CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


Industry News Coverage - 2007 Archive

Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

August 2007

BankInfoSecurity.com, August 2007

CWE Program Manager Robert A. Martin conducted a 10-minute podcast interview with BankInfoSecurity.com about CWE, CVE, and Making Security Measurable at Black Hat Briefings 2007. It is one of nine interviews from the event available at http://www.bankinfosecurity.com/podcasts.php?podcastID=53 (sign-up is required), or you may play or download the podcast now from the CWE Web site.

Computerworld, August 2, 2007

CWE was mentioned in an August 2, 2007 article entitled "Black Hat: NSA guru lauds security intelligence sharing" in Computerworld. The article, which was written by Matt Hines, originally appeared in InfoWorld on August 1, 2007.

InfoWorld, August 1, 2007

CWE was mentioned in an August 1, 2007 article entitled "NSA guru lauds security intelligence sharing" in InfoWorld. The main topic of the article was the Black Hat Briefings 2007 keynote by Tony Sager, Chief of the National Security Agency's Vulnerability Analysis and Operations Group, on how "U.S. government initiatives aimed at fostering the sharing of security intelligence throughout the federal space are helping to establish the community atmosphere and best practices necessary to help those agencies -- and private enterprises -- improve their network and applications defenses..." The article mentions both CWE and the Common Vulnerabilities and Exposures (CVE) project.

CWE is first mentioned in the article as follows: "A major element of the vision is pushing for standards that translate security intelligence into language that any organization can interpret, said Sager. He highlighted the Common Weakness Enumeration (CWE) project -- an effort aimed at creating a common language for identifying software vulnerabilities that is backed by the Department of Homeland Security and nonprofit Mitre -- as one example of the types of standards that are delivering on the NSA's goal."

CWE is mentioned again when the author states: "Robert Martin, head of Mitre's CVE (Common Vulnerability Exposures) compatibility effort and a contributor to the CWE initiative, said that momentum is building behind his organization's guidelines and helping many government and private entities to better understand and share their own practices. "With all these different pieces that are coming together, we are standardizing the basic concepts of security themselves as well as methods for reviewing and improving computing and networking systems," said Martin. "I see a future where a tapestry of tools, procedures, and processes are built over time that recognize and address the common problems that exist among all these constituencies." Martin said that Mitre's efforts to add new security policy frameworks will continue to improve as they mature and even more parties begin to contribute their intelligence to the initiatives."

The article was written by Matt Hines.

June 2007

Computerworld, June 26, 2007

CWE was mentioned in a June 26, 2007 article entitled "New tool for testing application security: Standards-based system to rate vulnerabilities" in Computerworld. The main topic of the article was Veracode, Inc.'s new Software Security Rating Service for assessing and identifying the severity and exploitability of software flaws.

CWE is mentioned when the author states: "To support its ratings service -- which customers can use to test the code of their own homegrown applications or those of third-party providers -- the company built a scoring system based on the CWE (Common Weakness Enumeration) classification, which has been forwarded by federally funded IT security watchdog Mitre, as well as the CVSS (Common Vulnerability Scoring System), which has been piloted by the FIRST (Forum of Incident Response and Security Teams) industry group."

Veracode is a member of the CWE Community page and its SecurityReview assessment service is listed in the CWE Compatibility and Effectiveness section. The article was written by Matt Hines and is a reprint of the article originally posted on InfoWorld, as noted below.

InfoWorld, June 25, 2007

CWE was mentioned in a June 25, 2007 article entitled "Veracode debuts system to test binary code: Standards-based method would allow enterprises to scan programs' binary code for problems before they are put into production" in InfoWorld. The main topic of the article was Veracode, Inc.'s new Software Security Rating Service for assessing and identifying the severity and exploitability of software flaws.

CWE is mentioned when the author states: "To support its ratings service — which customers can use to test the code of their own homegrown applications or those of third-party providers — the company built a scoring system based on the CWE (Common Weakness Enumeration) classification, which has been forwarded by federally funded IT security watchdog Mitre, as well as the CVSS (Common Vulnerability Scoring System), which has been piloted by the FIRST (Forum of Incident Response and Security Teams) industry group."

Veracode is a member of the CWE Community page and its SecurityReview assessment service is listed in the CWE Compatibility and Effectiveness section. The article was written by Matt Hines.

Veracode Web Site, June 25, 2007

CWE was mentioned in a June 25, 2007 news release by Veracode, Inc. entitled "Veracode Answers Industry Call For Security Insight with Industry's First Software Security Ratings Service" about their new Software Security Rating Service for assessing and identifying the severity and exploitability of software flaws.

CWE is first mentioned as being part of the foundation of the new service: "Veracode's Software Security Rating Service is based on respected industry standards including MITRE's Common Weakness Enumeration (CWE) for classification of software weaknesses and FIRST's Common Vulnerability Scoring System (CVSS) for severity and ease of exploitability." CWE is mentioned again when the release quotes CWE Technical Lead Steve Christey, who states: "We are pleased that Veracode, the first organization to declare Common Weakness Enumeration compatibility for CWE Coverage, CWE Output and CWE Searchable, is committed to promoting standards such as CWE. Early adopters such as Veracode play an important role in bringing clarity to the application security space for their customers."

Veracode is a member of the CWE Community page and its SecurityReview assessment service is listed in the CWE Compatibility and Effectiveness section.

April 2007

Network Computing, April 16, 2007

CWE was mentioned in an April 16, 2007 article entitled "Analysis: Automated Code Scanners" in Network Computing. The main focus of the article is that "...makers of automated source-code analysis tools are shifting their focus from commercial software vendors to enterprises. They say adopting their tools will let your developers build more secure software and meet the compliance burden. But are they up to the job?" The remainder of the article is a discussion of the author's review of "three popular static source-code analyzers," Fortify SCA (Source Code Analysis) 4.0, Klocwork K7.5 and Ounce Labs' Ounce 4.1.

CWE is mentioned in a section of the article entitled "Getting to the source" in reference to the "Vulnerability Type Distributions in CVE" white paper by CVE List Editor and CWE Technical Lead Steve Christey when the author states: "In particular, arithmetic vulnerabilities, such as integer overflows and type conversions, were usually missed or detected only at confidence levels that included an extremely high ratio of false positives. We found this a bit disconcerting given the growing trend in reports of these vulnerabilities--in fact, integer overflows rose to the No. 2 position in OS vendor advisories in 2006, just behind buffer overflows, according to Mitre's October Common Weakness Enumeration report (cwe.mitre.org/documents/vuln-trends/index.html#overall_trends)."

The article was written by Justin Schuh.

March 2007

The Register, March 29, 2007

CWE Technical Lead Steve Christey was quoted in a March 29, 2007 article entitled "Developers' secure-coding skill put to the test" on The Register about the National Secure Programming Skills Assessment (NSPSA) Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The author first references Christey, who is also editor of the CVE List, as follows: "Much of the problem is because computer programmers are not trained in secure programming methods in college courses, said Steve Christey, editor of the Common Vulnerability and Exposures (CVE) Project at MITRE." The author also quotes a written statement by Christey, who states: "Most educational institutions have failed to teach the most fundamental skills in making secure products. There needs to be a revolution." The article, which was written by Robert Lemos, also notes that the "[NSPSA] exam will be piloted in August in Washington D.C. and then rolled out worldwide during the remainder of 2007."

SecurityFocus, March 28, 2007

CWE Technical Lead Steve Christey was quoted in a March 28, 2007 article entitled "Groups team to test secure-coding skill" on SecurityFocus about the National Secure Programming Skills Assessment (NSPSA) Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The author first references Christey, who is also editor of the CVE List, as follows: "Much of the problem is because computer programmers are not trained in secure programming methods in college courses, said Steve Christey, editor of the Common Vulnerability and Exposures (CVE) Project at MITRE." The author also quotes a written statement by Christey, who states: "Most educational institutions have failed to teach the most fundamental skills in making secure products. There needs to be a revolution." The article, which was written by Robert Lemos, also notes that the "[NSPSA] exam will be piloted in August in Washington D.C. and then rolled out worldwide during the remainder of 2007."

TechTarget.com, March 27, 2007

CWE Technical Lead Steve Christey was quoted in a March 27, 2007 article entitled "SANS: New exam program about more secure code" on TechTarget.com about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. The author describes CVE as "[a program that] monitors all security vulnerabilities on behalf of the federal government" and includes a quote by Christey, who is also CVE List Editor, that the exam program was long overdue: "After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear: Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance." The article was written by Bill Brenner.

InformationWeek, March 26, 2007

CWE Technical Lead Steve Christey was quoted in a March 26, 2007 article entitled "Coalition Aims To Nip Software Bugs In The Bud" in InformationWeek about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. Christey, who is also CVE List Editor, states: "After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear. Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance." A second quote mentions that most colleges and universities don't teach programmers how to write secure code: "There needs to be a revolution. Secure programming examinations will help everyone draw the line in the sand, to say 'No more,' and to set minimum expectations for the everyday developer." The article was written by Sharon Gaudin.

Washington Post Web Site, March 26, 2007

CWE Technical Lead Steve Christey was referenced in a March 26, 2007 blog article entitled "Security Fix: They Say They Want a Revolution" on WashingtonPost.com about the National Secure Programming Skills Assessment Examination that will allow government and industrial employers to measure how well their programmers know how to avoid security errors in code they write. Christey, who is also CVE List Editor, is referenced as follows: "Educational institutions churn out computer science degrees to fresh faced graduates bursting with new ideas and skills to match, but how well do they hammer home the need to write software securely? Judging from the massive number of software vulnerabilities found each year, not very well at all. MITRE Corp., a nonprofit company maintaining one of the most authoritative catalogs of software security vulnerabilities, tracked more than 7,000 software security flaws in 2006, many of them Web application holes. Steve Christey, editor of MITRE's common vulnerability enumeration (CVE) database, said most of those bugs could have been found and squashed "very easily, using techniques that require very little expertise.""

Government Computer News, March 19, 2007

CWE was mentioned in a March 19, 2007 article entitled "All for one, but not one for all" in Government Computer News. The main focus of the article is a National Security Agency (NSA) study of the effectiveness of vulnerability assessment tools, which found that "Organizations trying to automate the process of testing software for vulnerabilities have no choice but to deploy a multitude of tools." The author quotes Kris Britton, technical director at NSA's Center for Assured Software, in describing the results: "No tool stands out as an uber-tool. Each [of the point solution tools] has its strengths and weaknesses."

CWE is mentioned in a discussion about how agreement on what a software weakness is will help the industry in its "quest to find a comprehensive, automated systems analysis of vulnerabilities." The author states: "Mitre Corp. has made some progress on developing a common language for software vulnerabilities, with its initial list of common vulnerabilities and exposures, (CVE) and more recently, the common weakness enumeration (CWE)." He also notes that "CVE includes a list of 20,000 vulnerabilities; CWE includes 600 categories of vulnerabilities." CWE is also mentioned in a quote by Ryan Berg, chief scientist at Ounce Labs, who states: "CVE is a database of vulnerabilities definitions and descriptions [and] CWE is an effort at coming up with a common taxonomy for describing what a particular vulnerability is." CWE is mentioned a third time in a quote by Mike Kass, software assurance project leader at the National Institute of Standards and Technology, who states that the point of CWE is to "enable more effective discussion, description, selection, and use of software security tools. [Still] There is little overlap among tools regarding what they claim to catch in the CWE. This creates questions for purchasers of tools regarding the tool's purported effectiveness and usefulness." The author also notes that: "More than 50 vendors are participating in the [CWE] effort." The article was written by Peter A. Buxbaum.

g2zero, March 17, 2007

CWE was the main topic of a March 17, 2007 article entitled "CWE defect dictionary hopes to make analyzing code analysis vendor claims easier" on g2zero. The article describes what CWE is, lists the organizations involved, states that CWE is "Not just a dictionary, but a way to rate source code analysis tools," and comments that it will be interesting to monitor the impact of CWE on the industry. The article is essentially a review of the article by CWE Program Manager Robert A. Martin in the March 2007 issue of CrossTalk, The Journal of Defense Engineering entitled "Being Explicit About Security Weaknesses."

InfoWorld, March 1, 2007

CWE was the main focus of a March 1, 2007 article in InfoWorld entitled "Software Vulnerability Index making progress." The article describes what CWE is, the benefits it provides for software developers and acquirers, mentions several of the sources used to create the list, and describes how the final draft of the list is being formed. The article also includes quotes by CWE Program Manager Robert A. Martin on the reason for CWE: "We wanted to evaluate what the tools claim to cover and what they are most effective at finding. Right now, best test is to throw tools at a big pile of code and see what tools find the most vulnerabilities, but we're changing that paradigm [with CWE] into test cases where we now look at the answers so we can evaluate what the tools found and what kinds of complexities they can handle."

The author also paraphrases Martin in describing the creation of the CWE List: "CWE's research will not list the names and performance results of the products it is testing -- provided by over 20 firms, including Cenzic, Fortify, SPI Dynamics, Veracode, and Watchfire -- but the work to compile a resource that offers developers an idea of the types of vulnerabilities missed by the tools should provide a great deal of value."

Also included is a quote by Sean Barnum, director of knowledge management at Cigital, regarding the CWE research: "We found that less than half of what we already have in CWE is covered by these tools, so this helps prove that there are a lot of known issues out there that aren't being addressed. We also thought that the tools would look for the same types of things, but they are actually very different, and there's not a lot of overlap; that's something that developers need to be aware of as they choose tools; you want the right set for aggregated coverage."

The author closes the article with a description of how the CWE dictionary is being developed: "Before each release of CWE, workers with the project spend much of their time comparing all the vulnerability definitions and mitigation taxonomies in the index, attempting to refine the language used in the descriptions and add real-world examples of attacks that target the flaws. That work is continuing and will remain the primary focus of CWE's efforts going forward ... including work to de-emphasize nomenclature that describes common problems based on the attack methods used to exploit them."

Computerworld, March 1, 2007

CWE was the main focus of a March 1, 2007 article in Computerworld entitled "Black Hat: Software Vulnerability Index making progress." The article describes what CWE is, the benefits it provides for software developers and acquirers, mentions several of the sources used to create the list, describes how the final draft of the list is being formed, and notes that CWE is sponsored by the U.S. Department of Homeland Security.

The author also notes that while the CWE work completed to date has involved the "gathering of vulnerability formats and the various methods used to identify and remediate the coding problems, the project has recently involved a significant amount of testing of security scanning tools to get a better idea of the capabilities and limitations of those products" and that the "tests ... revealed that the products were looking for only 45 percent of the 600 common vulnerabilities that have already been entered into the CWE index."

A quote by Sean Barnum, director of knowledge management at Cigital, further addresses the results: "We found that less than half of what we already have in CWE is covered by these tools, so this helps prove that there are a lot of known issues out there that aren't being addressed. We also thought that the tools would look for the same types of things, but they are actually very different, and there's not a lot of overlap; that's something that developers need to be aware of as they choose tools; you want the right set for aggregated coverage."

The author concludes the article by describing how the work on CWE is continuing by refining the language used in the descriptions, adding real-world examples of attacks that target the flaws, and "de-emphasizing nomenclature that describes common problems based on the attack methods used to exploit them."

ZDNet.com, March 1, 2007

CWE was the main focus of a March 1, 2007 article on ZDNet.com entitled "Dictionary for software bugs to cut confusion?" The article describes what CWE is, the benefits it provides for software developers and acquirers, mentions that organizations such as Cigital are committing to incorporating CWE in their products, and describes how a final draft of the list is being formed. The article also includes quotes by CWE Technical Lead Steve Christey on the creation of CWE: "Without a common, high-fidelity description of these [software] weaknesses, efforts to address vulnerabilities will be piecemeal at best, only solving part of the problem." The author then paraphrases Christey on the need for CWE because "coverage of early definitions by source code-checking tools is very slim."

The article also describes the creation of CWE: "Mitre has been working on CWE for the past year and a half. People working on the project are pulling together data from multiple sources, including security tool makers, and unifying it. This is proving to be an arduous task. One list alone already contains 300 bug categories."

The article concludes with a progress report on the latest draft: "The dictionary's fifth draft was published December 15. The sixth draft is expected to have merged data regarding weaknesses from 16 tool and knowledge sources participating in the CWE initiative."

CNET News.com, March 1, 2007

CWE was the main focus of a March 1, 2007 article on CNET News.com entitled "Dictionary for software bugs to cut confusion?" The article is a reprint of the ZDNet article above. The article was written by Joris Evers.

Dark Reading, March 1, 2007

CWE was the main focus of a March 1, 2007 article in Dark Reading entitled "Getting to Know the Enemy Better." The author states: "The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it." "In two separate presentations, experts from Mitre and Cigital -- two companies with long track records in government and industry standards -- outlined plans for the implementation of Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC), two specifications that could eventually help developers recognize weaknesses in their applications and anticipate common attack patterns that adversaries might use to break in."

The article describes both CAPEC and CWE, including what CWE is, the benefits CWE provides for software developers and acquirers, and how the final draft of the CWE List is being formed. The article also includes a quote by CWE Program Manager Robert A. Martin, who states: "It's a common body of knowledge about software assurance that will help developers to build security into their applications. The initiative, funded largely by the U.S. Department of Homeland Security (DHS), represents some 600 entries from more than 20 vendors of tools that help to identify security weaknesses in software."

CrossTalk, March 2007

CWE was a main topic in an article by CWE Program Manager Robert A. Martin entitled "Being Explicit About Security Weaknesses" in the March 2007 issue of CrossTalk, The Journal of Defense Engineering. The article describes the creation of the CWE initiative and the sources used to develop the initial concept, related efforts, how CWE is a community effort and a list of current members, how the drafts of the CWE dictionary are being developed, an example of a CWE entry, the CWE Compatibility and CWE Effectiveness program, and the additional impact and transition opportunities tied to CWE.

The author describes the importance of community contributions to the initiative as follows: "An important element of the CWE initiative is to be transparent to all on what we are doing, how we are doing it, and what we are using to develop the CWE dictionary. We believe this transparency is important during the initial creation of the CWE dictionary so that all of the participants in the CWE community are comfortable with the end result and will not be hesitant about incorporating CWE into what they do." The CWE dictionary is freely available for the public on the CWE Web site and "... all of the publicly available source content is [also] being hosted on the site for anyone to review or use for their own research and analysis."

The author concludes the article as follows: "This work is already helping to shape and mature the code security assessment industry, and it promises to dramatically accelerate the use and utility of automation-based assessment capabilities for organizations and the software systems they acquire, develop, and use."

Page Last Updated: January 12, 2017