Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
DARPA Web Site, December 24, 2013
CWE was mentioned in a frequently asked questions (FAQ) document published with the U.S. Defense Advanced Research Projects Agency (DARPA) "Cyber Grand Challenge" announcement on December 24, 2013. "The DARPA Cyber Grand Challenge (CGC) is a tournament for fully automated network defense. Similar to computer security competitions currently played by expert software analysts, the CGC intends to allow groundbreaking prototype systems to compete for the first time in a 'league of their own.' During the competition, automatic systems would reason about software flaws, formulate patches and deploy them on a network in real time."
CWE is mentioned in the answers to two DARPA Cyber Grand Challenge (CGC) FAQs, as follows: "Q9: What constitutes a software flaw in Cyber Grand Challenge? A9: DARPA CGC will not provide a formal definition of a software flaw; this question lies outside the scope of the challenge. The CGC will operate in the tradition of existing cyber competitions: a flaw is proven when an input delivered from the network to a flawed software program (CB) creates an effect detectable by instrumentation operated by the competition framework. CGC Challenge Binaries will contain memory corruption flaws representative of flaws categorized by the MITRE CWE (cwe.mitre.org), however, Competitor Systems may prove any software flaw they discover through automated reasoning. A list of representative CWE categories will be released prior to the kickoff of Cyber Grand Challenge." And "Q10: What type of security vulnerabilities will CGC address? A10: CGC Challenge Binaries shall contain traditional memory corruption flaws. A subset of relevant flaw types drawn from the MITRE Common Weakness Enumeration entries as found on http://cwe.mitre.org/ follows; teams are encouraged to make use of this list as a starting point, not a reference." The answer to Q10 also lists 39 individual CWE entries by CWE-ID, for example "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')".
See https://dtsn.darpa.mil/CyberGrandChallenge/default.aspx for additional information.
High-Tech Bridge Web Site, July 2, 2013
CWE and Common Vulnerabilities and Exposures (CVE®) were the main topics of a July 2, 2013 press release by High-Tech Bridge SA entitled "ImmuniWeb Web Security Assessment SaaS is certified CVE and CWE Compatible" about their ImmuniWeb product achieving both Official CWE-Compatible status and Official CVE-Compatible status.
The release also includes a quote by CWE Program Manager Robert A. Martin, who states: "We are always excited about having the CVE and CWE efforts adopted and used within commercial offerings but it is especially gratifying when it is by companies in other countries and markets, like High-Tech Bridge. Leveraging CVE and CWE in ImmuniWeb clearly makes business sense and it is directly helping their customers improve the speed and directness as they address vulnerabilities and weaknesses that are putting their organizations at risk."
High-Tech Bridge's CWE Compatibility Questionnaire for ImmuniWeb is available as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site.
NetworkWorld.com, June 14, 2013
CWE and Common Vulnerabilities and Exposures (CVE®) were mentioned in a June 14, 2013 article entitled "Breaking down the OWASP Top 10 security flaws for 2013: What's changed from OWASP's 2010 list and why" on NetworkWorld.com's "Security Blanket" blog.
CWE and CVE were mentioned in a section about why web application denial-of-service (DoS) attacks were not included on the OWASP list, in quotes by CWE/CVE Technical Lead Steve Christey, as follows: "Regarding application DoS – I don't know if we should be so dismissive of it. The (negative) commentary I've seen on application DoS is concentrating on network-based attacks. (However,) there are other resource-consumption vulnerabilities that are gaining popularity in CVE, such as unrestricted XML entity expansion, a.k.a. 'billion laughs' (CWE-776) (that causes a DoS due to) memory consumption. Another example is algorithmic complexity involving hash collisions that slow down hash-table lookups, which was all the rage about a year ago, (that causes a DoS due to) CPU consumption. More recently, Ruby and/or Ruby-based applications have been getting hit with a number of other resource-consumption issues, such as a memory DoS by forcing the creation of a large number of symbols."
Christey continued, "While I don't know how often these are exploited, and they may be difficult to detect, or how often they'll be exploited in the future, these kinds of application DoS issues are becoming popular. As code-execution vulnerabilities get harder to find, I suspect we will see more of these. This might not be enough to merit inclusion in the OWASP Top Ten, but is definitely something to watch out for."
The article was written by Jonathan Lampe.
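The "billion laughs" case Christey cites (CWE-776, unrestricted XML entity expansion) can be reproduced safely at small scale. The following is an added example, not code from the NetworkWorld article, from Steve Christey, or from the CWE project: it uses only Python's standard-library expat bindings, builds a constructed three-level entity payload, measures how much character data a default parser expands it into, and shows the mitigation of refusing entity declarations before any reference is expanded (the approach taken by libraries such as defusedxml). The function names build_entity_bomb, expanded_text_length, parse_rejecting_entities and is_rejected are this example's own.

```python
import xml.parsers.expat


class EntityDeclarationRejected(ValueError):
    """Raised when a document tries to declare an entity in its DTD."""


def build_entity_bomb(depth: int, fanout: int) -> bytes:
    """Construct a CWE-776 payload: entity lolN references lol(N-1) `fanout` times.

    Expanding the root reference yields fanout**depth copies of "lol";
    depth=9, fanout=10 is the classic "billion laughs".  The document is
    constructed here for the demonstration only.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        refs = ("&lol%d;" % (i - 1)) * fanout
        decls.append('<!ENTITY lol%d "%s">' % (i, refs))
    doc = '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&lol%d;</lolz>' % (
        "\n".join(decls),
        depth,
    )
    return doc.encode("ascii")


def expanded_text_length(doc: bytes) -> int:
    """Parse `doc` with entity expansion enabled (expat's default) and count the
    character data handed back: this is the memory a naive consumer pays for."""
    total = 0

    def on_chars(data):
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def parse_rejecting_entities(doc: bytes) -> str:
    """Refuse any document that declares entities (internal or external) at the
    point of declaration, before a single reference is expanded.  On success
    return the concatenated character data of the document."""
    chunks = []

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # An exception raised inside an expat handler aborts Parse() and is
        # re-raised to the caller, so no expansion work is ever done.
        raise EntityDeclarationRejected("document declares entity %r" % name)

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)
    return "".join(chunks)


def is_rejected(doc: bytes) -> bool:
    """True if the hardened parser refuses `doc`."""
    try:
        parse_rejecting_entities(doc)
    except EntityDeclarationRejected:
        return True
    return False


if __name__ == "__main__":
    bomb = build_entity_bomb(depth=3, fanout=10)  # small enough to expand safely
    print("document bytes :", len(bomb))
    print("expanded chars :", expanded_text_length(bomb))  # 10**3 copies of "lol"
    print("rejected       :", is_rejected(bomb))
    print("benign text    :", parse_rejecting_entities(b"<doc>hello</doc>"))
```

Keep the depth small when running this: the three-level payload is a few hundred bytes and expands to 3,000 characters, which already shows the amplification without stressing the machine. Note also that libexpat 2.4.0 and later ship their own amplification limit (parsing aborts once expanded output passes roughly 8 MiB at more than 100x amplification), so the nine-level version raises an ExpatError on a current interpreter instead of exhausting memory; that is a backstop, not a reason to skip the declaration check, which rejects the document before any work is done.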
BrightTalk.com, February 21, 2013
The "Measurable Software Assurance Against Expected Threats" briefing is available as a webcast on BrightTalk.com. The briefing, which was presented by CWE/CAPEC Program Manager Robert A. Martin at the DHS Software Assurance Summit 2013 on February 21, 2013 in Gaithersburg, Maryland, USA, includes discussion of Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Common Weakness Scoring System (CWSS™), and Common Weakness Risk Analysis Framework (CWRAF™), and details how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime."