CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > News > Industry News Coverage - 2011 Archive  
ID

Industry News Coverage - 2011 Archive
Industry News Coverage - 2011 Archive

Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2011
December 2011

eWeek, December 22, 2011

The CWE/SANS Top 25 Most Dangerous Software Errors list was mentioned in a December 22, 2011 article entitled "Top 25 Flaws Developers Blindly Build Into Applications" on eWeek.com. The article describes how many of the high-profile security breaches in 2011" took advantage of common, well-known software flaws in applications, such as SQL injection, cross-site scripting and buffer overflows" and states that the "development lifecycle needs to start focusing on avoiding security flaws from the beginning".

The Top 25 is mentioned as follows: "Earlier this year, the SANS Institute, in conjunction with the nonprofit technology research corporation MITRE and the Department of Homeland Security, released the annual Common Weakness Evaluation/SANS Top 25 Most Dangerous Software Errors. The top issues were exploited by groups such as LulzSec and Anonymous in their attacks against Sony Pictures, PBS.org and HB Gary Federal in 2011. And a Citigroup breach, which exposed credit card information for more than 300,000 account holders, relied on the "missing authorization" flaw, which meant the site did not check whether the user was allowed to perform a particular action. All of these software flaws are easy for attackers to find using basic scanning tools." The article then goes on to give brief summaries of the weaknesses listed on the 2011 Top 25.

The article was written by Fahmida Y. Rashid.

October 2011
October 2011

SDTimes.com, October 14, 2011

The CWE/SANS Top 25 was mentioned in an October 14, 2011 article entitled "How can you stay one step ahead in security for the cloud?" on SDTimes.com. The Top 25 was mentioned in a quote by Gwyn Fisher, CTO of Klocwork, Inc., regarding the "fact that many programmers are still making the same easily avoided mistakes."

Fisher states: "It's the same set that forms the core of the CWE Top 25, the same set that any two-minute Google search will give you more information on than you could possibly imagine. So is there a light at the end of this particularly repetitive tunnel? I'm much more a fan of removing weakness than managing exploits, as I firmly take the stance that the investment leverage gained from weakness-removal so vastly outweighs any time/effort/money put into exploits as to make the latter laughable. As a counterpoint, however, and as was widely published in a study performed by one of our competitors several years back, the average developer pays way more attention to a report of an identified exploit than they ever do to a report of a weakness, however well-described in their code."

Klockwork, Inc. is a member of the CWE Community and a participant in the CWE Compatibility and Effectiveness Program. The article also included quotes from other CWE Community and CWE Compatibility Program participants.

September 2011
September 2011

U.S. Department of Energy Web site, September 2011

CWE was used in a September 2011 report from the U.S. Department of Energy entitled Vulnerability Analysis of Energy Delivery Control Systems that "describes the common vulnerabilities on energy sector control systems, and provides recommendations for vendors and owners of those systems to identify and reduce those risks." The report findings were "mapped to software weakness types defined by the Common Weakness Enumeration (CWE) to the extent possible … so that Supervisory Control and Data Acquisition (SCADA)" vendors and owners can refer to the CWE for additional guidance in identifying, mitigating, and preventing weaknesses that cause vulnerabilities." Common Vulnerability Scoring System (CVSS) was also used to prioritize the vulnerabilities according to the relative risk they pose to the SCADA system.

The report is available for free download at http://energy.gov/sites/prod/files/Vulnerability Analysis of Energy Delivery Control Systems 2011.pdf.

August 2011
August 2011

Virtualization Practice, August 15, 2011

CWE was the main focus of a Virtualization Security podcast entitled "MITRE – Two New Tools to Help with PaaS and Risk Assessment" on the Virtualization Practice Web site on August 15, 2011. The podcast was an interview with CWE/CAPEC Program Manager Robert A. Martin about how CWE, CWSS, and CWRAF could "be used by those that program within a PaaS environment, make use of SaaS, or other cloud services."

July 2011
July 2011

COTS Journal, July 2011

CWE is the main topic of an article entitled "CWE Initiative Helps Secure Code Development Efforts" in the July 2011 issue of COTS Journal: The Military Journal of Electronics & Computing. The article explains what CWE is, how it is works, its relationship to Common Vulnerabilities and Exposures (CVE), and the benefits of secure coding.

The author states: "As the implementation of standards like CWE becomes more widespread, a tool vendor’s experience and reputation in security- and safety-critical expertise will be invaluable. Use of qualified and well-integrated tools ensures that the developers can automate the process more easily and efficiently. Creating a secure development community using standards, technologies and a well-integrated development environment promotes a continuous process of improvement. And, a focus on secure development lifecycle principles and practices will result in the ongoing production of software systems that are more dependable, trustworthy and extensible."

June 2011
June 2011

2011 CWE/SANS Top 25 Most Dangerous Software Errors List Receives Extensive News Coverage

CWE and the SANS Institute posted the completed 2011 CWE/SANS Top 25 Most Dangerous Software Errors list on the CWE and SANS Web sites on June 27, 2011. A collaboration between the SANS Institute, MITRE, and over top software security experts in the U.S. and Europe, the list provides detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.

The release received extensive news media coverage:

SANS Web Site, June 1, 2011

CWE was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology. The document provides cybersecurity status reporting metrics for government agencies under the Federal Information Security Management Act (FISMA) that focus on the ability to automate system monitoring and security controls.

CWE is included as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."

March 2011
March 2011

DHS Web Site, March 2011

CWE was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats—creating and exchanging trusted information and coordinating courses of action in near real time."

The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.

The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.

The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.


More information is available — Please select a different filter.
Page Last Updated: January 12, 2017