CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


Use & Citations

This page lists community usage of CWE by Industry, Government, Academia, Policy/Guidance, Reference, and Standards, with a running count of citations by category. Each entry is tagged with how it uses CWE: Knowledge Source (uses CWE as a knowledge catalog of issues to avoid), Standard Identifier (uses CWE IDs as a standard identifier system), Specific CWE IDs Used (discusses specific CWE issues by their CWE ID), and Uses Specific CWE Info (makes use of specific information from CWE).


Total: 172

Industry

(ISC)2 [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Mano Paul. "Official (ISC)2 Guide to the CSSLP". CRC Press. 2011. <http://books.google.com/books?id=8GQuJG-FouEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

5 steps to secure embedded software [Knowledge Source]

Bill Dickenson and Vijayakumar Kabbin. "5 steps to secure embedded software". Embedded Computing Design. June 2015. <http://embedded-computing.com/articles/5-steps-secure-embedded-software/>.

A Backtracking Symbolic Execution Engine with Sound Path Merging [Specific CWE IDs Used, Uses Specific CWE Info]

Andreas Ibing. "A Backtracking Symbolic Execution Engine with Sound Path Merging". The Eighth International Conference on Emerging Security Information Systems and Technologies - SECURWARE 2014. 2014-11. <https://www.thinkmind.org/index.php?view=article&articleid=securware_2014_8_30_30053>.

A Bug Hunter's Diary [Knowledge Source, Specific CWE IDs Used]

Tobias Klein. "A Bug Hunter's Diary". No Starch Press. 2011. <http://books.google.com/books?id=hl-zvFPQAfcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

A Cyber Attack Modeling and Impact Assessment Framework [Knowledge Source, Standard Identifier]

Igor Kotenko and Andrey Chechulin. "A Cyber Attack Modeling and Impact Assessment Framework". 5th International Conference on Cyber Conflict IEEE. 2013-06. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6568374>.

A Design of a Korean Programming Language Ensuring Run-Time Safety through Categorizing C Secure Coding Rules [Knowledge Source]

Yeoneo Kim, Jiwon Song and Gyun Woo. "A Design of a Korean Programming Language Ensuring Run-Time Safety through Categorizing C Secure Coding Rules". Issue 4. Journal of Korean Institute of Information Scientists and Engineers. Volume 42. 2015. <http://dx.doi.org/10.5626/JOK.2015.42.4.487>.

A Fixed-Point Algorithm for Automated Static Detection of Infinite Loops [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

A. Ibing and A. Mai. "A Fixed-Point Algorithm for Automated Static Detection of Infinite Loops". IEEE International Symposium High Assurance Systems Engineering. 2015-01. <https://www.sec.in.tum.de/assets/Uploads/ibing15infloops.pdf>.

A Gold Standard for Assessing the Coverage of Static Analyzers [Knowledge Source, Standard Identifier, Specific CWE IDs Used, Uses Specific CWE Info]

Eric Bush. "A Gold Standard for Assessing the Coverage of Static Analyzers". 2013 IEEE International Conference on Technologies for Homeland Security. 2013-11. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6699091>.

A Method for Recommending Computer-Security Training for Software Developers: Leveraging the Power of Static Analysis Techniques and Vulnerability Repositories [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Muhammad Nadeem, Edward B. Allen and Byron J. Williams. "A Method for Recommending Computer-Security Training for Software Developers: Leveraging the Power of Static Analysis Techniques and Vulnerability Repositories". 2015 12th International Conference on Information Technology - New Generations (ITNG). 2015-05. <http://dx.doi.org/10.1109/ITNG.2015.90>.

A Model for Structuring and Reusing Security Requirements Sources and Security Requirements [Knowledge Source]

Christian Schmitt and Peter Liggesmeyer. "A Model for Structuring and Reusing Security Requirements Sources and Security Requirements". 21st International Conference on Requirements Engineering. 2015-03. <http://ceur-ws.org/Vol-1342/04-CRE.pdf>.

A novel approach to evaluate software vulnerability prioritization [Knowledge Source]

Chien-Cheng Huang, Feng-Yu Lin, Frank Yeong-Sung Lin and Yeali S. Sun. "A novel approach to evaluate software vulnerability prioritization". Issue 11. The Journal of Systems and Software. Vol.86. Department of Information Management, National Taiwan University. 2013. <http://dx.doi.org/10.1016/j.jss.2013.06.040>.

A Security Analysis Framework Powered by an Expert System [Knowledge Source, Standard Identifier, Specific CWE IDs Used, Uses Specific CWE Info]

Maher Mohamed Gamal, Dr. Bahaa Hasan and Dr. Abdel Fatah Hegazy. "A Security Analysis Framework Powered by an Expert System". Book: 2011 Volume 4, Issue 6. International Journal of Computer Science and Security (IJCSS). Computer Science Journals. 2011-08-02. <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.227.7340&rep=rep1&type=pdf>.

A Single-Process Design for Developing Automation Tools for Inspecting the Vulnerabilities of Android Applications [Knowledge Source]

Da-Woon Leem, Hyun-Ju Jung, Moon-Sung Hwang, Jung-Ah Shim and Hyun-Jung Kwon. "A Single-Process Design for Developing Automation Tools for Inspecting the Vulnerabilities of Android Applications". Advanced Science and Technology Letters (GST 2015). Vol. 120. 2015. <http://dx.doi.org/10.14257/astl.2015.120.59>.

A Software Weakness Analysis Technique for Secure Software [Knowledge Source, Uses Specific CWE Info]

Yunsik Son, Yangsun Lee and Seman Oh. "A Software Weakness Analysis Technique for Secure Software". Advanced Science and Technology Letters. Vol.93 (Security, Reliability and Safety 2015). 2015. <http://onlinepresent.org/proceedings/vol93_2015/2.pdf>.

A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Min-gyu Lee, Hyo-jung Sohn, Baek-min Seong and Jong-Bae Kim. "A Study on the Secure Software Development Life Cycle for Common Criteria (CC) Certification". No. 10. International Journal of Software Engineering and Its Applications. Vol. 9. 2015. <http://dx.doi.org/10.14257/ijseia.2015.9.10.13>.

A System Engineering and Acquisition Approach for Space System Software Resiliency [Knowledge Source]

Dewanne Marie Phillips. "A System Engineering and Acquisition Approach for Space System Software Resiliency". 32nd Space Symposium. 2016-04. <http://www.spacesymposium.org/sites/default/files/downloads/Phillips,%20Dewanne%20-%20Presentation-A%20System%20Engineering%20and%20Acquisition%20Approach%20for%20Space%20System%20Software%20Resiliency.pdf>.

A vulnerability's lifetime: enhancing version information in CVE databases [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Leonid Glanz, Sebastian Schmidt, Sebastian Wollny and Ben Hermann. "A vulnerability's lifetime: enhancing version information in CVE databases". Proceedings of the 15th International Conference on Knowledge Technologies and Data-driven Business i-KNOW '15. Article No. 28. 2015. <http://dl.acm.org/citation.cfm?id=2809612>.

Achieving Web Security by Increasing the Web Application Safety [Knowledge Source, Standard Identifier, Specific CWE IDs Used]

Maryam Abedi, Navid Nikmehr and Mohsen Doroodchi. "Achieving Web Security by Increasing the Web Application Safety". The 2014 International Conference on Security and Management (SAM). 2014-07. <http://worldcomp-proceedings.com/proc/p2014/SAM9772.pdf>.

Advanced Detection Tool for PDF Threats [Knowledge Source, Standard Identifier, Specific CWE IDs Used, Uses Specific CWE Info]

Quentin Jerome, Samuel Marchal, Radu State and Thomas Engel. "Advanced Detection Tool for PDF Threats". Proceedings of the Sixth International Workshop on Autonomous and Spontaneous Security 2013. 2013-09. <http://orbilu.uni.lu/handle/10993/13062>.

Algorithmic Approach for Development of Misuse Case Modeling Framework for iMACOQR Metrics [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

C. Banerjee, Arpita Banerjee and P. D. Murarka. "Algorithmic Approach for Development of Misuse Case Modeling Framework for iMACOQR Metrics". 2015 Fifth International Conference on Advanced Computing & Communication Technologies (ACCT). 2014-04. <http://www.ijettcs.org/Volume3Issue2/IJETTCS-2014-04-25-126.pdf>.

An Approach to Counteracting the Common Cyber-attacks According to the Metric-Based Model [Knowledge Source]

Mohammad Sirwan Geramiparvar and Nasser Modiri. "An Approach to Counteracting the Common Cyber-attacks According to the Metric-Based Model". International Journal of Computer Science and Network Security (IJCSNS). 2015-02. <http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=12127CB3A99507F7A6897B91CA5B3E10?doi=10.1.1.696.9754&rep=rep1&type=pdf>.

An Information Flow-Based Taxonomy to Understand the Nature of Software Vulnerabilities [Knowledge Source, Specific CWE IDs Used]

Daniela Oliveira, Jedidiah Crandall, Harry Kalodner, Nicole Morin, Megan Maher, Jesus Navarro and Felix Emiliano. "An Information Flow-Based Taxonomy to Understand the Nature of Software Vulnerabilities". IFIP Advances in Information and Communication Technology. Volume 471. ICT Systems Security and Privacy Protection. 2016-05. <http://www.daniela.ece.ufl.edu/Research_files/sec16.pdf>.

An overview of vulnerability assessment and penetration testing techniques [Knowledge Source]

Sugandh Shah and B. M. Mehtre. "An overview of vulnerability assessment and penetration testing techniques". Issue 1. Journal of Computer Virology and Hacking Techniques. Volume 11. 2014-11. <http://rd.springer.com/article/10.1007/s11416-014-0231-x>.

Application of Pedagogical Fundamentals for the Holistic Development of Cybersecurity Professionals [Standard Identifier]

Barbara E. Endicott-Popovsky and Viatcheslav M. Popovsky. "Application of Pedagogical Fundamentals for the Holistic Development of Cybersecurity Professionals". ACM Inroads Volume 5 Issue 1. pages 57-68. ACM New York, NY, USA. 2014-03. <http://dl.acm.org/citation.cfm?id=2568214>.

Architectural Analysis for Security [Knowledge Source, Specific CWE IDs Used]

Jungwoo Ryoo, Rick Kazman and Priya Anand. "Architectural Analysis for Security". Issue No. 06. IEEE Security & Privacy 2015. Vol. 13. 2015-11. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7349074>.

Architectural Analysis for Security (AAFS) [Knowledge Source, Specific CWE IDs Used]

Jungwoo Ryoo, Priya Anand and Rick Kazman. "Architectural Analysis for Security (AAFS)". SEI. 2015. <http://resources.sei.cmu.edu/asset_files/Presentation/2015_017_101_437695.pdf>.

Architecture-Based Self-Protecting Software Systems [Knowledge Source, Standard Identifier, Uses Specific CWE Info]

Eric Yuan, Sam Malek, Bradley Schmerl, David Garlan and Jeff Gennari. "Architecture-Based Self-Protecting Software Systems". Proceedings of the Ninth International ACM Sigsoft Conference on the Quality of Software Architectures. 2013. <http://acme.able.cs.cmu.edu/pubs/uploads/pdf/arch-based-self-protection-qosa-v1.0Yuan_2013_ABSS.pdf>.

Aspect Security - The Unfortunate Reality of Insecure Libraries [Knowledge Source]

Jeff Williams and Arshan Dabirsiaghi. "The Unfortunate Reality of Insecure Libraries". Inadvertent Vulnerabilities in Libraries. Aspect Security, Inc.. 2012-03. <https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf>.

ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability Data [Knowledge Source, Uses Specific CWE Info]

Alpana Dubey and Dhivya Muthukrishnan. "ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability Data". No. 2. Journal of Communications. Vol. 10. 2015-02. <http://www.jocm.us/uploadfile/2015/0309/20150309111444407.pdf>.

ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability Data [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Tao Wen, Yuqing Zhang, Qianru Wu and Gang Yang. "ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability Data". No. 2. Journal of Communications. Vol. 10. 2015-02. <http://www.jocm.us/uploadfile/2015/0309/20150309111444407.pdf>.

Automated analysis of security requirements through risk-based argumentation [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Yijun Yu, Thein Than Tun, Roel J. Wieringa and Bashar Nuseibeh. "Automated analysis of security requirements through risk-based argumentation". Journal of Systems and Software. Volume 106. 2015-08. <http://dx.doi.org/10.1016/j.jss.2015.04.065>.

Automatic detection of vulnerabilities for advanced security analytics [Knowledge Source, Specific CWE IDs Used]

Marian Gawron, Feng Cheng and Christoph Meinel. "Automatic detection of vulnerabilities for advanced security analytics". 2015 17th Asia-Pacific Network Operations and Management Symposium (APNOMS). 2015-08. <http://dx.doi.org/10.1109/APNOMS.2015.7275369>.

Automatic Vulnerability Detection for Weakness Visualization and Advisory Creation [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Marian Gawron, Aragats Amirkhanyan, Feng Cheng and Christoph Meinel. "Automatic Vulnerability Detection for Weakness Visualization and Advisory Creation". 8th International Conference on Security of Information and Networks (SIN '15). 2015-09. <http://dx.doi.org/10.1145/2799979.2799986>.

Automating Risk Analysis of Software Design Models [Knowledge Source]

Maxime Frydman, Guifré Ruiz, Elisa Heymann and Barton P. Miller. "Automating Risk Analysis of Software Design Models". The Scientific World Journal 2014. 2014-06. <https://www.hindawi.com/journals/tswj/2014/805856/>.

Automating Threat Modeling through the Software Development Life-Cycle [Knowledge Source]

Guifre Ruiz, Elisa Heymann, Eduardo Cesar and Barton P. Miller. "Automating Threat Modeling through the Software Development Life-Cycle". Jornadas Sarteco. 2012-09. <http://research.cs.wisc.edu/mist/papers/Guifre-sep2012.pdf>.

BackTrack 4: Assuring Security by Penetration Testing [Knowledge Source]

Shakeel Ali and Tedi Heriyanto. "BackTrack 4: Assuring Security by Penetration Testing". Packt Publishing. 2011. <http://books.google.com/books?id=SodvK4NMBgwC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Case Base for Secure Software Development Using Software Security Knowledge Base [Knowledge Source]

A. Hazeyama, M. Saito, N. Yoshioka, A. Kumagai, T. Kobashi, H. Washizaki, H. Kaiya and T. Okubo. "Case Base for Secure Software Development Using Software Security Knowledge Base". IEEE 39th Annual Computer Software and Applications Conference (COMPSAC). Volume 3. 2015-07. <http://dx.doi.org/10.1109/COMPSAC.2015.86>.

Cisco 2014 Annual Security Report [Standard Identifier, Specific CWE IDs Used, Knowledge Source]

"Cisco 2014 Annual Security Report". Cisco. 2014. <https://www.cisco.com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf>.

CISQ Insecure Software [Knowledge Source]

B. Curtis. "Insecure Software and My Supersonic Trip around the World". Consortium for IT Software Quality (CISQ). 2013-07-26. <http://it-cisq.org/insecure-software-and-my-supersonic-trip-around-the-world/>.

CMU/SEI-2010-TR-028 [Knowledge Source, Standard Identifier, Specific CWE IDs Used]

Lisa Brownsword, Carol C. Woody, Christopher J. Alberts and Andrew P. Moore. "A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project". Carnegie Mellon Software Engineering Institute. 2010-08. <http://www.sei.cmu.edu/reports/10tr028.pdf>.

Computational ontology of network operations [Knowledge Source]

Alessandro Oltramari, Lorrie Faith Cranor, Robert J. Walls and Patrick McDaniel. "Computational ontology of network operations". Military Communications Conference - MILCOM 2015. 2015-10. <http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=7347040>.

CORE Security - Advisories [Knowledge Source, Specific CWE IDs Used]

"Core Advisories Grid". CoreLabs Research. CORE Security. <http://www.coresecurity.com/grid/advisories>.

Coverity Coverage for Common Weakness Enumeration (CWE): C# [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

"Coverity Coverage for Common Weakness Enumeration (CWE): C#". Coverity Software Testing Platform version 7.5 and CWE version 2.5. Data Sheet. Coverity, Inc. 2014. <http://www.coverity.com/wp-content/uploads/2014/01/Coverity-CWE-for-C-Sharp.pdf>.

Coverity Coverage For Common Weakness Enumeration (CWE): C/C++ [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

"Coverity Coverage For Common Weakness Enumeration (CWE): C/C++". Coverity Software Testing Platform version 7.5 and CWE version 2.5. Data Sheet. Coverity, Inc. 2014. <http://www.coverity.com/wp-content/uploads/2012/09/Coverity-CWE-for-C_CPlusPlus.pdf>.

Coverity Coverage For Common Weakness Enumeration (CWE): Java [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

"Coverity Coverage For Common Weakness Enumeration (CWE): Java". Coverity Software Testing Platform version 7.5 and CWE version 2.5. Data Sheet. Coverity, Inc. 2014. <https://www.coverity.com/wp-content/uploads/2013/03/Coverity-CWE-for-Java.pdf>.

Coverity Scan - Open Source Report 2014 [Knowledge Source]

"Coverity Scan - Open Source Report 2014". Synopsys, Inc. 2014. <http://go.coverity.com/rs/157-LQW-289/images/2014-Coverity-Scan-Report.pdf>.

Critical Code: Software Producibility for Defense [Knowledge Source, Standard Identifier]

National Research Council. "Critical Code: Software Producibility for Defense". Washington, DC: The National Academies Press. 2010. <http://www.nap.edu/catalog.php?record_id=12979>.

Critical Watch - OWASP to WASC to CWE Mapping - Correlating Different Industry Taxonomy [Knowledge Source, Standard Identifier, Specific CWE IDs Used]

Jesper Jurcenoks. "OWASP to WASC to CWE Mapping - Correlating Different Industry Taxonomy". Critical Watch. 2013-06. <http://www.criticalwatch.com/assets/c-Owasp-to-Wasc-to-CWE-Mapping-Tech-Paper-0710131.pdf>.

Cross-technology, cross-layer defect detection in IT systems: challenges and achievements [Knowledge Source, Specific CWE IDs Used, Uses Specific CWE Info]

Philippe-Emmanuel Douziech and Bill Curtis. "Cross-technology, cross-layer defect detection in IT systems: challenges and achievements". Proceedings of the First International Workshop on Complex faUlts and Failures in LargE Software Systems (COUFLESS '15). 2015. <http://dl.acm.org/ft_gateway.cfm?id=2819424&ftid=1617355&dwn=1&CFID=787064171&CFTOKEN=78525653>.

CrossTalk [Knowledge Source]

Joe Jarzombek. "From the Sponsor". CrossTalk. September/October 2015. <http://www.crosstalkonline.org/storage/issue-archives/2015/201509/201509-Jarzombek.pdf>.

CrossTalk - Applying Software Assurance Concepts to the Cloud [Standard Identifier, Specific CWE IDs Used]

Randall Brooks and John Whited. "Applying Software Assurance Concepts to the Cloud". CrossTalk. U.S. Air Force Software Technology Support Center (STSC), Lumin Publishing. 2013-09. <http://www.crosstalkonline.org/storage/issue-archives/2013/201309/201309-Brooks.pdf>.

CrossTalk - Software Assurance, Trustworthiness, and Rigor [Knowledge Source]

Don O'Neill. "Software Assurance, Trustworthiness, and Rigor". Crosstalk. U.S. Air Force Software Technology Support Center (STSC), Independent Consultant. 2014-09. <http://www.crosstalkonline.org/storage/issue-archives/2014/201409/201409-ONeill.pdf>.

CrossTalk - Static Analysis is Not Enough: The Role of Architecture and Design in Software Assurance [Knowledge Source, Specific CWE IDs Used, Standard Identifier]

Walter Houser. "From the Publisher". Crosstalk. U.S. Air Force Software Technology Support Center (STSC), NIST. 2014 November/December. <http://www.crosstalkonline.org/storage/issue-archives/2014/201409/201409-Hill.pdf>.

CSAAES: An expert system for cyber security attack awareness [Knowledge Source]

Cheshta Rani and Shivani Goel. "CSAAES: An expert system for cyber security attack awareness". International Conference on Computing, Communication and Automation (ICCCA2015). 2015. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7148381&tag=1>.

Cyber Security Policy Guidebook [Knowledge Source]

Jennifer L. Bayuk, Jason Healey, Paul Rohmeyer, Marcus H. Sachs, Jeffrey Schmidt and Joseph Weiss. "Cyber Security Policy Guidebook". Wiley. 2012. <http://books.google.com/books?id=E08UPzu42xoC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Cyberspace and Cybersecurity [Knowledge Source]

George Kostopoulos. "Cyberspace and Cybersecurity". CRC Press. 2012. <http://books.google.com/books?id=w6_jwEj9ZicC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

CyberV@R [Standard Identifier, Knowledge Source]

Dr. Mark Raugus, Dr. James Ulrich, Roberta Faux, Scott Finkelstein and Charlie Cabot. "A Cyber Security Model for value at Risk". Cyber Point International. 2013-01. <http://cyberpointllc.com/openResearch/CyberV@R.pdf>.

Denim Group Blog - Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25 [Knowledge Source]

Dan Cornell. "Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25". Denim Group Blog. Denim Group. 2010-01-13. <http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html>.

Design and Implementation of the Compiler with Secure Coding Rules for Developing Secure Mobile Applications in Memory Usages [Knowledge Source]

YunSik Son, YangSun Lee and SeMan Oh. "Design and Implementation of the Compiler with Secure Coding Rules for Developing Secure Mobile Applications in Memory Usages". Vol. 6, No. 4. International Journal of Smart Home. 2012-10. <http://www.sersc.org/journals/IJSH/vol6_no4_2012/15.pdf>.

Design and implementation of the secure compiler and virtual machine for developing secure IoT services [Knowledge Source]

YangSun Lee, Junho Jeong and Yunsik Son. "Design and implementation of the secure compiler and virtual machine for developing secure IoT services". Future Generation Computer Systems. 2016-04. <http://ac.els-cdn.com/S0167739X16300589/1-s2.0-S0167739X16300589-main.pdf?_tid=711a1fde-1cfe-11e6-bae0-00000aab0f27&acdnat=1463579162_4e7d24a0ea28e5ad8ba198ff84edd89a>.

Design of the Secure Compiler for the IoT Services [Knowledge Source]

Yunsik Son, Junho Jeong and YangSun Lee. "Design of the Secure Compiler for the IoT Services". Advanced Science and Technology Letters. Vol. 110 (ISI 2015). 2015. <http://dx.doi.org/10.14257/astl.2015.110.14>.

Developers and the Software Supply Chain [Specific CWE IDs Used, Uses Specific CWE Info]

Andy Chou. "Developers and the Software Supply Chain". 18th Semi-Annual Software Assurance Forum, March 5-7, 2013. Coverity, Inc. 2011. <https://buildsecurityin.us-cert.gov/sites/default/files/Andy-Chou-Developers-and-the-Software-Supply-Chain.pdf>.

DOI 10.1109/DASC.2011.25 [Knowledge Source, Specific CWE IDs Used]

Per Hakon Meland. "Service Injection: A Threat to Self-managed Complex Systems". 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing. DOI 10.1109/DASC.2011.25. IEEE Computer Society. 2011-12-12. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6118344>.

DOI 10.1109/DEPEND.2010.22 [Knowledge Source]

M.D. Aime and F. Guasconi. "Enhanced Vulnerability Ontology for Information Risk Assessment and Dependability Management". 2010 Third International Conference on Dependability (DEPEND). DOI 10.1109/DEPEND.2010.22. CPS Conference Publishing Services. 2010-07-18. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5562843>.

DOI 10.1109/ITNG.2009.249 [Knowledge Source, Standard Identifier, Specific CWE IDs Used, Uses Specific CWE Info]

Suzanna Schmeelk, William Mills and Robert Noonan. "Managing Post-Development Fault Removal". 2009 Sixth International Conference on Information Technology: New Generations. DOI 10.1109/ITNG.2009.249. IEEE Computer Society. 2009-07-21. <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=5070618>.

DOI 10.1145/1806672.1806684 [Knowledge Source]

Suzanna Schmeelk. "Towards a Unified Fault-Detection Benchmark". PASTE '10 Proceedings of the 9th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering. DOI 10.1145/1806672.1806684. ACM Digital Library. 2010-06-05. <http://dl.acm.org/ft_gateway.cfm?id=1806684&ftid=802806&dwn=1&CFID=255953881&CFTOKEN=27890399>.

DOI 10.5121/ijsea.2012.3101 [Specific CWE IDs Used]

Suzanna Schmeelk, William Mills and Leif Hedstrom. "Standardizing Source Code Security Audits". Vol. 3, No. 1. International Journal of Software Engineering & Applications (IJSEA). DOI 10.5121/ijsea.2012.3101. 2012-01. <http://www.doaj.org/doaj?func=fulltext&aId=955562>.

Eleventh Hour CISSP: Study Guide [Knowledge Source]

Eric Conrad, Seth Misenar and Joshua Feldman. "Eleventh Hour CISSP: Study Guide". Syngress. 2010. <http://books.google.com/books?id=BNUryGI3YvsC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Embedded Web Device Security [Knowledge Source]

Michael Riegler and Johannes Sametinger. "Embedded Web Device Security". International Conference on Emerging Security Information Systems and Technologies - SECURWARE 2014. 2014-11. <https://www.thinkmind.org/index.php?view=article&articleid=securware_2014_1_10_30011>.

Employing Enterprise Architecture for Applications Assurance [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Walter Houser. "Employing Enterprise Architecture for Applications Assurance". IEEE IT Professional. February 2015. <http://www.infoq.com/articles/employing-enterprise-architecture-for-applications-assurance?utm_campaign=infoq_content&utm_source=infoq&utm_medium=feed&utm_term=global>.

Employing secure coding practices into industrial applications: a case study [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Abdullah Khalili, Ashkan Sami, Mahdi Azimi, Sara Moshtari, Zahra Salehi, Mahboobe Ghiasi and Ali Akbar Safavi. "Employing secure coding practices into industrial applications: a case study". Issue 1. Empirical Software Engineering. Volume 21. 2016-02. <http://dx.doi.org/10.1007/s10664-014-9341-9>.

Engineering Safe and Secure Software Systems [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

C. Warren Axelrod. "Engineering Safe and Secure Software Systems". Artech House. 2012. <http://books.google.com/books?id=sshk_-cWQKcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Evaluating Bug Finders -- Test and Measurement of Static Code Analyzers [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Aurelien Delaitre, Bertrand Stivalet, Elizabeth Fong and Vadim Okun. "Evaluating Bug Finders -- Test and Measurement of Static Code Analyzers". 2015 IEEE/ACM 1st International Workshop on Complex Faults and Failures in Large Software Systems (COUFLESS). 2015-05. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7181477>.

Extracting Cybersecurity Related Linked Data from Text [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Arnav Joshi, Ravendar Lal, Tim Finin and Anupam Joshi. "Extracting Cybersecurity Related Linked Data from Text". 2013 IEEE Seventh International Conference on Semantic Computing (ICSC). 2013-09. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6693525>.

From the Publisher [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Justin Hill. "From the Publisher". Crosstalk. The Journal of Defense Software Engineering. 2014 September/October. <http://www.crosstalkonline.org/storage/issue-archives/2014/201409/201409-Hill.pdf>.

From the Sponsor [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Roberta Stempfley. "From the Sponsor". March/April 2014. Crosstalk: The Journal of Defense Software Engineering. Preface. <http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Stempfley.pdf>.

Fuzzing: Brute Force Vulnerability Discovery [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Michael Sutton, Adam Greene and Pedram Amini. "Fuzzing: Brute Force Vulnerability Discovery". Pearson Education. 2007. <http://books.google.com/books?id=DPAwwn7QDy8C&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Ghost Map: Proving Software Correctness using Games [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Ronald Watro, Kerry Moffitt, Talib Hussain, Daniel Wyschogrod, John Ostwald and Derrick Kong. "Ghost Map: Proving Software Correctness using Games". The Eighth International Conference on Emerging Security Information Systems and Technologies - SECURWARE 2014. 2014-11. <https://www.thinkmind.org/index.php?view=article&articleid=securware_2014_9_40_30144>.

Guide to Developing a Cyber Security and Risk Mitigation Plan – Update 1 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Evgeny Lebanidze and Daniel Ramsbrock. "Guide to Developing a Cyber Security and Risk Mitigation Plan – Update 1". National Rural Electric Cooperative Association: Smart Grid Demonstration Project. National Rural Electric Cooperative Association. 2014. <https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Documents/CyberSecurityGuideforanElectricCooperative-U1.pdf>.

HACKAR: Helpful Advice for Code Knowledge and Attack Resilience [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Ugur Kuter, Mark Burstein, J. Benton, Daniel Bryce, Jordan Thayer and Steve McCoy. "HACKAR: Helpful Advice for Code Knowledge and Attack Resilience". Proceedings of the Twenty-Seventh Conference on Innovative Applications of Artificial Intelligence. 2015. <http://www.aaai.org/ocs/index.php/IAAI/IAAI15/paper/view/9726/9903>.

Hacking Web Apps: Detecting and Preventing Web Application Security Problems [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Mike Shema. "Hacking Web Apps: Detecting and Preventing Web Application Security Problems". Syngress. 2012. <http://books.google.com/books?id=OOqH8NsLeLkC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Hovac: A Configurable Fault Injection Framework for Benchmarking the Dependability of C/C++ Applications [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Lena Herscheid, Daniel Richter and Andreas Polze. "Hovac: A Configurable Fault Injection Framework for Benchmarking the Dependability of C/C++ Applications". 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS). 2015-08. <http://journal-s.org/index.php/ijas/article/download/8529/pdf_80>.

How Would We Know? [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Edmund O. Schweitzer III, David Whitehead, Allen Risley and Rhett Smith. "How Would We Know?". Schweitzer Engineering Laboratories, Inc. 2011. <https://www.selinc.com/workarea/downloadasset.aspx?id=8510>.

HP Fortify Vulncat [Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

"HP Fortify Taxonomy: Software Security Errors". HP Enterprise Security. <http://www.hpenterprisesecurity.com/vulncat/en/vulncat/index.html>.

IATAC/DACS SOAR [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Karen Mercedes Goertzel, Theodore Winograd, Holly Lynne McKinley, Lyndon Oh, Michael Colon, Thomas McGibbon, Elaine Fedchak and Robert Vienneau. "State-of-the-Art Report (SOAR)". Software Security Assurance. Information Assurance Technology Analysis Center (IATAC), Data and Analysis Center for Software (DACS). 2007-07-31. <http://iac.dtic.mil/csiac/download/security.pdf>.

IBM Secure Engineering Framework [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Danny Allan, Tim Hahn, Andras Szakal, Jim Whitmore and Axel Buecker. "Security in Development: The IBM Secure Engineering Framework". Redguides for Business Leaders. IBM Corp. 2010. <http://www.redbooks.ibm.com/redpapers/pdfs/redp4641.pdf>.

Identifying performance assurance challenges for smart manufacturing [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Moneer Helu, Katherine Morris, Kiwook Jung, Kevin Lyons and Swee Leong. "Identifying performance assurance challenges for smart manufacturing". Society of Manufacturing Engineers. 2015-11. <http://www.sciencedirect.com/science/article/pii/S2213846315000139/pdfft?md5=56d24ab13efdec24eef940cd50e5212d&pid=1-s2.0-S2213846315000139-main.pdf>.

Improving prioritization of software weaknesses using security models with AVUS [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Stephan Renatus, Corrie Bartelheimer and Jörn Eichler. "Improving prioritization of software weaknesses using security models with AVUS". 2015 IEEE 15th International Working Conference on Source Code Analysis and Manipulation (SCAM). 2015-09. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7335423>.

Improving Web Application Security by Eliminating CWEs [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Weijie Chen and Maurice Dawson. "Improving Web Application Security by Eliminating CWEs". INFSY 6891 Software Assurance. 2015-12. <http://blogs.umsl.edu/infosec/files/2016/01/Weijie_Chen_ResearchPaper.pdf>.

Instantiating a model for structuring and reusing security requirements sources [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Christian Schmitt and Peter Liggesmeyer. "Instantiating a model for structuring and reusing security requirements sources". 2015 IEEE 2nd Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE). 2015-08. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7330164>.

Interoperability and Cyber Security Plan [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Cigital, Inc., Cornice Engineering, Inc. and Power Systems Engineering. "Interoperability and Cyber Security Plan". National Rural Electric Cooperative Association: Smart Grid Regional Demonstration. National Rural Electric Cooperative Association. May 2010. <https://www.smartgrid.gov/files/Interoperability_Cyber_Security_Plan_NRECA_CRN_Smart_Grid_Re_201001.pdf>.

Intrinsically Secure Next-Generation Networks [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Suhasini Sabnis, Marc Verbruggen, John Hickey and Alan J. McBride. "Intrinsically Secure Next-Generation Networks". Issue 3. Bell Labs Technical Journal. Vol. 17. Alcatel-Lucent. April 2014. DOI 10.1002/bltj.21556.

Managing Risk and Information Security: Protect to Enable [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Malcolm Harkins. "Managing Risk and Information Security: Protect to Enable". Apress Media. 2012. <http://books.google.com/books?id=YWdrcDqvjdwC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

MARFCAT: Fast Code Analysis for Defects and Vulnerabilities [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Serguei A. Mokhov, Joey Paquet and Mourad Debbabi. "MARFCAT: Fast Code Analysis for Defects and Vulnerabilities". 2015 IEEE 1st International Workshop on Software Analytics (SWAN). 2015-03. <http://dx.doi.org/10.1109/SWAN.2015.7070488>.

Misuse Case-Oriented Quality Requirements (MCOQR) Metrics Framework [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

Chitreshh Banerjee, Arpita Banerjee and Santosh K. Pandey. "Misuse Case-Oriented Quality Requirements (MCOQR) Metrics Framework". Problem Solving and Uncertainty Modeling through Optimization and Soft Computing Applications. Chapter 9. 2016-03. <http://www.igi-global.com/chapter/mcoqr-misuse-case-oriented-quality-requirements-metrics-framework/147090>.

MITRE SEG Cyber Threat Susceptibility Assessment [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Enterprise Engineering: Systems Engineering for Mission Assurance". Systems Engineering Guide. Cyber Threat Susceptibility Assessment. The MITRE Corporation. <http://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/cyber-threat-susceptibility-assessment>.

Model-Assisted Access Control Implementation for Code-Centric Ruby-on-Rails Web Application Development [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Seiji Munetoh and Nobukazu Yoshioka. "Model-Assisted Access Control Implementation for Code-Centric Ruby-on-Rails Web Application Development". 2013 International Conference on Availability, Reliability and Security. 2013-09. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6657263>.

Model-Based Engineering for Supply Chain Risk Management [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Dan Shoemaker and Carol Woody. "Model-Based Engineering for Supply Chain Risk Management". CrossTalk. Carnegie Mellon University. September/October 2015. <http://www.crosstalkonline.org/storage/issue-archives/2015/201509/201509-Shoemaker.pdf>.

MSDN - MS SDL [Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

SDL Team. "The Microsoft SDL and the CWE/SANS Top 25". Security Development Lifecycle Blog. Microsoft. 2009-01-27. <http://blogs.msdn.com/b/sdl/archive/2009/01/27/sdl-and-the-cwe-sans-top-25.aspx>.

Net-centric security and CWE [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Chris Tapp. "Net-centric security and CWE". Military Embedded Systems. Liverpool Data Research Associates (LDRA). 2012-09-04. <http://mil-embedded.com/articles/net-centric-security-cwe/>.

Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Robert A. Martin. "Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent". March/April 2014. Crosstalk: The Journal of Defense Software Engineering. <http://www.crosstalkonline.org/storage/issue-archives/2014/201403/201403-Martin.pdf>.

On the capability of static code analysis to detect security vulnerabilities [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Katerina Goseva-Popstojanova and Andrei Perhinschi. "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology. Volume 68. 2015-12. <http://dx.doi.org/10.1016/j.infsof.2015.08.002>.

Ontology-based modeling of DDoS attacks for attack plan detection [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Morteza Ansarinia, Seyyed Amir Asghari, Afshin Souzani and Ahmadreza Ghaznavi. "Ontology-based modeling of DDoS attacks for attack plan detection". 2012 Sixth International Symposium on Telecommunications (IST). 2011-11. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6483131>.

OOPN-SRAM: A Novel Method for Software Risk Assessment [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Xiaofei Wu, Xiaohong Li, Ruitao Feng, Guangquan Xu, Jing Hu and Zhiyong Feng. "OOPN-SRAM: A Novel Method for Software Risk Assessment". Engineering of Complex Computer Systems (ICECCS). pp. 150 - 153. IEEE. 2014-08. <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6923130&tag=1>.

OWASP Testing Guide v4 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"OWASP Testing Guide v4". The Open Web Application Security Project (OWASP). 2014-09-17. <https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents>.

Parallel SMT-Constrained Symbolic Execution for Eclipse CDTCodan [Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Andreas Ibing. "Parallel SMT-Constrained Symbolic Execution for Eclipse CDTCodan". IFIP International Federation for Information Processing CTSS 2013. 2013. <http://rd.springer.com/content/pdf/10.1007%2F978-3-642-41707-8_13.pdf>.

Path-Sensitive Race Detection with Partial Order Reduced Symbolic Execution [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Andreas Ibing. "Path-Sensitive Race Detection with Partial Order Reduced Symbolic Execution". Software Engineering and Formal Methods, SEFM 2014. 2014-09. <http://rd.springer.com/content/pdf/10.1007%2F978-3-319-15201-1_20.pdf>.

Predicting Cyber Vulnerability Exploits with Machine Learning [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Michael Edkrantz and Alan Said. "Predicting Cyber Vulnerability Exploits with Machine Learning". Thirteenth Scandinavian Conference on Artificial Intelligence: SCAI 2015. 2015-11. <http://dx.doi.org/10.3233/978-1-61499-589-0-48>.

Predicting cybersecurity using quality data [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Carol Woody, Robert Ellison and William Nichols. "Predicting cybersecurity using quality data". 2015 IEEE International Symposium on Technologies for Homeland Security (HST). 2015-04. <http://dx.doi.org/10.1109/THS.2015.7225327>.

Predicting Network Attacks Using Ontology-Driven Inference [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Ahmad Salahi and Morteza Ansarinia. "Predicting Network Attacks Using Ontology-Driven Inference". Computing Research Repository (CoRR). 2013. <https://arxiv.org/ftp/arxiv/papers/1304/1304.0913.pdf>.

Principles and Measurement Models for Software Assurance [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Nancy R. Mead, Dan Shoemaker and Carol Woody. "Principles and Measurement Models for Software Assurance". International Journal of Secure Software Engineering (IJSSE). 2013-01. <http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=298843>.

Principles for Software Assurance Assessment [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Shaun Gilmore, Reeny Sondhi and Stacy Simpson. "Principles for Software Assurance Assessment". SAFECode. 2015. <http://www.safecode.org/publication/SAFECode_Principles_for_Software_Assurance_Assessment.pdf>.

Process Firewalls: Protecting Processes During Resource Access [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Hayawardh Vijayakumar, Joshua Schiffman and Trent Jaeger. "Process Firewalls: Protecting Processes During Resource Access". Proceedings of the 8th ACM European Conference on Computer Systems. 2013-04. <http://dl.acm.org/citation.cfm?id=2465358>.

Quantitative Scoring System on the Importance of Software Vulnerabilities [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Joonseon Ahn, Byeong-Mo Chang and Eunyoung Lee. "Quantitative Scoring System on the Importance of Software Vulnerabilities". Issue 4. Journal of the Korea Institute of Information Security and Cryptology. Volume 25. 2015. <http://www.koreascience.or.kr/search/articlepdf_ocean.jsp?url=http://ocean.kisti.re.kr/downfile/volume/kiisc/JBBHCB/2015/v25n4/JBBHCB_2015_v25n4_921.pdf&admNo=JBBHCB_2015_v25n4_921>.

Red Hat - CWE Coverage for Red Hat Customer Portal [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

Ramon de C Valle. "CWE Coverage for Red Hat Customer Portal". Security Blog. Red Hat, Inc. 2013-06-19. <http://securityblog.redhat.com/2013/05/22/outside-in-vulnerability-assessment-for-secure-software-development/>.

Refactoring of Security Antipatterns in Distributed Java Components [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Marc Schönefeld. "Refactoring of Security Antipatterns in Distributed Java Components". University of Bamberg Press. 2010. <http://books.google.com/books?id=cUWFz3oZLyAC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Reference Ontology for Cybersecurity Operational Information [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Takahashi, T. and Kadobayashi, Y. "Reference Ontology for Cybersecurity Operational Information". The Computer Journal. October 2014. <http://comjnl.oxfordjournals.org/content/early/2014/10/07/comjnl.bxu101.full.pdf>.

Research on Parallel Vulnerabilities Discovery Based on Open Source Database and Text Mining [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Zhao Xianghui, Peng Yong, Zhai Zan, Jin Yi and Yao Yuangang. "Research on Parallel Vulnerabilities Discovery Based on Open Source Database and Text Mining". 2015 International Conference on Intelligent Information Hiding and Multimedia Signal Processing. 2015-09. <http://dx.doi.org/10.1109/IIH-MSP.2015.84>.

Risk Assessment and Security Testing of Large Scale Networked Systems with RACOMAT [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Johannes Viehmann and Frank Werner. "Risk Assessment and Security Testing of Large Scale Networked Systems with RACOMAT". Springer International Publishing Switzerland. 2015. <http://rd.springer.com/content/pdf/10.1007%2F978-3-319-26416-5_1.pdf>.

Risk Management: The Open Group Guide [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

The Open Group, Ian Dobson and Jim Hietala. "Risk Management: The Open Group Guide". Van Haren Publishing. 2011-05. <http://books.google.com/books?id=p4f8jUT2wgUC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

RSA Conference Europe 2010 - AND-105 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

Chris Eng. "Avoiding the CWE/SANS Top 25 Most Dangerous Software Errors". RSA Conference Europe 2010. AND-105. EMC Corporation. 2010. <http://365.rsaconference.com/servlet/JiveServlet/previewBody/2696-102-1-3442/AND-105%20-%20Avoiding%20the%20CWE-SANS%20Top%2025%20Most%20Dangerous%20Programming%20Errors.pdf>.

S-compiler: A code vulnerability detection method [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Monica Catherine S and Geogen George. "S-compiler: A code vulnerability detection method". 2015 International Conference on Electrical, Electronics, Signals, Communication and Optimization (EESCO). 2015-01. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7254018>.

Secure Software Development Lifecycle which supplements security weakness for CC certification [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Min-gyu Lee, Hyo-jung Sohn, Baek-min Seong and Jong-bae Kim. "Secure Software Development Lifecycle which supplements security weakness for CC certification". No. 10. International Journal of Software Engineering and Its Applications. Vol. 9. 2016-01. <http://www.sersc.org/journals/IJSEIA/vol9_no10_2015/13.pdf>.

Securing VoIP Networks [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID), Uses Specific CWE Info (Makes use of specific information from CWE)]

Peter Thermos and Ari Takanen. "Securing VoIP Networks". Pearson Education. 2007. <http://books.google.com/books?id=5F76E72oIR0C&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Security Automation and Threat Information-Sharing Options [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Panos Kampanakis. "Security Automation and Threat Information-Sharing Options". IEEE Security & Privacy. Volume 12, Issue 5. pp. 42-51. IEEE Computer Society. September/October 2014. <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6924671&tag=1>.

Security countermeasure management platform [Standard Identifier (Uses CWE IDs as a standard Identifier system)]

Michael S. Curtis, Audian H. Paxson, Eva E. Bunker, Nelson W. Bunker and Kevin M. Mitchell. "Security countermeasure management platform". U.S. Patent Application 20140344940. Achilles Guard, Inc. D.B.A. Critical Watch. 2014-11-20. <http://www.freepatentsonline.com/y2014/0344940.html>.

Security for Web Services and Service-Oriented Architectures [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Elisa Bertino, Lorenzo Martino, Federica Paci and Anna Squicciarini. "Security for Web Services and Service-Oriented Architectures". Springer. 2009. <http://books.google.com/books?id=RYBKAAAAQBAJ&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Security Management of Next Generation Telecommunications Networks and Services [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Stuart Jacobs. "Security Management of Next Generation Telecommunications Networks and Services". IEEE Press Series on Networks and Services Management. Wiley. 2013. <http://books.google.com/books?id=AfpeAQAAQBAJ&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

SecuWear: An open source, multi-component hardware/software platform for exploring wearable security [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Uses Specific CWE Info (Makes use of specific information from CWE)]

Matthew L. Hale, Dalton Ellis, Rose Gamble, Charles Walter and Jessica Lin. "SecuWear: An open source, multi-component hardware/software platform for exploring wearable security". 2015 IEEE International Conference on Mobile Services. 2015-07. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7226677>.

Selecting security control portfolios: a multi-objective simulation-optimization approach [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

Andreas Ekelhart, Bernhard Grill, Elmar Kiesling, Christine Strauss and Christian Stummer. "Selecting security control portfolios: a multi-objective simulation-optimization approach". EURO Journal on Decision Processes. Springer-Verlag. 2016-04. <http://rd.springer.com/article/10.1007%2Fs40070-016-0055-7>.

SHIELDS FP7-ICT-2007 215995 D1.1 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system)]

"Initial architecture and requirements specification". v.1. FP7-ICT-2007 215995. D1.1. SHIELDS. 2008-05-31. <http://www.shields-project.eu/files/docs/D1.1%20Initial%20architecture%20and%20requirements%20specification.pdf>.

SHIELDS FP7-ICT-2007 215995 D1.3 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system)]

"Revised Architecture and Requirements Specification". 2.0. FP7-ICT-2007 215995. D1.3. SHIELDS. 2009-03-30. <http://www.shields-project.eu/files/docs/D1.3%20Revised%20Architecture%20and%20Requirements%20Specification.pdf>.

SHIELDS FP7-ICT-2007 215995 D1.4 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system), Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

"Final SHIELDS approach guide". 2.3. FP7-ICT-2007 215995. D1.4. SHIELDS. 2010-09-28. <http://www.shields-project.eu/files/docs/D1.4%20Final%20SHIELDS%20Approach%20Guide.pdf>.

SHIELDS FP7-ICT-2007 215995 D2.1 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Formalism Definitions and Representation Schemata". v2.0. FP7-ICT-2007 215995. D2.1. SHIELDS. 2008-06-25. <http://www.shields-project.eu/files/docs/D2.1%20Formalism%20Definitions%20and%20Representation%20Schemata.pdf>.

SHIELDS FP7-ICT-2007 215995 D2.2 [Specific CWE IDs Used (Discusses specific CWE issues by their CWE ID)]

"Initial Modelling Methods and Prototype Modelling Tools". 2.0. FP7-ICT-2007 215995. D2.2. SHIELDS. 2008-09-30. <http://www.shields-project.eu/files/docs/D2.2%20Initial%20Modelling%20Methods%20and%20Prototype%20Modelling%20Tools.pdf>.

SHIELDS FP7-ICT-2007 215995 D2.3 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Final Modelling Methods, Formalisms and Prototype Modelling Tools". 2.1. FP7-ICT-2007 215995. D2.3. SHIELDS. 2010-09-28. <http://www.shields-project.eu/files/docs/D2.3%20Final%20modelling%20methods,%20formalisms%20and%20prototype%20modelling%20tools.pdf>.

SHIELDS FP7-ICT-2007 215995 D4.1 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid), Standard Identifier (Uses CWE IDs as a standard Identifier system)]

"Initial specifications of the security methods and tools". 2.1. FP7-ICT-2007 215995. D4.1. SHIELDS. 2008-07-01. <http://www.shields-project.eu/files/docs/D4.1%20Initial%20specifications%20of%20the%20security%20methods%20and%20tools.pdf>.

SHIELDS FP7-ICT-2007 215995 D4.2 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Initial Prototypes of Vulnerability Recognition Tools". 2.0. FP7-ICT-2007 215995. D4.2. SHIELDS. 2009-05-25. <http://www.shields-project.eu/files/docs/D4.2%20Initial%20Prototypes%20of%20Vulnerability%20Recognition%20Tools.pdf>.

SHIELDS FP7-ICT-2007 215995 D4.3 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Final report on inspection methods and prototype vulnerability recognition tools". 2.0. FP7-ICT-2007 215995. D4.3. SHIELDS. 2010-04-22. <http://www.shields-project.eu/files/docs/D4.3%20Final%20report%20on%20inspection%20methods%20and%20prototype%20vulnerability%20recognition%20tools.pdf>.

SHIELDS FP7-ICT-2007 215995 D5.1 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Results of First Evaluation of the Technical Work Packages". 2.0. FP7-ICT-2007 215995. D5.1. SHIELDS. 2008-10-31. <http://www.shields-project.eu/files/docs/D5.1%20Results%20of%20First%20Evaluation%20of%20the%20Technical%20Work%20Packages.pdf>.

SHIELDS FP7-ICT-2007 215995 D5.3 [Knowledge Source (Uses CWE as a Knowledge Catalog of Issues to Avoid)]

"Final Evaluation Report". 2.0. FP7-ICT-2007 215995. D5.3. SHIELDS. 2010-06-22. <http://www.shields-project.eu/files/docs/D5.3%20Final%20Evaluation%20Report.pdf>.

SHIELDS FP7-ICT-2007 215995 D1.2[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

"Initial SHIELDS approach guide". Version 1.0. FP7-ICT-2007 215995. D1.2. SHIELDS. 2008-09-30. <http://www.shields-project.eu/files/docs/D1.2%20Initial%20SHIELDS%20approach%20guide.pdf>.

SHIELDS FP7-ICT-2007 215995 D3.2[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Standard IdentifierUses CWE IDs as a standard Identifier system.]

"Repository Service Prototype". 2.0. FP7-ICT-2007 215995. D3.2. SHIELDS. 2009-12-04. <http://www.shields-project.eu/files/docs/D3.2%20Repository%20service%20prototype.pdf>.

Software Assurance, Trustworthiness, and Rigor[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Don O’Neill. "Software Assurance, Trustworthiness, and Rigor". Acquisition of Software-Reliant Capabilities. CrossTalk. September/October 2014. <http://static1.1.sqspcdn.com/static/f/702523/25389270/1409614172627/201409-ONeill.pdf>.

Software Change Management: Case Studies and Practical Advice[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Donald J. Reifer. "Software Change Management: Case Studies and Practical Advice". Microsoft Press. 2011. <http://books.google.com/books?id=_qHskeb87gEC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Software Engineering and the Persistent Pursuit of Software Quality[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Paul D. Nielsen. "Software Engineering and the Persistent Pursuit of Software Quality". What is Software Engineering?. CrossTalk. Carnegie Mellon University. 2014. <http://static1.1.sqspcdn.com/static/f/702523/26194068/1430694655517/201505-Nielsen.pdf>.

Software Engineering Issues Regarding Securing ICS: An Industrial Case Study[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Abdullah Khalili, Ashkan Sami, Mahboobe Ghiasi, Sara Moshtari, Zahra Salehi and Mahdi Azimi. "Software Engineering Issues Regarding Securing ICS: An Industrial Case Study". ICSE Workshop on Modern Software Engineering Methods for Industrial Automation (MoSEMInA’14). 2014-05. <http://dl.acm.org/ft_gateway.cfm?id=2593789&ftid=1468132&dwn=1&CFID=787064171&CFTOKEN=78525653>.

Software Security Engineering: A Guide for Project Managers[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Nancy R. Mead, Julia H. Allen, Sean J. Barnum, Robert J. Ellison and Gary McGraw. "Software Security Engineering: A Guide for Project Managers". Carnegie Mellon SEI Series. Pearson Education. 2004. <http://books.google.com/books?id=hl-zvFPQAfcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

SQL Injection Attacks and Defense[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Justin Clarke. "SQL Injection Attacks and Defense". Syngress. 2012. <http://books.google.com/books?id=KKqiht2IsrcC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

David A. Wheeler and Rama S. Moorthy. "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation". IDA Paper P-5061. Defense Technical Information Center - Science & Technology (DTIC). Institute for Defense Analysis (IDA). July 2014. <http://www.dtic.mil/dtic/tr/fulltext/u2/a607954.pdf>.

Static Analysis of Source Code Security: Assessment of Tools Against SAMATE Tests[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Gabriel Diaz and Juan Ramon Bermejo. "Static Analysis of Source Code Security: Assessment of Tools Against SAMATE Tests". Information and Software Technology. 2013. <http://www.sciencedirect.com/science/article/pii/S0950584913000384>.

Static Code Analysis: Best Practices for Software Assurance in the Acquisition Life Cycle[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Paul R. Croll. "Static Code Analysis: Best Practices for Software Assurance in the Acquisition Life Cycle". 12th Annual NDIA Systems Engineering Conference. 2009-10-29. <http://www.dtic.mil/ndia/2009systemengr/9104ThursdayTrack8Croll.pdf>.

Strategies for Program Protection – Identifying Risks and Setting Requirements[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Paul R. Croll. "Strategies for Program Protection – Identifying Risks and Setting Requirements". 15th Annual NDIA Systems Engineering Conference. 2012-10-24. <http://www.dtic.mil/ndia/2012system/track514763.pdf>.

Study on Diffusion of Protection/Mitigation against Memory Corruption Attack in Linux Distributions[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Takamichi Saitoi, Hiroyuki Miyazaki, Takaaki Baba, Yoshifumi Sumida and Yosuke Hori. "Study on Diffusion of Protection/Mitigation against Memory Corruption Attack in Linux Distributions". 2015 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS). 2015-07. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7285008>.

System Assurance: Beyond Detecting Vulnerabilities[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Nikolai Mansourov and Djenana Campara. "System Assurance: Beyond Detecting Vulnerabilities". Morgan Kaufmann Publishers. 2010. <http://books.google.com/books?id=9F8oIIPdqiIC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

The CAPEC based generator of attack scenarios for network security evaluation[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Igor Kotenko and Elena Doynikova. "The CAPEC based generator of attack scenarios for network security evaluation". 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). 2015-09. <http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7340774>.

The cyber simulation terrain: Towards an open source cyber effects simulation ontology[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Kent O’Sullivan and Benjamin Turnbull. "The cyber simulation terrain: Towards an open source cyber effects simulation ontology". Proceedings of the 16th Australian Information Warfare Conference. 2015-12. <http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1059&context=isw>.

The Defender’s Dilemma: Charting a Course Toward Cybersecurity[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID.]

Martin C. Libicki, Lillian Ablon and Tim Webb. "The Defender’s Dilemma: Charting a Course Toward Cybersecurity". Defense Technical Information Center - Science & Technology (DTIC). RAND Corporation. 2015-01-01. <http://www.dtic.mil/dtic/tr/fulltext/u2/a620191.pdf>.

The Experience of Comparison of Static Security Code Analyzers[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Alexey Markov, Andrew Fadin, Vladislav Shvets and Valentin Tsirlov. "The Experience of Comparison of Static Security Code Analyzers". No 3. International Journal of Advanced Studies. Vol 5. 2015-08. <XXX>.

The Prediction of Code Clone Quality Based on Bayesian Network[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Uses Specific CWE InfoMakes use of specific information from CWE.]

Dongrui Liu, Dongsheng Liu, Liping Zhang, Min Hou and Chunhui Wang. "The Prediction of Code Clone Quality Based on Bayesian Network". No. 4. International Journal of Software Engineering and Its Applications. Vol. 10. 2016. <http://www.sersc.org/journals/IJSEIA/vol10_no4_2016/5.pdf>.

The weak point: A framework to enhance operational mission data systems security[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Uses Specific CWE InfoMakes use of specific information from CWE.]

Daniel Fischer, Mariella Spada, Jean-François Job, Tom Leclerc, Cedric Mauny and Jeremy Thimont. "The weak point: A framework to enhance operational mission data systems security". IEEE Aerospace Conference. 2015-03. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7118924&tag=1>.

Theorem Prover Based Static Analyzer: Comparison Analysis Between ESC/Java2 and KeY[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Standard IdentifierUses CWE IDs as a standard Identifier system.]

Aneesa Saeed and S.H.A. Hamid. "Theorem Prover Based Static Analyzer: Comparison Analysis Between ESC/Java2 and KeY". Volume 315, Chapter 68. Advanced Computer and Communication Engineering Technology. pp. 727 - 737. Springer International Publishing. 2015-01. <http://rd.springer.com/chapter/10.1007/978-3-319-07674-4_68#>.

They Know Your Weaknesses – Do You? : Reintroducing Common Weakness Enumeration[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Yan Wu, Irena Bojanova and Yaacov Yesha. "They Know Your Weaknesses – Do You? : Reintroducing Common Weakness Enumeration". Supply Chain Assurance. CrossTalk. September/October 2015. <http://static1.1.sqspcdn.com/static/f/702523/26523304/1441780301827/201509-Wu.pdf>.

Towards An Analysis of Software Supply Chain Risk Management[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Shixian Du, Tianbo Lu, Lingling Zhao, Bing Xu, Xiaobo Guo and Hongyu Yang. "Towards An Analysis of Software Supply Chain Risk Management". Proceedings of the World Congress on Engineering and Computer Science (Vol. 1). 2013-10. <http://www.iaeng.org/publication/WCECS2013/WCECS2013_pp162-167.pdf>.

Towards Vulnerability Discovery Using Staged Program Analysis[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Bhargava Shastry, Fabian Yamaguchi, Konrad Rieck and Jean-Pierre Seifert. "Towards Vulnerability Discovery Using Staged Program Analysis". Braunschweig University of Technology. 2016-04. <https://pdfs.semanticscholar.org/340b/d3f7405e7ba7182db9369e951f8722bba2cd.pdf>.

Trustwave Spiderlabs[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

"CWE the VOTE". SpiderLabs Blog. Trustwave. 2012-11-06. <http://blog.spiderlabs.com/2012/11/cwe-the-vote.html>.

Using CAPEC for Risk-Based Security Testing[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Fredrik Seehusen. "Using CAPEC for Risk-Based Security Testing". Springer International Publishing Switzerland. 2015. <http://rd.springer.com/content/pdf/10.1007%2F978-3-319-26416-5_6.pdf>.

Vulnerability Analysis and Development of Secure Coding Rules for PHP[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

KyungSook Han, Wooyeol Park, Ilgwon Yang, Changhwan Son and Changwoo Pyo. "Vulnerability Analysis and Development of Secure Coding Rules for PHP". Transactions on Computing Practices. Korean Institute of Information Scientists and Engineers (KIISE). 2015. <http://dx.doi.org/10.5626/KTCP.2015.21.11.721>.

Vulnerability Analysis of A Device Connected to The Internet[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Harish Pichukala and K P Raghuraman. "Vulnerability Analysis of A Device Connected to The Internet". Vol. 2, Issue 4. International Journal of Advanced Research in Computer Science & Technology (IJARCST). 2014 October - December. <http://ijarcst.com/doc/vol2-issue4/ver.1/harish_p.pdf>.

Web Application Defender's Cookbook: Battling Hackers and Protecting Users[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Ryan C. Barnett. "Web Application Defender's Cookbook: Battling Hackers and Protecting Users". Wiley. 2013. <http://books.google.com/books?id=flC9dFFLWIsC&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

What Does OWASP Top 10 Coverage Mean to You…and Do You Have It?[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

David Lindsay. "What Does OWASP Top 10 Coverage Mean to You…and Do You Have It?". Software Testing. Coverity, Inc. 2014-03-24. <http://blog.coverity.com/2014/03/24/owasp-top-10-coverage/#.VfcM4BFVhBc>.

What Every Engineer Should Know About Cyber Security and Digital Forensics[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Joanna F. DeFranco. "What Every Engineer Should Know About Cyber Security and Digital Forensics". CRC Press. 2013. <http://books.google.com/books?id=TWpmAQAAQBAJ&printsec=frontcover&source=gbs_ge_summary_r&cad=0#v=onepage&q&f=false>.

Total: 31

Government

A Proven Methodology for Developing Secure Software and Applying It to Ground Systems[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Brandon Bailey. "A Proven Methodology for Developing Secure Software and Applying It to Ground Systems". NASA Goddard Space Flight Center. 2016-02. <http://hdl.handle.net/2060/20160003695>.

A Test Suite for Basic CWE Effectiveness[Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Paul E. Black. "A Test Suite for Basic CWE Effectiveness". SAMATE - Software Assurance Metrics and Tool Evaluation. National Institute of Standards and Technology (NIST). 2013-03. <https://buildsecurityin.us-cert.gov/sites/default/files/Paul-Black-basic-CWE-Effect-SwAForum-Mar-2013.pdf>.

Addressing Software Security[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Brandon Bailey. "Addressing Software Security". NASA Goddard Space Flight Center. 2015-11. <http://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20150023414.pdf>.

CDM Vulnerability Management (VUL) Capability[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Uses Specific CWE InfoMakes use of specific information from CWE.]

"CDM Vulnerability Management (VUL) Capability". Vulnerability Management – Continuous Diagnostics and Mitigation. Department of Homeland Security, Office of Cybersecurity and Communications. 2013. <https://www.us-cert.gov/sites/default/files/cdm_files/Intro_to_VUL.pdf>.

CIO Mobile Security Reference Architecture[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

"Mobile Security Reference Architecture". v1.0. Federal CIO Council and Department of Homeland Security National Protection and Program Directorate Office of Cybersecurity and Communications Federal Network Resilience. 2013-05-23. <https://cio.gov/wp-content/uploads/downloads/2013/05/Mobile-Security-Reference-Architecture.pdf>.

Computer Security Division: Annual Report 2014[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Patrick O’Reilly, Larry Feldman and Greg Witte. "Computer Security Division: Annual Report 2014". Revision 4. NIST Special Publication. 800-53. CSD Publications. 2015-8. <http://dx.doi.org/10.6028/NIST.SP.800-176>.

Context Model Fusion for Multistage Network Attack Simulation[Standard IdentifierUses CWE IDs as a standard Identifier system., and Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Stephen Moskal, Ben Wheeler, Derek Kreider, Michael E. Kuhl and Shanchieh Jay Yang. "Context Model Fusion for Multistage Network Attack Simulation". Military Communications Conference (MILCOM). pp. 158 - 163. IEEE. 2014-10-06. <http://ieeexplore.ieee.org/xpls/icp.jsp?arnumber=6956753&tag=1>.

Continuous Diagnostics and Mitigation (CDM)[Uses Specific CWE InfoMakes use of specific information from CWE., and Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID.]

"Continuous Diagnostics and Mitigation (CDM)". Version 1.0. CDM Training Modules. Department of Homeland Security (DHS). 2014-09-29. <https://www.us-cert.gov/sites/default/files/cdm_files/VulnerabilityManagementImplementation.pdf>.

CSIS Commission on Cybersecurity[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

"Technical Proficiency Matters". A Human Capital Crisis in Cybersecurity. A White Paper of the CSIS Commission on Cybersecurity for the 44th Presidency. Center for Strategic & International Studies (CSIS). 2010-07. <http://csis.org/files/publication/100720_Lewis_HumanCapital_WEB_BlkWhteVersion.pdf>.

DHS CAESARS[Standard IdentifierUses CWE IDs as a standard Identifier system.]

"Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report (CAESARS)". Version 1.8. Document No. MP100146. Department of Homeland Security Federal Network Security Branch. 2010-09. <https://www.dhs.gov/xlibrary/assets/fns-caesars.pdf>.

DHS NCS FISMA Reporting Metrics FY2012[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Standard IdentifierUses CWE IDs as a standard Identifier system.]

"Chief Information Officer Federal Information Security Management Act Reporting Metrics". FY 2012. US Department of Homeland Security National Cyber Security Division Federal Network Security. 2012-02-14. <https://www.dhs.gov/xlibrary/assets/nppd/ciofismametricsfinal.pdf>.

DHS NCS FISMA Reporting Metrics FY2013[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Standard IdentifierUses CWE IDs as a standard Identifier system.]

"Chief Information Officer Federal Information Security Management Act Reporting Metrics". FY 2013. US Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience. 2012-11-30. <https://www.dhs.gov/sites/default/files/publications/FY13%20CIO%20FISMA%20Metrics.pdf.pdf>.

Establishing and Maintaining Trust for an Airborne Network[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Djenana Campara. "Establishing and Maintaining Trust for an Airborne Network". AFRL-RY-WP-TR-2014-0251. Defense Technical Information Center - Science & Technology (DTIC). Air Force Research Laboratory – Sensors Directorate. December 2014. <http://www.dtic.mil/dtic/tr/fulltext/u2/a614972.pdf>.

General Requirements of a Hybrid-Modeling Framework for Cyber Security[Standard IdentifierUses CWE IDs as a standard Identifier system.]

Alessandro Oltramari, Noam Ben-Asher, Lorrie Cranor, Lujo Bauer and Nicolas Christin. "General Requirements of a Hybrid-Modeling Framework for Cyber Security". Military Communications Conference (MILCOM). pp. 129 - 135. IEEE. 2014-10-06. <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6956749&tag=1>.

MINESTRONE[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID.]

Columbia University:, Salvatore Stolfo, Angelos D. Keromytis, Junfeng Yang, Dimitris Geneiatakis, Michalis Polychronakis, Georgios Portokalidis, AUTHOR, AUTHOR, Kangkook Jee, Vasileios P. Kemerlis, George Mason University:, Angelos Stavrou, Dan Fleck, Symantec:, Nathan Evans, Matthew Elder and Azzedine Benameur. "MINESTRONE". AFRL-RY-WP-TR-2015-0002. Air Force Research Laboratory - Sensors Directorate. IARPA Public Affairs Office (PAO). 2015-03. <http://samate.nist.gov/SARD/resources/STONESOUP_AFRL-RY-WP-TR-2015-0002.pdf>.

NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Smart Grid and Cyber-Physical Systems Program Office and Energy and Environment Division, Engineering Laboratory in collaboration with Physical Measurement Laboratory and Information Technology Laboratory. "NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0". Release 3.0. NIST Special Publication (Draft). 1108. National Institute of Standards and Technology (NIST). 2014-05. <http://www.nist.gov/smartgrid/upload/Draft-NIST-SG-Framework-3.pdf>.

NSA CAS Analyzing Static Analysis Tools[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., and Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID.]

"On Analyzing Static Analysis Tools". The National Security Agency (NSA) Center for Assured Software (CAS). 2011-07-26. <http://media.blackhat.com/bh-us-11/Willis/BH_US_11_WillisBritton_Analyzing_Static_Analysis_Tools_WP.pdf>.

NSA IAD CAS Stick to Facts II[Standard IdentifierUses CWE IDs as a standard Identifier system., and Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID.]

"Sticking to the Facts II: Scientific Study of Static Analysis Tools". SATE IV Workshop. National Security Agency (NSA) Information Assurance Division (IAD) Center for Assured Software (CAS). 2012-03-29. <http://samate.nist.gov/docs/SATE4/SATE%20IV%206%20Stick%20to%20Facts%20II%20Erno.pdf>.

PPP Outline and Guidance[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Standard IdentifierUses CWE IDs as a standard Identifier system.]

Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics. "Program Protection Plan Outline & Guidance". Version 1.0. Deputy Assistant Secretary of Defense Systems Engineering. 2011-07-18. <http://www.acq.osd.mil/se/docs/PPP-Outline-and-Guidance-v1-July2011.docx>.

PPP Software Assurance Chapter[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Standard IdentifierUses CWE IDs as a standard Identifier system.]

Office of Assistant Secretary of Defense for Research and Engineering. "Defense Acquisition Guidebook - Your Acquisition Policy and Discretionary Best Practice Guide". PPP Software Assurance Chapter. DAU Information Systems Service Center (ISSC). 2013-09-17. <https://acc.dau.mil/dag13.7.3>.

Practical Identification of SQL Injection Vulnerabilities[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Uses Specific CWE InfoMakes use of specific information from CWE.]

Chad Dougherty. "Practical Identification of SQL Injection Vulnerabilities". United States Computer Emergency Readiness Team (US-CERT). Carnegie Mellon University. 2012. <https://www.us-cert.gov/sites/default/files/publications/Practical-SQLi-Identification.pdf>.

Preventing Exploits against Software of Uncertain Provenance (PEASOUP)[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

David Melski. "Preventing Exploits against Software of Uncertain Provenance (PEASOUP)". AFRL-RY-WP-TR-2015-0017. Air Force Research Laboratory - Sensors Directorate. USAF 88th Air Base Wing (88 ABW) Public Affairs Office (PAO). 2015-05. <http://samate.nist.gov/SRD/resources/STONESOUP_RYWA-Y0LG-AFRL-RY-WP-TR-2015-0017_FINAL.pdf>.

Public Safety Mobile Application Security Requirements Workshop Summary[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Michael Ogata, Barbara Guttman and Nelson Hastings. "Public Safety Mobile Application Security Requirements Workshop Summary". National Institute of Standards and Technology Internal Report 8018 (NISTIR). 8018. National Institute of Standards and Technology (NIST). 2015-01. <http://dx.doi.org/10.6028/NIST.IR.8018>.

Req Challenges SC Threats[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Paul R. Popick and Melinda Reed. "Requirements Challenges in Addressing Malicious Supply Chain Threats". Vol. 16, Issue 2. INCOSE INSIGHT. International Council on Systems Engineering (INCOSE). 2013-07. <http://www.acq.osd.mil/se/docs/ReqChallengesSCThreats-Reed-INCOSE-Vol16-Is2.pdf>.

Software Assurance Reference Dataset (SARD)[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Multiple Authors. "Software Assurance Reference Dataset (SARD)". Version 4.6. Information Technology Laboratory, Software and Systems Division. The National Institute of Standards and Technology (NIST). last update 2015-07-06. <http://samate.nist.gov/SARD/testsuite.php>.

SSE-Language-for-TSN-in-DoD-RFPs[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, and Standard IdentifierUses CWE IDs as a standard Identifier system.]

Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer. "Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals". DoD. 2014-01. <http://www.acq.osd.mil/se/docs/SSE-Language-for-TSN-in-DoD-RFPs.pdf>.

Standards and Tools for Exchange and Processing of Actionable Information Inventory[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

This document was created by the CERT capability team at ENISA in consultation with CERT Polska / NASK (Poland). "Standards and Tools for Exchange and Processing of Actionable Information Inventory". European Union Agency for Network and Information Security. November 2014. <https://www.enisa.europa.eu/activities/cert/support/actionable-information/standards-and-tools-for-exchange-and-processing-of-actionable-information/at_download/fullReport>.

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer. "Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals". Deputy Assistant Secretary of Defense. 2014 January. <http://www.acq.osd.mil/se/docs/SSE-Language-for-TSN-in-DoD-RFPs.pdf>.

Supply Chain Risk Management Practices for Federal Information Systems and Organizations[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Jon Boyens, Celia Paulsen, Rama Moorthy and Nadya Bartol. "Supply Chain Risk Management Practices for Federal Information Systems and Organizations". NIST Special Publication (SP). 800-161. National Institute of Standards and Technology (NIST). 2015-04. <http://dx.doi.org/10.6028/NIST.SP.800-161>.

SwA-CM-in-PPP[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Standard IdentifierUses CWE IDs as a standard Identifier system., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Deputy Assistant Secretary of Defense for Systems Engineering and Department of Defense Chief Information Officer. "Software Assurance Countermeasures in Program Protection Planning". DoD. 2014-03. <http://www.acq.osd.mil/se/docs/SwA-CM-in-PPP.pdf>.

Vulnerabilities in Bytecode Removed by Analysis, Nuanced Confinement and Diversification (VIBRANCE)[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Kestrel Institute:, Alessandro Coglio, Marcel Becker, Stephen Fitzpatrick, Limei Gilham, Cordell Green, Eric McCarthy, Kestrel Technology, LLC:, Henny Sipma, Matthew Barry, Anca Browne, Eric Bush, Doug Smith, Arnaud Venet, MIT CSAIL:, Martin Rinard, Jeff Perkins, Jordan Eikenberry, Douglas Kramm, Paolo Piselli, Daniel Willenson, Sasa Misailovic, Fan Long, Michael Carbin, DOLL Inc.:, Robert Laddaga, Paul Robertson and Prakash Manghwani. "Vulnerabilities in Bytecode Removed by Analysis, Nuanced Confinement and Diversification (VIBRANCE)". AFRL-RY-WP-TR-2015-0019. Air Force Research Laboratory Sensors Directorate. USAF 88th Air Base Wing (88 ABW) Public Affairs Office (PAO). 2015-06. <http://samate.nist.gov/SARD/resources/STONESOUP_RYWA-Y0LH-AFRL-RY-WP-TR-2015-0019_FINAL.pdf>.

Total: 36

Academia

A Comparison of Software Design Security Metrics[Standard IdentifierUses CWE IDs as a standard Identifier system.]

Daniel Mellado, Eduardo Fernández-Medina and Mario Piattini. "A Comparison of Software Design Security Metrics". University of Castilla-La Mancha. 2010. <http://dbonline.igroupnet.com/ACM.FT/1850000/1842797/p236-mellado.pdf>.

A Cyber Attack Modeling and Impact Assessment Framework[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Igor Kotenko and Andrey Chechulin. "A Cyber Attack Modeling and Impact Assessment Framework". Cyber Conflict (CyCon), 2013 5th International Conference. IEEE. June 2013. <https://ccdcoe.org/cycon/2013/proceedings/d1r2s3_kotenko.pdf>.

Analysis and recommendations for standardization in penetration testing and vulnerability assessment: Penetration testing market survey[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

William Knowles, Alistair Baron and Tim McGarr. "Analysis and recommendations for standardization in penetration testing and vulnerability assessment: Penetration testing market survey". E-print Network. BSI Group, Inc. 2015-01. <http://eprints.lancs.ac.uk/74275/1/Penetration_testing_online_2.pdf>.

Categorizing Code Complexities in Support of Analysis[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid, Specific CWE IDs UsedDiscusses specific CWE issues by their CWE ID., and Uses Specific CWE InfoMakes use of specific information from CWE.]

Yan Wu and Frederick Tim Boland. 11th International Conference on Cyber Warfare and Security: ICCWS2016. Reading: Academic Conferences International Limited. 2016. <http://search.proquest.com/openview/16016445fbacbcbcb07646a9c459b9f1/1?pq-origsite=gscholar&cbl=396500>.

CERT CMU/SEI-2009-SR-001[Knowledge SourceUses CWE as a Knowledge Catalog of Issues to Avoid]

Nancy R. Mead, Julia H. Allen, W. Arthur Conklin, Antonio Drommi, John Harrison, Jeff Ingalsbe, James Rainey and Dan Shoemaker. "Making the Business Case for Software Assurance". Special Report. CMU/SEI-2009-SR-001. Software Engineering Institute (SEI) Carnegie Mellon. 2009-04. <http://www.cert.org/archive/pdf/09sr001.pdf>.

CLABUREDB: Classified Bug-Reports Database [Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Jiri Slaby, Jan Strejček and Marek Trtík. "CLABUREDB: Classified Bug-Reports Database". Volume 7737 of the series Lecture Notes in Computer Science. 14th International Conference, VMCAI 2013. pp 268-274. Springer Berlin Heidelberg. January 2013. <http://www.fi.muni.cz/~xstrejc/publications/vmcai2013preprint.pdf>.

CMU/SEI-2007-TN-025 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Carol Woody, PhD. "Process Improvement Should Link to Security: SEPG 2007 Security Track Recap". Technical Note. CMU/SEI-2007-TN-025. Software Engineering Institute (SEI) Carnegie Mellon. 2007-09. <http://repository.cmu.edu/sei/22/>.

CMU/SEI-2010-TN-016 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Robert J. Ellison, John B. Goodenough, Charles B. Weinstock and Carol Woody. "Evaluating and Mitigating Software Supply Chain Security Risks". Technical Note. CMU/SEI-2010-TN-016. Software Engineering Institute (SEI) Carnegie Mellon. 2010-05. <http://repository.cmu.edu/sei/22/>.

CMU/SEI-2010-TN-026 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee and Carol C. Woody. "Software Supply Chain Risk Management: From Products to Systems of Systems". Research Showcase. CMU/SEI-2010-TN-026. Software Engineering Institute (SEI) Carnegie Mellon. 2010-12-01. <http://repository.cmu.edu/sei/603/>.

CMU/SEI-2010-TR-015 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Fred Long, Dhruv Mohindra, Robert Seacord and David Svoboda. "Java Concurrency Guidelines". Technical Report. CMU/SEI-2010-TR-015. Software Engineering Institute (SEI) Carnegie Mellon. 2010-05-01. <http://repository.cmu.edu/sei/18/>.

CMU/SEI-2010-TR-028 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Lisa Brownsword, Carol C. Woody, PhD, Christopher J. Alberts and Andrew P. Moore. "A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project". Technical Report. CMU/SEI-2010-TR-028. Software Engineering Institute (SEI) Carnegie Mellon. 2010-08. <http://repository.cmu.edu/sei/1/>.

CSIIR [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

Ju An Wang, Minzhe Guo, Hao Wang, Min Xia and Linfeng Zhou. "Ontology-based Security Assessment for Software Products". 8th Cyber Security and Information Intelligence Research Workshop. Southern Polytechnic State University Cyberspace Sciences and Information Intelligence Research Group. 2009. <http://csiir.ornl.gov/csiirw/09/CSIIRW09-Proceedings/Abstracts/Wang-abstract.pdf>.

Design of Exploitable Automatic Verification System for Secure Open Source Software [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Bumryong Kim, Jun-ho Song, Jae-Pye Park and Moon-seog Jun. "Design of Exploitable Automatic Verification System for Secure Open Source Software". Lecture Notes in Electrical Engineering in Advances in Computer Science and Ubiquitous Computing, CSA&CUTE. Volume 373. 2015-12. <http://rd.springer.com/content/pdf/10.1007%2F978-981-10-0281-6_40.pdf>.

Detecting Logic Vulnerabilities in E-Commerce Applications [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Fangqi Sun, Liang Xu and Zhendong Su. "Detecting Logic Vulnerabilities in E-Commerce Applications". University of California Davis. 2014. <http://sun.cs.ucdavis.edu/papers/ndss14_logic.pdf>.

DOI 10.1109/DASC.2011.42 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Aleem Khalid Alvi and Mohammad Zulkernine. "A Natural Classification Scheme for Software Security Patterns". 2011 Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing. DOI 10.1109/DASC.2011.42. IEEE Computer Society. 2011-12-12. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6118361&tag=1>.

DOI 10.1109/HICSS.2010.313 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Ju An Wang, Minzhe Guo, Hao Wang, J. Camargo and Linfeng Zhou. "Ranking Attacks Based on Vulnerability Analysis". 2010 43rd Hawaii International Conference on System Sciences (HICSS). DOI 10.1109/HICSS.2010.313. IEEE Computer Society. 2010. <http://xplqa30.ieee.org/stamp/stamp.jsp?tp=&arnumber=5428663>.

Evaluating a Method to Develop and Rank Abuse Cases based on Threat Modeling, Attack Patterns and Common Weakness Enumeration [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Imano Williams. "Evaluating a Method to Develop and Rank Abuse Cases based on Threat Modeling, Attack Patterns and Common Weakness Enumeration". Master of Science Thesis. North Carolina Agricultural and Technical State University. 2015. <http://search.proquest.com/docview/1761832676>.

Herodotos: A Tool to Expose Bugs' Lives [Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Nicolas Palix, Julia Lawall and Gilles Muller. "Herodotos: A Tool to Expose Bugs' Lives". Version 1. Domain 3: Networks, Systems and Services, Distributed Computing. Regal Project-Team. inria-00406306. Institut National de Recherche en Informatique et en Automatique. 2009-06-21. <http://hal.inria.fr/docs/00/40/63/06/PDF/RR-6984.pdf>.

Hunting bugs with Coccinelle [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Henrik Stuart. "Hunting bugs with Coccinelle". 2008-08-08. <http://www.emn.fr/z-info/coccinelle/stuart_thesis.pdf>.

Introduction to the Security Engineering Risk Analysis (SERA) Framework [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Christopher Alberts, Carol Woody and Audrey Dorofee. "Introduction to the Security Engineering Risk Analysis (SERA) Framework". Technical Note CMU/SEI-2014-TN-025. Carnegie Mellon Software Engineering Institute - CERT Division. 2014-11. <http://www.dtic.mil/dtic/tr/fulltext/u2/a617945.pdf>.

Klocwork - Secure Coding Learning Center [Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Secure Coding Learning Center. Klocwork Inc. <http://www.klocwork.com/elearning/secure-programming-courses/>.

Measuring Systems Security [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Jennifer Bayuk and Ali Mostashari. "Measuring Systems Security". No. 1. Systems Engineering. Vol. 16. Wiley Periodicals, Inc. 2012. <http://www.bayuk.com/publications/Bayuk-MeasuringSysSecurity.pdf>.

Ontology-Based Model of Network and Computer Attacks for Security Assessment [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

High Jianbo, Zhang Bao stable, Chen Xiaohua and Luo Zheng. "Ontology-Based Model of Network and Computer Attacks for Security Assessment". Journal of Shanghai Jiaotong University (Science). China Academic Journal. 2013-05. <http://www.cnki.com.cn/Article/CJFDTotal-TRAN201305007.htm>.

Ontology-based modeling of DDoS attacks for attack plan detection [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Uses Specific CWE Info (makes use of specific information from CWE)]

Morteza Ansarinia, Seyyed Amir Asghari, Afshin Souzani and Ahmadreza Ghaznavi. "Ontology-based modeling of DDoS attacks for attack plan detection". 2012 Sixth International Symposium on Telecommunications (IST). 2012-11-06. <http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6483131&tag=1>.

OVM: Ontology for Vulnerability Management [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

"OVM: Ontology for Vulnerability Management". SSE Lab School of Computing and Software Engineering Southern Polytechnic State University. 2009. <http://cse.spsu.edu/jwang/research/Ontology/main.html>.

Predicting Network Attacks Using Ontology-Driven Inference [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Uses Specific CWE Info (makes use of specific information from CWE)]

Ahmad Salahi and Morteza Ansarinia. "Predicting Network Attacks Using Ontology-Driven Inference". Volume 4, Issue 1. International Journal of Information and Communication Technology (IJICT). 2012-01. <http://arxiv.org/pdf/1304.0913v1>.

Predicting Software Assurance Using Quality and Reliability Measures [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Carol Woody, Ph.D., Robert Ellison, Ph.D. and William Nichols, Ph.D. "Predicting Software Assurance Using Quality and Reliability Measures". Technical Note CMU/SEI-2014-TN-026. Carnegie Mellon Software Engineering Institute - CERT Division/SSD. December 2014. <http://www.dtic.mil/dtic/tr/fulltext/u2/a617961.pdf>.

Security Application of Failure Mode and Effect Analysis (FMEA) [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Christoph Schmittner, Thomas Gruber, Peter Puschner and Erwin Schoitsch. "Security Application of Failure Mode and Effect Analysis (FMEA)". 33rd International Conference, SAFECOMP. pp 310-325. Springer International Publishing. September 2014. <http://www.arrowhead.eu/wp-content/uploads/2013/03/FMVEA_camera_ready.pdf>.

Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter? [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Hannes Holm. "Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?". 2014 47th Hawaii International Conference on System Sciences (HICSS). pages 4895-4904. IEEE. 2014-01. <http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6759203>.

Strategies for Secure Software Development [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

Sydney Pratte, Shena Fortozo, Gellert Kispal, Adesh Banvait, Alaa Azazi and Naomi Hiebert. "Strategies for Secure Software Development". University of Calgary. 2013. <http://kremer.cpsc.ucalgary.ca/courses/seng403/W2013/papers/08SoftwareSecurity.pdf>.

Supporting Situationally Aware Cybersecurity Systems [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Zareen Syed, Tim Finin, Ankur Padia and Lisa Mathews. "Supporting Situationally Aware Cybersecurity Systems". University of Maryland Baltimore County. 2015-09. <http://ebiquity.umbc.edu/_file_directory_/papers/778.pdf>.

TA-CS03 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Pascal Meunier. "Classes of Vulnerabilities and Attacks". Wiley Handbook of Science and Technology for Homeland Security. Technical article - CS03. The Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University. 2007. <https://pdfs.semanticscholar.org/9ce1/2453bf02653d5bcc3f6b7cd9db2e29cd6f16.pdf>.

The Impact of Contextual Factors on the Security of Code [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Carol Woody, Ph.D. and Dan Shoemaker, Ph.D. "The Impact of Contextual Factors on the Security of Code". Defense Technical Information Center - Science & Technology (DTIC). Carnegie Mellon Software Engineering Institute - CERT Division/SSD. 2014-12. <http://www.dtic.mil/dtic/tr/fulltext/u2/a617283.pdf>.

The Knowledge Based Authentication Attacks [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Farnaz Towhidi, Azizah Abdul Manaf, Salwani Mohd Daud and Arash Habibi Lashkari. "The Knowledge Based Authentication Attacks". The 2011 World Congress in Computer Science, Computer Engineering, and Applied Computing. Universidad Nacional de La Plata. 2013-05. <http://weblidi.info.unlp.edu.ar/WorldComp2011-Mirror/SAM8123.pdf>.

Using Malware Analysis to Tailor SQUARE for Mobile Platforms [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Gregory Paul Alice and Nancy R. Mead. "Using Malware Analysis to Tailor SQUARE for Mobile Platforms". Technical Note. CMU/SEI-2014-TN-018. Software Engineering Institute (SEI) Carnegie Mellon. 2014-11. <http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=425994>.

Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed? [Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

James A. Kupsch and Barton P. Miller. "Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?". Version 1.3. Software Assurance Marketplace (SWAMP). University of Wisconsin in Madison, Wisconsin, USA. 2014-05-16. <https://continuousassurance.org/swamp/SWAMP-Heartbleed-White-Paper-22Apr2014-current.pdf>.

Total: 11

Policy/Guidance

CISQ-TR-2012-01 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

"CISQ Specifications for Automated Quality Characteristic Measures". CISQ–TR–2012–01. Consortium for IT Software Quality (CISQ). 2012. <http://it-cisq.org/wp-content/uploads/2012/09/CISQ-Specification-for-Automated-Quality-Characteristic-Measures.pdf>.

DHS CSSP Common Cybersecurity Vulnerabilities ICS [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

"DHS Control Systems Security Program (CSSP) Common Cybersecurity Vulnerabilities in Industrial Control Systems". 2011-05. <http://ics-cert.us-cert.gov/sites/default/files/documents/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf>.

Gauging the Impact of FISMA on Software Security[]

Robin A Gandhi, Keesha Crosby, Harvey Siy and Sayonnha Mandal. "Gauging the Impact of FISMA on Software Security". Volume:47, Issue:9. Computer. pp. 103 - 107. IEEE Computer Society. 2014-09. <http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6898784&tag=1>.

SAFECode Development Practices [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Stacy Simpson, Mark Belk, Matt Coles, Cassio Goldschmidt, Michael Howard, Kyle Randolph, Mikko Saario, Reeny Sondhi, Izar Tarandach, Antti Vähä-Sipilä and Yonko Yonchev. "A Guide to the Most Effective Secure Development Practices in Use Today". 2nd Edition. Fundamental Practices for Secure Software Development. Software Assurance Forum for Excellence in Code (SAFECode). 2011-02-08. <https://safecode.org/publication/SAFECode_Dev_Practices0211.pdf>.

SAFECode Security for Agile [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Vishal Asthana, Izar Tarandach, Niall O'Donoghue, Bryan Sullivan and Mikko Saario. "Practical Security Stories and Security Tasks for Agile Development Environments". Software Assurance Forum for Excellence in Code (SAFECode). 2012-07-17. <http://www.safecode.org/publications/SAFECode_Agile_Dev_Security0712.pdf>.

SANS Exchanging Assessment Results [Standard Identifier (uses CWE IDs as a standard identifier system)]

Jason Lam. "Exchanging and sharing of assessment results". SANS Software Security with Frank Kim - AppSec Blog. The SANS Institute. 2010-11-19. <http://software-security.sans.org/blog/2010/11/19/exchanging-sharing-assessment-results/>.

SANS SWAT Checklist [Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

"Securing Web Application Technologies (SWAT) Checklist". 23rd Edition. Securing the Human. Winter 2013. The SANS Institute. 2010. <http://www.securingthehuman.org/developer/swat>.

SANS SWAT Poster [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

"Securing Web Application Technologies (SWAT) Checklist". 23rd Edition. Security Awareness Roadmap Poster. Winter 2013. The SANS Institute. 2010. <http://software-security.sans.org/downloads/appsec_keys.pdf>.

SANS Top 35 Secure Development Techniques [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

Johannes Ullrich, PhD, Jason D. Montgomery, David Rice, Frank Kim, Rohit Sethi and Robert Seacord. "Top 35 Secure Development Techniques and Common Security Errors in Programming". 19th Edition. Keys to Building a Great Application Security Program. Spring 2010. The SANS Institute. 2010. <http://software-security.sans.org/downloads/appsec_keys.pdf>.

STONESOUP [Standard Identifier (uses CWE IDs as a standard identifier system)]

Dr. Carl Landwehr. "Securely Taking On New Executable Software of Uncertain Provenance". STONESOUP Proposers Day. IARPA-BAA-09-08. Intelligence Advanced Research Projects Activity (IARPA), Safe and Secure Operations Office, Office of the Director of National Intelligence, Intelligence Advanced Research Projects Activity. <http://www.iarpa.gov/Programs/sso/STONESOUP/presentations/Stonesoup_Proposer_Day_Brief.pdf>.

SwA Pocket Guide [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

"Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses". Version 2.4. Software Assurance (SwA) Pocket Guide Series: Development. Volume II. DHS NCSD Software Assurance Community Resources and Information Clearinghouse. 2012-11-01. <ftp://ftp.sei.cmu.edu/pub/pruggiero/bsi-swa/1/KeyPracticesMWV22_20121101.pdf>.

Total: 8

Reference

CERT/CC VNDB [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

CERT/CC Vulnerability Notes Database. Software Engineering Institute (SEI) Carnegie Mellon. <http://www.kb.cert.org/vuls/>.

High-Tech Bridge [Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

"CWE Vulnerabilities Glossary". Research. High-Tech Bridge. <https://www.htbridge.com/vulnerability/>.

NIST NVD [Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

National Vulnerability Database (NVD). National Institute of Standards and Technology (NIST). <http://nvd.nist.gov/cwe.cfm>.

NIST SAMATE [Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

"NIST SAMATE Reference Dataset Project". SAMATE - Software Assurance Metrics And Tool Evaluation. National Institute of Standards and Technology (NIST). <http://samate.nist.gov/SRD/>.

OWASP ESAPI [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

"ESAPI control coverage of CWEs". Enterprise Security API (ESAPI). The Open Web Application Security Project (OWASP). <https://www.owasp.org/index.php/CWE_ESAPI>.

OWASP Top 10 (2010) [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

"OWASP Top 10". 2010. The Open Web Application Security Project (OWASP). <https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#OWASP_Top_10_for_2010>.

OWASP Top 10 (2013) [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

"OWASP Top 10". 2013. The Open Web Application Security Project (OWASP). <https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#OWASP_Top_10_for_2013>.

WASC TC [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

"WASC Threat Classification". Version 2.00. The Web Application Security Consortium (WASC). 2010-01-01. <http://projects.webappsec.org/f/WASC-TC-v2_0.pdf>.

Total: 23

Standards

ISO/IEC 24772 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

"Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use". 2013. ISO/IEC TR 24772. ISO. <http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=61457>.

ISO/IEC 29147:2014 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

"ISO/IEC 29147:2014 Information Technology -- Security Techniques -- Vulnerability Disclosure". ISO. 2014. <http://www.iso.org/iso/catalogue_detail.htm?csnumber=45170>.

ISO/IEC TR 20004:2012 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Uses Specific CWE Info (makes use of specific information from CWE)]

"ISO/IEC TR 20004:2012 Information Technology -- Security Techniques -- Refining Software Vulnerability Analysis under ISO/IEC 15408 and ISO/IEC 18045". ISO. 2012. <http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50951>.

ITU-T X.1524 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

"Common weakness enumeration". SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange – Vulnerability/state exchange. Recommendation ITU-T X.1524. ITU-T Telecommunication Standardization Sector of ITU. 2012-03. <http://www.itu.int/rec/T-REC-X.1524-201203-I/en>.

ITU-T X.1544 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

"Common attack pattern enumeration and classification". SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange – Event/incident/heuristics exchange. Recommendation ITU-T X.1544. ITU-T Telecommunication Standardization Sector of ITU. 2013-04. <http://www.itu.int/rec/T-REC-X.1544-201304-I>.

NIST SP 500-268 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Elizabeth N. Fong, Paul E. Black, Michael J. Kass and Hsiao-Ming M. Koo. "Source Code Security Analysis Tool Function Specification". Version 1.0. NIST Special Publication (NIST SP). 500-268. National Institute of Standards and Technology. 2007-05-01. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=51171>.

NIST SP 500-269 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Paul E. Black, Elizabeth N. Fong, Vadim Okun and Romain Gaucher. "Software Assurance Tools: Web Application Security Scanner Functional Specification". Version 1.0. NIST Special Publication (NIST SP). 500-269. National Institute of Standards and Technology. 2008-02-14. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=51294>.

NIST SP 500-270 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Hsiao-Ming M. Koo, Romain Gaucher, Charline Cleraux and Jenise Reyes Rodriguez. "Source Code Security Analysis Tool Test Plan". NIST Special Publication (NIST SP). 500-270. National Institute of Standards and Technology. 2011-10-04. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=908921>.

NIST SP 500-279 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID); Uses Specific CWE Info (makes use of specific information from CWE)]

Vadim Okun, Romain Gaucher and Paul E. Black. "Static Analysis Tool Exposition (SATE) 2008". NIST Special Publication (NIST SP). 500-279. National Institute of Standards and Technology. 2009-06-22. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=902679>.

NIST SP 500-283 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Vadim Okun, Paul E. Black and Aurelien M. Delaitre. "Report on the Third Static Analysis Tool Exposition (SATE 2010)". NIST Special Publication (NIST SP). 500-283. National Institute of Standards and Technology. 2011-10-27. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909407>.

NIST SP 500-297 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Vadim Okun, Aurelien M. Delaitre and Paul E. Black. "Report on the Static Analysis Tool Exposition (SATE) IV". NIST Special Publication (NIST SP). 500-297. National Institute of Standards and Technology. 2013-02-04. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912378>.

NIST SP 800-115 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Murugiah P. Souppaya and Karen A. Scarfone. "Technical Guide to Information Security Testing and Assessment". NIST Special Publication (NIST SP). 800-115. National Institute of Standards and Technology. 2008-09-30. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=152164>.

NIST SP 800-137 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Kelley L. Dempsey, L A. Johnson, Matthew A. Scholl, Kevin M. Stine, Alicia Clay Jones, Angela Orebaugh, Nirali S. Chawla and Ronald Johnston. "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations". NIST Special Publication (NIST SP). 800-137. National Institute of Standards and Technology. 2011-09-30. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909726>.

NIST SP 800-150 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Chris Johnson, Lee Badger and David Waltermire. "Guide to Cyber Threat Information Sharing (Draft)". Draft. NIST Special Publication (NIST SP). 800-150. National Institute of Standards and Technology. 2014-10. <http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf>.

NIST SP 800-153 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Murugiah P. Souppaya and Karen A. Scarfone. "Guidelines for Securing Wireless Local Area Networks (WLANs)". NIST Special Publication (NIST SP). 800-153. National Institute of Standards and Technology. 2012-02-21. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=910174>.

NIST SP 800-163 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Ronald S. Ross. "Security and Privacy Controls for Federal Information Systems and Organizations". NIST Special Publication (NIST SP). 800-163. National Institute of Standards and Technology. 2015-01. <http://dx.doi.org/10.6028/NIST.SP.800-163>.

NIST SP 800-53 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Ronald S. Ross. "Security and Privacy Controls for Federal Information Systems and Organizations". Revision 4. NIST Special Publication (NIST SP). 800-53. National Institute of Standards and Technology. 2013-04-30. <http://dx.doi.org/10.6028/NIST.SP.800-53r4>.

NISTIR 7435 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Peter M. Mell, Karen A. Scarfone and Sasha Romanosky. "The Common Vulnerability Scoring System (CVSS) and its Applicability to Federal Agency Systems". NIST Interagency/Internal Report (NISTIR). 7435. National Institute of Standards and Technology. 2007-08-30. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=51231>.

NISTIR 7622 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid)]

Jon M. Boyens, Celia Paulsen, Nadya Bartol, Rama Moorthy and Stephanie Shankles. "Notional Supply Chain Risk Management Practices for Federal Information Systems". NIST Interagency/Internal Report (NISTIR). 7622. National Institute of Standards and Technology. 2012-10-16. <http://dx.doi.org/10.6028/NIST.IR.7622>.

NISTIR 7628 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Annabelle Lee. "Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements". Vol. 1. NIST Interagency/Internal Report (NISTIR). 7628. National Institute of Standards and Technology. 2010-08-31. <http://www.nist.gov/customcf/get_pdf.cfm?pub_id=906224>.

NISTIR 7628 [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Uses Specific CWE Info (makes use of specific information from CWE)]

The Smart Grid Interoperability Panel - Smart Grid Cybersecurity Committee. "Guidelines for Smart Grid Cybersecurity Volume 1 - Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements". Revision 1. NISTIR. 7628. National Institute of Standards and Technology Interagency Report. 2014-09. <http://dx.doi.org/10.6028/NIST.IR.7628r1>.

NISTIR 7946 [Standard Identifier (uses CWE IDs as a standard identifier system); Specific CWE IDs Used (discusses specific CWE issues by their CWE ID)]

Joshua Franklin, Charles Wergin and Harold Booth. "CVSS Implementation Guidance". Draft. NIST Interagency/Internal Report (NISTIR). 7946. National Institute of Standards and Technology. 2013-09. <http://csrc.nist.gov/publications/drafts/nistir-7946/draft_nistir_7946.pdf>.

PCI DSS [Knowledge Source (uses CWE as a knowledge catalog of issues to avoid); Standard Identifier (uses CWE IDs as a standard identifier system)]

"Requirements and Security Assessment Procedures". Version 2.0. Payment Card Industry (PCI) Data Security Standard. PCI Security Standards Council. 2010-10. <https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf>.

Page Last Updated: June 03, 2019