Industry News Coverage
Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
High-Tech Bridge Web Site, July 2, 2013
CWE and Common Vulnerabilities and Exposures (CVE®) were the main topics of a July 2, 2013 press release by High-Tech Bridge SA entitled “ImmuniWeb Web Security Assessment SaaS is certified CVE and CWE Compatible” about their ImmuniWeb product achieving both Official CWE-Compatible status and Official CVE-Compatible status.
The release also includes a quote by CWE Program Manager Robert A. Martin, who states: “We are always excited about having the CVE and CWE efforts adopted and used within commercial offerings but it is especially gratifying when it is by companies in other countries and markets, like High-Tech Bridge. Leveraging CVE and CWE in ImmuniWeb clearly makes business sense and it is directly helping their customers improve the speed and directness as they address vulnerabilities and weaknesses that are putting their organizations at risk.”
High-Tech Bridge’s CWE Compatibility Questionnaire for ImmuniWeb is available as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site.
NetworkWorld.com, June 14, 2013
CWE and Common Vulnerabilities and Exposures (CVE®) were mentioned in a June 14, 2013 article entitled “Breaking down the OWASP Top 10 security flaws for 2013: What's changed from OWASP's 2010 list and why” on NetworkWorld.com’s “Security Blanket” blog.
CWE and CVE were mentioned in a section about why web application denial-of-service (DoS) attacks were not included on the OWASP list, in quotes by CWE/CVE Technical Lead Steve Christey, as follows: “Regarding application DoS – I don’t know if we should be so dismissive of it. The (negative) commentary I’ve seen on application DoS is concentrating on network-based attacks. (However,) there are other resource-consumption vulnerabilities that are gaining popularity in CVE, such as unrestricted XML entity expansion, a.k.a. ‘billion laughs’ (CWE-776) (that causes a DoS due to) memory consumption. Another example is algorithmic complexity involving hash collisions that slow down hash-table lookups, which was all the rage about a year ago, (that causes a DoS due to) CPU consumption. More recently, Ruby and/or Ruby-based applications have been getting hit with a number of other resource-consumption issues, such as a memory DoS by forcing the creation of a large number of symbols.”
Christey continued, “While I don’t know how often these are exploited, and they may be difficult to detect, or how often they’ll be exploited in the future, these kinds of application DoS issues are becoming popular. As code-execution vulnerabilities get harder to find, I suspect we will see more of these. This might not be enough to merit inclusion in the OWASP Top Ten, but is definitely something to watch out for.”
The article was written by Jonathan Lampe.
BrightTalk.com, February 21, 2013
The "Measurable Software Assurance Against Expected Threats" briefing is available as a webcast on BrightTalk.com. The briefing, which was presented by CWE/CAPEC Program Manager Robert A. Martin at DHS Software Assurance Summit 2013 on February 21, 2013 in Gaithersburg, Maryland, USA, includes discussion of Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Common Weakness Scoring System (CWSS™), and Common Weakness Risk Analysis Framework (CWRAF™), and details how the "use of structured assurance case tools and methods can ease the navigation and explanation of what was done to address the weaknesses of a system for third party review and the evolution and understanding of why someone should have confidence and assurance about a system throughout its lifetime."