CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types


News & Events

April 10, 2014

Software Assurance Roadmap Briefing at IEEE Chapter Meeting on April 22

CWE/CAPEC Program Manager Robert A. Martin will present a briefing that discusses Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) entitled "Building a Software Assurance Road-map and Using It Effectively," at the IEEE Computer Society Northern VA Computer Chapter & ASQ 509 Software SIG Meeting in McLean, Virginia, USA on April 22, 2014.

Visit the CWE Calendar for information on this and other events.

"Advances in Information Assurance Standards" Briefing at CISQ Seminar–Software Quality in Federal Acquisitions

CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance Emile Monette, and Computer Scientist at the U.S. National Institute of Standards and Technology Dr. Paul Black, co-presented a briefing entitled "Advances in Information Assurance Standards," at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA on March 26, 2014.

The briefing, which included discussion of Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™), described the "national efforts to identify and eliminate the causes of security breaches through the development of the Common Weakness Enumeration repository … best practices for using information in the repository for improving the security of software … how to measure the security of software and how this is done using the CISQ measure for security."

The slides from this briefing are available at http://it-cisq.org/wp-content/uploads/2014/04/CISQ-Seminar-2014_03_26-Advances-in-Information-Assurance-Standards.pdf.

Visit the CWE Calendar for information on this and other events.

MITRE Hosts Software and Supply Chain Assurance Spring Forum 2014

MITRE hosted the Software and Supply Chain Assurance (SSCA) Spring Forum 2014 March 18-20, 2014 at MITRE Corporation in McLean, Virginia, USA. The theme for this event was "mitigating hardware and software risks in the supply chain."

Visit the CWE Calendar for information on this and other events.

March 14, 2014

OWASP Makes Declaration of CWE Compatibility

Open Web Application Security Project (OWASP) declared that its assessment and remediation tool, Zed Attack Proxy, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

MITRE to Host Software and Supply Chain Assurance Spring Forum 2014, March 18-20

MITRE will host the Software and Supply Chain Assurance (SSCA) Spring Forum 2014 March 18-20, 2014 at MITRE Corporation in McLean, Virginia, USA. The theme for this event is "mitigating hardware and software risks in the supply chain."

See the event agenda, and/or event registration page, for additional information.

Visit the CAPEC Calendar for information on this and other events.

Information Assurance Standards Briefing at CISQ Seminar–Software Quality in Federal Acquisitions on March 26

CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance Emile Monette, and Computer Scientist at the U.S. National Institute of Standards and Technology Dr. Paul Black, will co-present a briefing entitled "Advances in Information Assurance Standards," at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA on March 26, 2014.

The briefing, which will include discussion of Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™), will describe the "national efforts to identify and eliminate the causes of security breaches through the development of the Common Weakness Enumeration repository … best practices for using information in the repository for improving the security of software … how to measure the security of software and how this is done using the CISQ measure for security."

Visit the CWE Calendar for information on this and other events.

Security Assurance Discussion Panel at RSA 2014

CWE/CAPEC Program Manager Robert A. Martin participated on a discussion panel entitled "Measurement as a Key to Confidence: Providing Assurance" on February 27, 2014 at RSA Conference 2014 in San Francisco, California, USA.

Visit the CWE Calendar for information on this and other events.

February 19, 2014

CWE Version 2.6 Now Available

CWE Version 2.6 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.5 and Version 2.6.

There are 3 new entries, mostly related to communication channels. In all, 73 entries were modified. The main changes include: (1) name and description changes for 4 and 8 entries respectively, mostly related to mobile applications; (2) relationship changes for 14 entries, primarily reflecting re-organization of the research view to better handle mobile and communication-channel weaknesses; (3) potential mitigation updates in 22 entries; (4) related attack patterns (CAPEC) updates in 22 entries; (5) new demonstrative examples in 22 entries, primarily for mobile applications; and (6) updates in 18 entries for references.

The CWE Schema was updated to version 5.4 to support another programming language for demonstrative examples.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

"CWE Mapping and Navigation Guidance" Now Available

A CWE Mapping and Navigation Guidance page has been added to the CWE Web site. The new page provides information for mapping to CWE-IDs as well as tips for searching and navigating CWE content on the CWE Web site, including the following: "Mapping to CWE IDs - Criteria for the Best Match," "Using the Web Site to Map to a CWE-ID," and "Additional Suggestions for Search and Navigation."

SwA On-Ramp Collection Updated with Detection vs. Impact Information

The Getting Started in Software Assurance (SwA) collection on the CWE Web site, also known as the "SwA On-Ramp" collection, has been updated with a new page and enhanced detection method versus technical impact guidance information.

This collection includes an overview of software assurance and then outlines the several steps/phases of gaining assurance about software's resilience, reliability, and robustness, with links to further information about each of these steps.

The collection includes updates to the following regarding detection versus impact:

Engineering for Attack - discusses the need to consider the attacks that your applications may face as you start your concept definition, design, and architecture efforts, as well as your coding and deployment efforts.

Software Quality - about how paying attention to quality can help with the security, reliability, and robustness of your software.

Prioritizing Weaknesses Based Upon Your Organization's Mission - this updated page includes a discussion of the Top 25 effort, CWSS, and CWRAF, and a new discussion of a Technical Impact and Detection Method approach.

Detection Methods - this new page explains how the different types of weaknesses can be found by different types of detection approaches, and how a project team should use that knowledge to plan which weaknesses they address at the various stages of a development effort.

Manageable Steps - summarizes the above and reinforces the need to plan and manage the software assurance effort in accomplishable steps.

Feedback on this collection is welcome at cwe@mitre.org.

Security Assurance Discussion Panel at RSA 2014 on February 27

CWE/CAPEC Program Manager Robert A. Martin will participate on a discussion panel entitled "Measurement as a Key to Confidence: Providing Assurance" on February 27, 2014 at RSA Conference 2014 in San Francisco, California, USA.

The discussion topic summary for this panel is as follows: "Providing security assurance relies on programs, schemes and assessors specifying and performing appropriate measurements. These may include sampling strategies, specification of appropriate boundaries and the rigor of assessment. Confidence in the security assurance claims depends on the conformity of assessments and appropriate measurement of the specification of the assurance requirements."

Visit the CWE Calendar for information on this and other events.

January 17, 2014

The MathWorks, Inc. Makes Declaration of CWE Compatibility

The MathWorks, Inc. declared that its static analysis tool and coding rules checker, Polyspace Bug Finder, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Mentioned in "DARPA Cyber Grand Challenge (CGC)"

CWE was mentioned in the U.S. Defense Advanced Research Projects Agency (DARPA) "Cyber Grand Challenge" announcement on December 24, 2013 in a frequently asked questions document. "The DARPA Cyber Grand Challenge (CGC) is a tournament for fully automated network defense. Similar to computer security competitions currently played by expert software analysts, the CGC intends to allow groundbreaking prototype systems to compete for the first time in a "league of their own." During the competition, automatic systems would reason about software flaws, formulate patches and deploy them on a network in real time."

CWE is mentioned in the answers to two DARPA Cyber Grand Challenge (CGC) FAQs, as follows: "Q9: What constitutes a software flaw in Cyber Grand Challenge? A9: DARPA CGC will not provide a formal definition of a software flaw; this question lies outside the scope of the challenge. The CGC will operate in the tradition of existing cyber competitions: a flaw is proven when an input delivered from the network to a flawed software program (CB) creates an effect detectable by instrumentation operated by the competition framework. CGC Challenge Binaries will contain memory corruption flaws representative of flaws categorized by the MITRE CWE (cwe.mitre.org), however, Competitor Systems may prove any software flaw they discover through automated reasoning. A list of representative CWE categories will be released prior to the kickoff of Cyber Grand Challenge." And "Q10: What type of security vulnerabilities will CGC address? A10: CGC Challenge Binaries shall contain traditional memory corruption flaws. A subset of relevant flaw types drawn from the MITRE Common Weakness Enumeration entries as found on http://cwe.mitre.org/ follows; teams are encouraged to make use of this list as a starting point, not a reference." Answer A10 also lists 39 individual CWE entries by CWE-ID, for example "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')".

See https://dtsn.darpa.mil/CyberGrandChallenge/default.aspx for additional information.

MITRE Hosts DHS/DoD Software and Supply Chain Assurance Working Group Meeting

MITRE hosted the DHS/DoD Software and Supply Chain Assurance Working Group Meeting on December 17-19, 2013 at MITRE Corporation in McLean, Virginia, USA. Discussion topics included the Software and Supply Chain Assurance (SSCA) Way Ahead, Cyber Executive Order and Framework/Emerging Industry Standards and Best Practices, Tools and Technology State-of-the-Art Report (SOAR), Supply Chain Risk Management (SCRM) Taxonomies for Information Sharing, Education and Training, SSCA Mobile, DHS Research and Development Software Assurance Marketplace (SWAMP), and a SCRM Working Group Workshop.

Visit the CWE Calendar for information on this and other events.

Page Last Updated: April 10, 2014