Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
CWE Mentioned in CISQ Press Release Announcing New Specifications for Measuring Structural Quality of Software
CWE is mentioned in a September 15, 2015 press release by the
Consortium for IT Software Quality (CISQ) entitled "Consortium
for IT Software Quality Announces New Specifications for Measuring Structural
Quality of Software". The main topic of the press release is that CISQ
announced the release of "new measurement specifications based on detecting
weaknesses in the reliability, security, performance efficiency and
maintainability of software applications. These quality measures can be used to
evaluate the risk in software-intensive systems from such sources as
unauthorized penetrations, outages, data corruption, degraded performance, and
CWE is mentioned as follows: "The CISQ measures are developed
from counting violations of good architectural and coding practice that are
severe enough to be prioritized for remediation. For instance, the security
measure is derived from the top 25 violations of good coding practice such as
SQL injections, buffer overflows, and cross-site scripting that allow
unauthorized intrusions and data theft. This list comes from the Common Weakness
Enumeration (CWE) repository which is managed by the MITRE Corporation. The
reliability measure incorporates empty exception blocks, unreleased resources,
circular dependencies, and other violations that cause outages and slow recovery
times. Performance efficiency includes coding weaknesses such as expensive loop
operations, un-indexed data access, and unreleased memory that degrade
response-time and overuse resources. The maintainability measure includes coding
weaknesses such as excessive coupling, dead code, and hard-coded literals that
make maintenance and enhancements overly expensive and defect-prone."
In addition, the release also announced that CISQ will host a webinar on October 15, 2015, presented by Robert A. Martin, CWE Program Manager and co-author of the CISQ security measure to detect cybersecurity issues in software, entitled
"Latest Advances in Cybersecurity and the NEW CISQ Security Standard." The webinar is free and open to the public, but registration is required.
CWE Mentioned in Article about Commercial Versus Open Source Code Compliance on Security Week
CWE is mentioned in a July 30, 2015 article entitled "Commercial code is more compliant to security standards than open source code" on Security Week. The main topic of the article is the release of Coverity, Inc.'s
"Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "Based
on the analysis of more than 10 billion lines of code from thousands of open
source and commercial products, experts have determined that while open source
projects are doing a better job at addressing quality and security issues,
enterprises take the lead when it comes to complying with security standards
such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common
Weakness Enumeration) 25."
CWE Mentioned in Article about Commercial Versus Open Source Code Compliance on Net Security
CWE is mentioned in a July 30, 2015 article entitled "Commercial code is more compliant to security standards than open source code" on Net Security. The main topic of the article is the release of Coverity, Inc.'s
"Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "This
year the report also compared security compliance standards such as OWASP Top 10
and CWE 25, and found that commercial code is more compliant with these
standards than open source code."
CWE Mentioned in Press Release about "Coverity Scan Open Source Report 2014"
CWE is mentioned in a July 29, 2015 press release by Coverity,
Inc. entitled "Coverity Scan Open Source Report Shows Commercial Code Is More
Compliant to Security Standards than Open Source Code." The main topic of the
press release is the publication of its annual "Coverity Scan Open Source Report
CWE is mentioned as follows: "As detailed in the new Coverity
Scan Open Source Report, nearly 152,000 defects were fixed in 2014 alone – more
than the total amount of defects that had been found in the previous history of
the service. Based on static analysis defect density, open source code outpaced
commercial code for quality in the 2013 report. This trend continues in 2014;
however, this year the report also compared security compliance standards such
as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness
Enumeration) 25, and found that commercial code is more compliant with these
standards than open source code."
CWE Mentioned in Article about Tightening Cyber Security Systems on Information Age
CWE is mentioned in a July 29, 2015 article entitled "What the US OPM breach teaches us about tightening our security systems" on Information Age. CWE is mentioned in a section entitled
"Securing the network and critical applications" in a list of preventative
measures suggested by the author: "And lastly, ensure Web Applications are
developed in line with OWASP and SANS/CWE Secure coding guidelines."
CWE Cited as Product Feature in Press Release by Waratek
CWE is mentioned in a July 27, 2015 press release by Waratek, Ltd. entitled
"CRN Names Waratek Coolest Security Startup of 2015." The main topic of the release is that:
'CRN, the IT channel's leading source for news, has named it a Coolest Security Startup for 2015. CRN recognized Waratek for its secure container technology, which creates a
"bulletproof vest" for applications deployed on-premise or in cloud
CWE is mentioned in the press release as follows: "Last month, Waratek announced that it has developed the ability for its RASP product to consume CWE (common weakness enumeration) reports from SAST tools like HP Fortify, Veracode, Checkmarx
and others to generate rules that immediately address application security
CWE Cited as RASP Product Feature in Press Release by Waratek
CWE is mentioned in a June 17, 2015 press release by Waratek,
Ltd. entitled "Waratek Integrates Automated Security Vulnerability Remediation with Runtime Application Self-Protection." The main topic of the release is that Waratek added automated security vulnerability remediation to its AppSecurity for Java Runtime Application Self-Protection (RASP) product.
CWE is mentioned in the press release as follows: "Waratek has developed the ability to consume CWE (Common Weakness Enumeration) reports from SAST and DAST tools including HP Fortify, Veracode, Checkmarx
and others to generate rules that immediately address the top application
security flaws identified by SANS and OWASP. This fully automated workflow can
immediately protect production applications without any manual intervention or
configuration. It can also be integrated into the Software Development
CWE Cited as Product Feature in Press Release by IAR Systems
CWE is mentioned in a June 7, 2015 press release by IAR Systems entitled
"IAR Systems extends industry-leading Renesas RX tools with static code analysis."
The main topic of the release is that version 2.08 of IAR Embedded Workbench for
RX adds "integrated static code analysis through C-STAT, which makes it possible
for RX developers to take full control of their code and enables companies to
save valuable time and money in their development projects."
CWE is mentioned in the press release as follows: "C-STAT is a powerful static analysis tool that checks compliance with rules as defined by the coding standards MISRA C:2004, MISRA C++:2008 and MISRA C:2012, as well as hundreds of rules based on, for example, CWE (the Common Weakness Enumeration) and the CERT C/C++ Secure Coding Standards. Users can easily select which ruleset
and which individual rules to check the code against, and the analysis results
are provided directly in the IAR Embedded Workbench IDE."
CWE Mentioned in Article about Managing Security Risk on Dark Reading
CWE is mentioned in an April 20, 2015 article entitled "DHS: Most Organizations Need Improvement In Managing Security Risk"
on Dark Reading. The main topic of the article is that "Government agencies and
organizations in the private sector must place more emphasis on software
analysis, testing and life-cycle support to mitigate threats exploiting known
vulnerabilities and new avenues opened up by the use of open source and re-used
software components, according to the Department of Homeland Security (DHS)."
CWE is mentioned in a section entitled "Third-party code and plug-ins are the Achilles heel of web applications," in comments by Joe Jarzombek, director for software and supply chain assurance with the DHS, as follows:
"SQL Injection and Cross-Scripting constitute the more frequent and dangerous
vector of attacks. IT managers are deploying firewalls, intrusion prevention
systems and demilitarized zones, but still wonder why their systems are
compromised. They are being exploited at the "soft underbelly of the enterprise"
– application software. People know about cross-scripting and SQL injection
attacks, but don't understand it. "Someone on your team should know exactly what
[these attacks] do and what they are trying to exploit," Jarzombek said.
These attacks and their exploits are known as common weakness enumeration (CWE).
The attacks and how to defend against them can be found in a
free online community dictionary hosted by Mitre Corp.
and sponsored by the Homeland Security Department."
CWE Mentioned in Article about "Software as a Process" on Electronic Specifier
CWE is mentioned in a March 27, 2015 article entitled "Software as a process" on Electronic Specifier. The main topic of the article is that
"Today's software products are the result of many suppliers, vendors, open
source repositories and legacy code coming together in a mix of different
processes, standards and cultures. Each input offers a chance to introduce
safety, security, or performance-related errors." The author adds: "Whether it's the shift towards agile, continuous integration, or the adoption of new standards, embracing new ways of developing software hits organisations
where it counts: the delivered product."
CWE is mentioned when the author states: "One method that is proven to be successful in mitigating security risks is using automated code analysis to look for potential flaws. Capers Jones of Namcook Analytics found that, without tools such as Static Code Analysis (SCA) in particular, developers are less than 50 percent efficient at finding bugs in their own software. SCA is adept at understanding patterns and behaviours in code, across multiple compilation units and developers, to reveal security holes such as buffer overflows, suspicious incoming data and unvalidated
inputs. More sophisticated SCA tools can also compare code against common
security standards, such as OWASP and CWE, to determine gaps in coverage or
generate compliance reports. Rather than convincing teams to spend more effort
on security testing, use tools to reduce the effort for you and your suppliers."
CWE Mentioned in Article about Securing Embedded Software on Embedded Computing Design
CWE is mentioned in a March 24, 2015 article entitled "5 steps to secure embedded software" on Embedded Computing Design.
CWE is first mentioned as follows: "IT standards groups, like
the Consortium for IT Software
Quality (CISQ), MITRE Common Weakness Enumeration
(CWE), and ISO 25000, publish guidelines and software quality standards. CISQ has
published automated quality measures for security, reliability, performance
efficiency, and maintainability. These measures provide some of the specific
attributes that should be used as evidence that embedded systems might need to
fulfill their business/mission function. While examining the state of embedded
systems, it is apparent that security should be engineered in up front."
CWE is mentioned again in a section entitled "Follow the standards," as follows:
"CISQ has published a security standard that is designed to identify the top 25
known security weaknesses in IT application software as maintained by MITRE in
the Common Weakness Enumeration (CWE). The CWEs are a measurable
set of items that can be used as evidence for resiliency, security, and safety.
Code analyzers such as CAST can pick these out of a complex environment. Developers should stay in
constant touch with these important standards."