CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > News > News & Events - 2006 Archive  
ID

News & Events - 2006 Archive
News & Events - 2006 Archive

December 29, 2006
December 29, 2006

CWE Compatibility & Effectiveness Section Added to CWE Web Site

A CWE Compatibility and Effectiveness section has been added to the CWE Web site. CWE Compatibility and Effectiveness provides for a product or service to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective," thereby assisting organizations in their selection and evaluation of tools and/or services for assessing their acquired software for known types of weaknesses and flaws, for learning about the various weaknesses and their possible impact, or to obtain training and education about these issues. The new section includes a description of the program, a list of the specific compatibility requirements, and instructions for how to make a declaration.

December 15, 2006
December 15, 2006

Fifth Draft of CWE Now Available

The fifth draft of CWE has been posted on the CWE List page. This update includes (1) additional descriptions and mitigations for about 40 of the items, (2) minor revisions and updates to approximately 100 items based on the donated information, and (3) revisions to the names and structure of the hierarchical view to reflect the new and revised CWE content. Most of these changes are from the initial insertions of material from three more of the sixteen companies that are contributing to CWE under non-disclosure agreements.

CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

This current step of building CWE involves gathering data about weaknesses from the sixteen tool and knowledge sources that are participating in CWE. Additions and revisions from these contributions are in process and will be added when they are ready in a sixth draft. We welcome any comments about CWE at cwe@mitre.org.

CWE Presents Briefing at DHS/DoD SwA Working Group Meeting Session

CWE Program Manager Robert A. Martin presented a briefing about CWE at the "DHS/DoD SwA Working Group Meeting Session" in Arlington, Virginia, USA on December 11, 2006 that introduced CWE to information security professionals and decision-makers from the DoD and DHS. The CWE Team also helped lead the kick-off of the new Malware Working Group session, which focused on enumerating the attributes of malware so that the different types of malware can be characterized and the attribute-base characterizations can be combined with the emerging legal definitions for the different types of malware.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at OMG Software Assurance Information Day

CWE Program Manager Robert A. Martin presented a briefing about CWE at OMG Software Assurance Information Day in Washington, D.C., USA on December 7, 2006. The briefing introduced CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing to OMG Software Assurance Special Interest Group

CWE Program Manager Robert A. Martin presented a briefing about CWE to the OMG Software Assurance Special Interest Group in Washington, D.C., USA on December 6, 2006. The briefing introduced CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.

Visit the CWE Calendar page for information on this and other upcoming events.

December 5, 2006
December 5, 2006

CWE Presents Briefing to IT Information Sharing and Analysis Center (ISAC) Teleconference

CWE Program Manager Robert A. Martin presented a briefing about CWE and software assurance to the IT Information Sharing and Analysis Center (ISAC) teleconference on December 3, 2006. The briefing introduced CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security and technology service provider industries.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Presents Briefing at DIA Software Assurance Workshop

CWE Program Manager Robert A. Martin presented briefings about CWE entitled "Certifying Applications for Known Security Weaknesses" and "Malicious Code/Malware Attribute Enumeration" at the DoD's "Defense Intelligence Agency (DIA) Software Assurance Workshop" at DIA on Bolling AFB, D.C., USA on December 4, 2006. The workshop was organized for DIA by the DHS Software Assurance program.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Present Briefing to OMG Software Assurance Special Interest Group

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the OMG Software Assurance Special Interest Group in Washington, D.C., USA on December 6, 2006. The briefing will introduce CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Present Briefing at OMG Software Assurance Information Day

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE at OMG Software Assurance Information Day in Washington, D.C., USA on December 7, 2006. The briefing will introduce CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE to Present Briefing at DHS/DoD SwA Working Group Meeting Session

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE, at the "DHS/DoD SwA Working Group Meeting Session" in Arlington, Virginia, USA on December 11, 2006 that will introduce CWE to information security professionals and decision-makers from the DoD and DHS. The CWE Team will also help lead the kick-off of the new Malware Working Group session, which will focus on enumerating the attributes of malware so that the different types of malware can be characterized and the attribute-base characterizations can be combined with the emerging legal definitions for the different types of malware.

'Vulnerability Types Distributions' White Paper Posted on CWE Web Site

A white paper entitled Vulnerability Type Distributions in CVE has been posted on the CWE Documents page. Written by Common Vulnerabilities and Exposures (CVE) Editor Steve Christey, this October 2006 technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.

November 16, 2006
November 16, 2006

CWE Participates on Discussion Panel at ACM Conference on Computer and Communications Security on October 31st

CWE Program Manager Robert A. Martin participated on a discussion panel at the ACM Computer and Communications Security Conference on October 31, 2006 at the Hilton Alexandria Mark Center in Alexandria, Virginia, USA. The conference, which ran October 30th through November 3rd, is "a forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security."

Visit the CWE Calendar page for information on this and other upcoming events.

October 26, 2006
October 26, 2006

Two Organizations Join the CWE Community

Two additional organizations have joined the CWE Community, Security Innovation Inc. and AppSIC, LLC. Members of the CWE Community work together to create specific and succinct definitions for each of the elements in the CWE List. By leveraging the widest possible group of interests and talents we hope to ensure that the CWE elements are adequately described and differentiated.

There are now 39 organizations from around the world participating in the CWE initiative. Visit the CWE Community page for a complete list.

CWE to Participate on Discussion Panel at ACM Conference on Computer and Communications Security on October 31st

CWE Program Manager Robert A. Martin will participate on a discussion panel at the ACM Computer and Communications Security Conference on October 31, 2006 at the Hilton Alexandria Mark Center in Alexandria, Virginia, USA. The conference, which runs October 30th through November 3rd, is "a forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security."

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Hosts Booth at FIAC 2006

MITRE hosted a CWE/CVE/CCE/OVAL/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference exposed CWE, CVE, CCE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CCE, OVAL, CME, and/or other vulnerability management topics at your event.

CWE Presents Briefing at Tactical Information Assurance 2006

CWE Program Manager and CVE Compatibility Lead Robert A. Martin presented a briefing about CWE/CVE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference introduced CWE, CVE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.

Visit the CWE Calendar page for information on this and other upcoming events.

October 4, 2006
October 4, 2006

CWE to Host Booth at FIAC 2006

MITRE is scheduled to host a CWE/CVE/CCE/OVAL/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CWE, CVE, CCE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CCE, OVAL, CME, and/or other vulnerability management topics at your event.

CWE to Present Briefing at Tactical Information Assurance 2006

CWE Program Manager and CVE Compatibility Lead Robert A. Martin is scheduled to present a briefing about CWE/CVE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference will introduce CWE, CVE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.

Visit the CWE Calendar page for information on this and other upcoming events.

CWE Hosts Booth at IT Security World 2006

MITRE hosted a CWE/CVE/CCE/OVAL/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference exposed CWE, CVE, CCE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.

Visit the CWE Calendar page for information on this and other upcoming events.

September 28, 2006
September 28, 2006

Fourth Draft of CWE Now Available

The fourth draft of CWE has been posted on the CWE List page. This update includes (1) additional descriptions and mitigations for about 50 of the items; (2) minor revisions and updates to over 100 items based on the donated information; and (3) revisions to the names and structure of the hierarchical view to reflect the new and revised CWE content. Most of these changes are from the initial insertions of material from three of the fourteen companies that are contributing to CWE under non-disclosure agreements.

CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

This current step of building CWE involves gathering data about weaknesses from the fourteen tool and knowledge sources that are participating in CWE. Additions and revisions from these contributions are in process and will be added when they are ready in a fifth draft in approximately two months. We welcome any comments about CWE at cwe@mitre.org.

CWE to Host Booth at IT Security World 2006

MITRE is scheduled to host a CWE/CVE/CCE/OVAL/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference will expose CWE, CVE, CCE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.

Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CCE, OVAL, CME, and/or other vulnerability management topics at your event.

CWE Presents Briefing at 5th Annual Cyber Security Executive Summit

MITRE presented a briefing about CWE and CVE at the 5th Annual Cyber Security Executive Summit for the financial services sector on September 13-14, 2006 at the Metropolitan Pavilion in New York City, New York, USA. The event introduced CWE and CVE to financial industry executives and security professionals from around the world.

Visit the CWE Calendar page for information on this and other upcoming events.

Common Weakness Enumeration (CWE) Launches New Web Site

The CWE List is now available on this dedicated Common Weakness Enumeration (CWE) Web site. It was formally hosted on the CVE Web site. The new site includes the CWE List; an About section describing the overall CWE effort and process in more detail; News page; Calendar page; Compatibility page; Community Participation page; and a list of Sources. CWE is based in part on the on the 19,000+ Common Vulnerabilities and Exposures (CVE) identifiers on the CVE List.

August 9, 2006
August 9, 2006

CWE Co-Hosts Booth at Black Hat Briefings 2006

MITRE hosted a CWE/CVE/OVAL/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event exposed CWE, CVE, OVAL, and CME to a diverse audience of information security-focused attendees from around the world.

Visit the CWE Calendar page for information on this and other upcoming events.

July 19, 2006
July 19, 2006

Third Draft of Common Weakness Enumeration (CWE) Now Available

The third draft of CWE has been posted on the CWE List page on the CVE Web site. Changes include (1) additional descriptions and mitigations for about 150 of the items; (2) adding language specific indicators for those that are tied to language or platform like C, C++, Java, or .NET; (3) minor revisions and updates to many other items; and (4) addition of a first cut at a CWE_ID field that is meant be a unique non-variant identifier for the CWE content.

CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Our next step in building CWE involves gathering data about weaknesses from fourteen tool and knowledge sources and then merging this new data into the current list to create a fourth draft. We welcome any comments about CWE at cwe@mitre.org.

July 12, 2006
July 12, 2006

CWE Main Topic of Briefing at NIST's Static Analysis Summit

CWE Program Manager Robert A. Martin presented a briefing about the Common Weakness Enumeration (CWE) on June 29, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. National Institute of Standards and Technology's (NIST) "Static Analysis Summit" in Gaithersburg, Maryland, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

May 10, 2006
May 10, 2006

CWE Main Topic of Briefing at DOD System and Software Technology Conference

CWE Program Manager Robert A. Martin presented a briefing about the Common Weakness Enumeration (CWE) on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" in Salt Lake City, Utah, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

May 1, 2006
May 1, 2006

Second Draft of Common Weakness Enumeration (CWE) Now Available

The second draft of CWE has been posted on the CWE List page on the CVE Web site. Changes include (1) cleaning up the names of the current elements, and (2) full expansion of the current elements using additional the content from PLOVER, Seven Pernicious Kingdoms, and CLASP.

CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Our next step in building CWE involves gathering data about weaknesses from ten tool and knowledge sources and then merging this new data into the current list to create a third draft. We welcome any comments about CWE at cwe@mitre.org.

March 15, 2006
March 15, 2006

Initial Draft of "Common Weakness Enumeration (CWE)" Now Available

The first draft of the "Common Weakness Enumeration (CWE)" was posted on the Common Vulnerabilities and Exposures (CVE) Web site on March 15, 2006. CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.

Based in part on the CVE List's 18,000 plus CVE identifiers—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.

Initial information hosted on the CVE Web site included the first draft of the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources. The CWE Web site was launched on September 22, 2006.


More information is available — Please select a different filter.
Page Last Updated: January 12, 2017