Common Weakness Enumeration

CWE Glossary Definition

Industry News Coverage - 2009 Archive
Industry News Coverage - 2009 Archive

Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

SearchCIO, October 23, 2009

CWE was mentioned in an article about the recently formed Consortium for IT Software Quality (CISQ) entitled "CISQ plans software quality standards" in SearchCIO on October 19, 2009. CWE was mentioned when the author referenced William Curtis, Director of CISQ: "Curtis said CISQ will also leverage the security world's body of work on good coding practices, the Common Weakness Enumeration (CWE), a community-developed dictionary of software weakness types maintained by MITRE. Curtis said CISQ will 'look at bad coding for all kinds of coding issues, and we need a common, defined way of how to represent a violation, which is what the OMG will work on.' Ideally, he said, companies will be able to leverage the standards to build technology that looks for and identifies patterns of quality violations in the code. And the CISQ will develop a certification for those providing services to assess the quality of IT application software, based on the standards."

The article was written by Colleen Frye.

Government Computer News, September 23, 2009

CWE was mentioned in an article about CVE's 10-year anniversary entitled "CVE: Ten years and more than 38,000 vulnerabilities catalogued," published in Government Computer News on September 23, 2009. CWE was mentioned by the author when he explains how the success of CVE inspired follow-on efforts such as CWE and its Top 25 list. The article also includes quotes from CWE Program Lead and CVE Compatibility Lead Robert A. Martin and CWE Technical Lead and CVE Co-Creator and Technical Lead Steve Christey.

The article was written by William Jackson.

IEEE Security and Privacy, May/June 2009

CWE was the main topic of an article entitled "Improving Software Security by Eliminating the CWE Top 25 Vulnerabilities" in the May/June 2009 issue of IEEE Security and Privacy. The article, which may be downloaded from the IEEE Web site for a fee, provides best practices for specific weaknesses identified in the article by their CWE-IDs that can help users eliminate the CWE Top 25 vulnerabilities in their own development environment and products.

The article was written by Michael Howard.

DarkReading.com, April 8, 2009

CWE Technical Lead Steve Christey was quoted in an article entitled "The Rocky Road To More Secure Code" on DarkReading.com on April 8, 2009: "Steve Christey, principal information security engineer for MITRE, who also works on the Common Vulnerability and Exposures (CVE) [and CWE programs], says CVE data shows vulnerabilities in major software products, such as those from Microsoft, are becoming less rampant. "Vulnerabilities in products from major vendors like Microsoft still get announced every month. But it's often very difficult to detect [these vulnerabilities], and they require a large amount of time and investment from the people who discover them. That's one way to measure that software is becoming more secure: It's taking longer to find significant vulnerabilities in software." Christey says the good news is these more obscure bugs are more difficult to detect and, therefore, more difficult and expensive to exploit. The bad news is that has put the bull's eye on third-party applications, especially in the Web 2.0 space: "Web 2.0 doesn't have a culture of security from the moment of conception of an idea all the way to deployment," he says. "Software assurance needs to be a holistic approach that crosses all phases of development. But many of the third-party developers have not gone down this road."

SANS Web Site, January 23, 2009

CWE was mentioned in Draft 1.0 of the "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance" consensus list released by a consortium of federal agencies and private organizations on February 23, 2009. The document, which uses "knowledge of actual attacks and defines controls that would have stopped those attacks from being successful," includes 15 critical controls that are subject to automated measurement and validation and an additional 5 critical controls that are not.

CWE is mentioned as follows in a section about why the list is so important for chief information security officers (CISOs), chief information officers (CIOs), federal inspectors general, and auditors: "This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures-CVE), definition of secure configurations (Common Configuration Enumeration-CCE), inventory of systems and platforms (Common Platform Enumeration-CPE), vulnerability severity (Common Vulnerability Scoring System-CVSS) and identification of application weaknesses (Common Weaknesses Enumeration-CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia and industry. While still evolving, several of these efforts in standardization have made their way into commercial solutions and government, industry, and academic usage. Perhaps most visible of these has been the Federal Desktop Core Configuration (FDCC) which leveraged the Security Content Automation Program (SCAP)."

The draft is available for public review and comment at www.sans.org/cag, www.csis.org, and www.gilligangroupinc.com until March 23, 2009.

CWE/SANS Top 25 Programming Errors List Receives Extensive News Coverage

CWE and the SANS Institute posted the completed 2009 CWE/SANS Top 25 Programming Errors on the CWE and SANS Web sites on January 12, 2009. A collaboration between the SANS Institute, MITRE, and over 40 top software security experts in the U.S. and Europe, the list provides detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.

The release received extensive news media coverage: