
News & Events

May 7, 2008

Security-Database Makes Declaration of CWE Compatibility

Security-Database declared that its Security-Database Web Services will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Scheduled to Present Briefing to Software Quality Group of New England on May 9

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the Software Quality Group of New England (SQNE) on May 9, 2008 in Burlington, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Scheduled to Present CWE and "Making Security Measurable" Briefings at 2008 IEEE Conference on the Technologies for Homeland Security on May 12-13

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE and a briefing about Making Security Measurable to the 2008 IEEE Conference on Technologies for Homeland Security on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Scheduled to Present "Making Security Measurable" Briefing and Conduct a Full-Day Tutorial at AusCERT 2008 on May 18-23

CWE Program Manager Robert A. Martin and CWE Technical Lead Steven M. Christey are scheduled to present a briefing about Making Security Measurable and conduct a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at the Crowne Plaza Royal Pines Resort in Gold Coast, Australia.

Visit the CWE Calendar for information on this and other events.

MITRE Presents CWE Briefing at DHS/DoD Software Assurance Forum on May 6-7

CWE Program Manager Robert A. Martin presented a briefing about CWE at the DHS/DoD SwA Forum on May 6-7, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CWE Presents Briefing/Participates on Discussion Panel at Systems & Software Technology Conference 2008 on April 29-May 2

CWE Program Manager Robert A. Martin presented a briefing about CWE entitled "Creating the Secure Software Testing Target List" and participated on a discussion panel entitled "Practical Application of Software Assurance Assessment" at the 20th annual Systems & Software Technology Conference (SSTC 2008) on April 29 – May 2, 2008 at the Las Vegas Hilton in Las Vegas, NV, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27

CWE Program Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.

Visit the CWE Calendar for information on this and other events.

April 24, 2008

CWE Scheduled to Present Briefing/Participate on Discussion Panel at Systems & Software Technology Conference 2008 on April 29-May 2

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE entitled "Creating the Secure Software Testing Target List" and participate on a discussion panel entitled "Practical Application of Software Assurance Assessment" at the 20th annual Systems & Software Technology Conference (SSTC 2008) on April 29 - May 2, 2008 at the Las Vegas Hilton in Las Vegas, NV, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

CWE Scheduled to Present Briefing to DHS/DoD SwA Forum on May 6-7

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the DHS/DoD SwA Forum on May 6-7, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24

CWE Project Manager/CVE Compatibility Lead Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

April 11, 2008

Ninth Draft of CWE Now Available

The ninth draft of CWE has been posted on the CWE List page. It includes several important changes. A report is available that lists specific differences between Draft 8 and Draft 9.

Specific changes for Draft 9 include: significant schema changes to better distinguish and link between Weaknesses, Categories, Views, Chains, and Composites; 39 new entries, many of which improve the organization of CWE; changes to the names or descriptions of over 200 entries, in order to more accurately reflect each entry; modification of relationships related to classification under a "natural hierarchy" view; addition of a Status field to reflect the maturity of each entry; an updated report on prioritization of fields; the introduction of named chains; and many other changes affecting over 450 entries.

We welcome any comments about CWE at cwe@mitre.org.

MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference exposed the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

March 26, 2008

Checkmarx Ltd. Makes Declaration of CWE Compatibility

Checkmarx Ltd. declared that its assessment and remediation tool, CxSuite, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Core Security Technologies Includes CWE Identifier in Security Advisory

Core Security Technologies included CWE-ID 196 as a reference in a March 25, 2008 vulnerability advisory entitled "SILC pkcs_decode buffer overflow." This is the first time a CWE-ID has been included as a reference in a security advisory.

CWE Compatibility Main Topic of GrammaTech News Release

CWE Compatibility was the main topic of a GrammaTech, Inc. press release entitled "GrammaTech Announces First Fully Compatible Static-Analysis Tool for MITRE's Common Weakness Enumeration Security Standard." The release explains what CWE is and how GrammaTech's CodeSonar product "has now entered CWE's Evaluation Phase, after which CWE compatibility will become official."

The release includes a quote by Paul Anderson, GrammaTech's VP of Engineering, who states: "GrammaTech's CodeSonar is a static analysis tool for identifying programming flaws and security vulnerabilities in code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort and proud to be the first vendor to offer a static-analysis tool that is compatible in all aspects."

The release also includes a quote by CWE Project Manager Robert A. Martin, who states: "Leveraging efforts on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop."

MITRE Scheduled to Host "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference will expose the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

MITRE Scheduled to Present "Making Security Measurable" Briefing at GOVSEC on April 24

CWE Project Manager/CVE Compatibility Lead Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Scheduled to Present "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27

CWE Project Manager/CVE Compatibility Lead Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at SEPG North America 2008 on March 18

CWE Project Manager/CVE Compatibility Lead Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 1, 2008 at the Tampa Convention Center in Tampa, Florida, USA.

Visit the CWE Calendar for information on this and other events.

March 12, 2008

U.S. National Vulnerability Database (NVD) Now Includes CWE Mappings

The U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) now uses CWE mappings to differentiate the CVE Identifiers upon which NVD is built by the type of vulnerabilities they represent.

As detailed on the dedicated "CWE - Common Weakness Enumeration" page on the NVD Web site: "NVD integrates CWE into the scoring of CVE vulnerabilities by providing a cross section of the overall CWE structure. NVD analysts score CVEs using CWEs from different levels of the hierarchical structure. This cross section of CWEs allows analysts to score CVEs at both a fine and coarse granularity, which is necessary due to the varying levels of specificity possessed by different CVEs." Visit NVD to view the CWE subset.

NVD, CVE, and CWE are sponsored by National Cyber Security Division of the U.S. Department of Homeland Security.

MITRE Scheduled to Present "Making Security Measurable" Briefing at SEPG North America 2008 on March 18

CWE Project Manager/CVE Compatibility Lead Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 1, 2008 at the Tampa Convention Center in Tampa, Florida, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

CWE Presents Briefing to Source Boston 2008 on March 12

CWE Program Manager Robert A. Martin presented a briefing about CWE entitled "Having a Defined Target for Software Security Testing" at SOURCE Boston 2008 on March 12, 2008 in Cambridge, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE hosted a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference exposed the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

February 13, 2008

CWE Mentioned in SC Magazine Article about Vulnerability Management

CWE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CWE is mentioned in a section entitled "MITIGATING RISKS: The development phase" when the author states: "Common Weakness Enumeration (CWE) [is] a dictionary of common mistakes made when developing software, such as buffer overflows or cross-site scripting. The initiative, which kicked off about a 1 1/2 years ago and is starting to gain momentum, is a natural offshoot of its eight-year-old Common Vulnerabilities and Exposure project."

The article quotes CWE Technical Lead and CVE List Editor Steve Christey, who states: "We found that many programmers make the exact same kind of mistakes, regardless of what kind of software they're developing. CWE starts to catalog those common mistakes that get made." The article also quotes CWE Program Manager Robert A. Martin, who states: "The hope is that the CWE lexicon can serve as a reference guide for software developers. There are specific things that people can look for."

The article also mentions MITRE's Common Vulnerabilities and Exposure (CVE) List.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference will expose the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

CWE to Present Briefing to SEPG North America 2008 on March 18-20

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE/Making Security Measurable at SEPG North America 2008 on Mar 18-20, 2008 in Tampa, Florida, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

CWE Presents Briefing to DHS/DoD SwA Forum on January 30 - February 2

CWE Program Manager Robert A. Martin presented a briefing about CWE to the DHS/DoD SwA Working Group Meeting Session on January 30 - February 2, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

January 30, 2008

Eighth Draft of CWE Now Available

The eighth draft of CWE has been posted on the CWE List page. It includes several important changes. A report is available that lists specific differences between Draft 7 and Draft 8.

Specific changes for Draft 8 include: modification of the schema and updated documentation; addition of support for related projects including mappings to CAPEC and white box definitions for CWE formalization; new nodes for secure design principles and to fill some gaps with CAPEC; modification of other nodes to concentrate more on the underlying weakness instead of the attack; new relationships defined to support chains and composites that illustrate how weaknesses can be combined to form vulnerabilities; each node has been labeled with the role it plays with respect to others; and, two new reports are available regarding prioritization of elements.

We welcome any comments about CWE at cwe@mitre.org.

MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference exposed the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

January 16, 2008

SkillBridge, LLC Makes Declaration of CWE Compatibility

SkillBridge, LLC declared that its Secure Application Development Training Courses will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

January 3, 2008

MITRE Announces Initial 'Making Security Measurable' and CWE Calendar of Events for 2008

MITRE has announced its initial Making Security Measurable and CWE-specific calendar of events for the first half of 2008. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Making Security Measurable booths and/or briefings:

CWE-specific briefings:

Other events will be added throughout the year. Visit the CWE Calendar for information or contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

Page Last Updated: May 07, 2008