report findings were "mapped to software weakness types defined by the Common Weakness Enumeration (CWE) to the extent possible … so that Supervisory Control and Data Acquisition (SCADA) vendors and owners can refer to the CWE for additional guidance in identifying, mitigating, and preventing weaknesses that cause vulnerabilities." The Common Vulnerability Scoring System (CVSS) was also used to prioritize the vulnerabilities according to the relative risk they pose to the SCADA system.
The report is available for free download at http://energy.gov/sites/prod/files/Vulnerability Analysis of Energy Delivery Control Systems 2011.pdf.
Virtualization Practice, August 15, 2011
CWE was the main focus of a Virtualization Security podcast entitled "MITRE – Two New Tools to Help with PaaS and Risk Assessment" on the Virtualization Practice Web site on August 15, 2011. The podcast was an interview with CWE/CAPEC Program Manager Robert A. Martin about how CWE, CWSS, and CWRAF could "be used by those that program within a PaaS environment, make use of SaaS, or other cloud services."
COTS Journal, July 2011
CWE is the main topic of an article entitled "CWE Initiative Helps Secure Code Development Efforts" in the July 2011 issue of COTS Journal: The Military Journal of Electronics & Computing. The article explains what CWE is, how it works, its relationship to Common Vulnerabilities and Exposures (CVE), and the benefits of secure coding.
The author states: "As the implementation of standards like CWE becomes more widespread, a tool vendor’s experience and reputation in security- and safety-critical expertise will be invaluable. Use of qualified and well-integrated tools ensures that the developers can automate the process more easily and efficiently. Creating a secure development community using standards, technologies and a well-integrated development environment promotes a continuous process of improvement. And, a focus on secure development lifecycle principles and practices will result in the ongoing production of software systems that are more dependable, trustworthy and extensible."
2011 CWE/SANS Top 25 Most Dangerous Software Errors List Receives Extensive News Coverage
CWE and the SANS Institute posted the completed 2011 CWE/SANS Top 25 Most Dangerous Software Errors list on the CWE and SANS Web sites on June 27, 2011. A collaboration between the SANS Institute, MITRE, and over top software security experts in the U.S. and Europe, the list provides detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.
The release received extensive news media coverage:
- US to Provide Guidelines to Bolster Computer Security, New York Times, June 26, 2011
- Bug-Squashing Tools Offered to Improve Network Security, MIT Technology Review, June 27, 2011
- New U.S. software guidelines aim to thwart hackers, Reuters, June 27, 2011
- New U.S. software guidelines aim to thwart hackers, UK Reuters, June 27, 2011
- DHS unveils new programs for software security, SC Magazine, June 27, 2011
- SQL injection most dangerous threat, according to CWE/SANS list of top software flaws, Infosecurity, June 27, 2011
- US Guidelines Aim to Bolster Software Security (updated), New York Times, June 27, 2011
- Software scores can help secure the Web, InfoWorld, June 27, 2011
- SQL Injection Deemed No. 1 Software Flaw, Government Computer News, June 27, 2011
- DHS rolls out plan to help protect small business' websites from hackers, Yahoo News Canada, June 27, 2011
- US rolls out plan to protect business websites, CNBC, June 27, 2011
- Feds Identify Top 25 Software Vulnerabilities, InformationWeek, June 27, 2011
- New US software guidelines aim to thwart hackers, Economic Times, June 27, 2011
- DHS releases software security scoring system, Computerworld, June 27, 2011
- High profile hacks targeted common software bugs, Afterdawn.com, June 27, 2011
- SQL Injection Deemed No. 1 Software Flaw, GovInfoSecurity.com, June 27, 2011
- US rolls out plan to protect business websites, Seattle Post Intelligencer, June 27, 2011
- US rolls out plan to protect business websites, TheNewsTribune.com, June 27, 2011
- US rolls out plan to protect business websites, Macon Telegraph, June 27, 2011
- US offers anti-hacking guidelines, Boston Globe, June 27, 2011
- DHS develops new tools against common cyber threats, Federal News Radio, June 28, 2011
- A New Tool for Website Protection, Wall Street Journal, June 28, 2011
- U.S. Guidelines Aim to Bolster Software Security (updated), New York Times, June 28, 2011
- Department of Homeland Security wants to help you protect your website, NPR Marketplace, June 28, 2011
- Cybersecurity experts warn of common software error, Washington Times, June 28, 2011
- Businesses to get help securing websites, myATLtv.com, June 28, 2011
- Report: Top 25 Coding Mistakes, Application Development Times, June 28, 2011
- DHS Crafts Plans to Protect Small Businesses from Hackers, The New New Internet, June 28, 2011
- LulzSec, Anonymous Hacks Were Avoidable, Report Says, PCWorld, June 28, 2011
- DHS Unveils Security Scoring System for Software Flaws, Attack Vectors, eWeek, June 28, 2011
- US rolls out plan to protect business websites, BusinessWeek, June 28, 2011
- Most hack attacks easy to repeal, says study, Financial Times, June 28, 2011
- Federal Government, Partners Educate Small Organizations on Website Security, TMC Net, June 28, 2011
- US Works To Protect Businesses From Attack, RedOrbit, June 28, 2011
- The 25 most dangerous programming errors, GCN.com, June 28, 2011
- US experts publish top 25 computer security vulnerabilities, V3.co.uk, June 28, 2011
- US spins out cyber-security plans to protect small businesses, International Business Times, June 28, 2011
- US Homeland Security Helps Programmers Close Security Holes, ITProPortal, June 28, 2011
- Most hacking attacks easily avoidable, says government report, TG Daily, June 28, 2011
- New US software guidelines aim to thwart hackers, Vancouver Sun, June 28, 2011
- Report: Top 25 Coding Mistakes, ADT Magazine, June 28, 2011
- Hackers Exploited Common Software Errors, TheStreet.com, June 28, 2011
- Security – Top Priority in 2011, Yahoo Finance, June 29, 2011
- Department of Homeland Security lays down security suggestions, SDTimes.com, June 29, 2011
- Homeland Security Targets Hacking, ABQ Journal, June 29, 2011
- US unveils guidelines for software security, Bend Bulletin, June 29, 2011
- SQL Injection Most Dangerous Software Error, eSecurity Planet, June 29, 2011
- Top 25 dangerous software errors are revealed, Inquirer, June 30, 2011
- Top 25 Most Dangerous Software Errors, LWN.net, June 30, 2011
- Recent high-profile hackings were preventable, says CWE/SANS list of ..., FierceCIO, June 30, 2011
- Developer error: The most dangerous programming mistakes, InfoWorld, June 30, 2011
- DHS, MITRE Name SQL Injection Flaws As Most Dangerous Software Error: Top 25 list also cites OS command errors, buffer overflow vulns at top of list, Dark Reading, June 29, 2011
- PenTestIT Post Of The Day: CWE/SANS Top 25 Most Dangerous Software Errors, PenTestIT, June 30, 2011
- Top 25 most dangerous mistakes in software development, The H Security, June 30, 2011
- CWE/SANS Top 25 Most Dangerous Software Errors Released, IT Toolbox, July 1, 2011
- The Most Dangerous Programming Mistakes, Slashdot, July 1, 2011
SANS Web Site, June 1, 2011
CWE was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology. The document provides cybersecurity status reporting metrics for government agencies under the Federal Information Security Management Act (FISMA) that focus on the ability to automate system monitoring and security controls.
CWE is included as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."
DHS Web Site, March 2011
CWE was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats—creating and exchanging trusted information and coordinating courses of action in near real time."
The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and describes it as comprising (1) Enumerations "of the fundamental entities of cybersecurity", listing CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports", listing OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.
The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.
The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.