Industry News Coverage - 2008 Archive
Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
IEEE Security and Privacy, November/December 2008
CWE was mentioned in an article entitled "State of Application Assessment" in the November/December 2008 issue of IEEE Security and Privacy. The article, which may be downloaded from the IEEE Web site for a fee, "looks at the state of assessment practice and offers some suggestions." CWE is mentioned when the author states: "Using taxonomies such as Mitre's Common Weakness Enumeration (http://cwe.mitre.org) will help organizations that don't have their own internal classifications, but regardless of whether findings are normalized to an internal or industry standard, they should be cross-referenced with corporate security standards where applicable. This helps increase developer awareness of these resources, the state of their code's compliance, and the motivating reasons why compliance is important."
The article was written by John Steven.
Software Development Times, August 2008
CWE Compatibility was included as a product feature in a chart comparing nine static analysis tools in an article entitled "Zero Tolerance for Bugs: Static Analyzers Evolve into Security Safety Net" in the August 2008 issue of Software Development Times. Of the nine, five are listed as having made declarations to be CWE-Compatible and one is listed as planning on making a declaration for future releases.
GrammaTech Web Site, March 18, 2008
CWE Compatibility was the main topic of a GrammaTech, Inc. press release entitled "GrammaTech Announces First Fully Compatible Static-Analysis Tool for MITRE's Common Weakness Enumeration Security Standard." The release explains what CWE is and how GrammaTech's CodeSonar product "has now entered CWE's Evaluation Phase, after which CWE compatibility will become official."
The release includes a quote by Paul Anderson, GrammaTech's VP of Engineering, who states: "GrammaTech's CodeSonar is a static analysis tool for identifying programming flaws and security vulnerabilities in code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort and proud to be the first vendor to offer a static-analysis tool that is compatible in all aspects."
The release also includes a quote by CWE Project Manager Robert A. Martin, who states: "Leveraging efforts on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop."
Embedded Computing, March 18, 2008
CWE was the main topic of a March 18, 2008 article entitled "GrammaTech Announces First Fully Compatible Static-Analysis Tool for MITRE's Common Weakness Enumeration Security Standard" on Embedded Computing. The article was a reprint of GrammaTech's news release.
CWE Mentioned in SC Magazine Article about Vulnerability Management
CWE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CWE is mentioned in a section entitled "MITIGATING RISKS: The development phase" when the author states: "Common Weakness Enumeration (CWE) [is] a dictionary of common mistakes made when developing software, such as buffer overflows or cross-site scripting. The initiative, which kicked off about 1 1/2 years ago and is starting to gain momentum, is a natural offshoot of its eight-year-old Common Vulnerabilities and Exposure project."
The article quotes CWE Technical Lead and CVE List Editor Steve Christey, who states: "We found that many programmers make the exact same kind of mistakes, regardless of what kind of software they're developing. CWE starts to catalog those common mistakes that get made." The article also quotes CWE Program Manager Robert A. Martin, who states: "The hope is that the CWE lexicon can serve as a reference guide for software developers. There are specific things that people can look for."
The article also mentions MITRE's Common Vulnerabilities and Exposures (CVE) List.