Common Weakness Enumeration

CWE Glossary Definition

Industry News Coverage - 2012 Archive
Industry News Coverage - 2012 Archive

Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

IEEE Security and Privacy Magazine, May/June 2012

CWE, CWSS, and CWRAF are the main topics of an article entitled “The Software Industry’s ‘Clean Water Act’ Alternative” in the May/June 2012 issue of IEEE Security and Privacy Magazine.

The article advocates following the water industry’s example and “implementing processes that can examine software and remove the most dangerous contaminants, given its intended use.” To help enterprises achieve this, the article defines an “approach for organizations to document software’s security-relevant capabilities and rank the various potential technical impacts from CWEs so those CWEs with the most impact to an organization can be prioritized for mitigation. By addressing vulnerable software and finding systematic and verifiable ways to remove these weaknesses, software providers can improve customers’ trust in their systems and possibly avoid a regulatory solution, which might have unintended consequences.”

How to use Common Weakness Scoring System (CWSS) and Common Weakness Risk Analysis Framework (CWRAF) are also described.

The article was written by CWE Program Manager Robert A. Martin and CWE Technical Lead Steven M. Christey

CrossTalk Magazine: The Journal of Defense Software Engineering, March/April 2012

Common Vulnerabilities and Exposures (CVE®), CWE, and the CWE/SANS Top 25 Most Dangerous Programming Errors List are mentioned in an article entitled “Supply Chain Risk Management” in the March/April 2012 issue of CrossTalk Magazine: The Journal of Defense Software Engineering.

CVE, CWE, and the CWE/SANS Top 25 are mentioned in phase 2 of a section entitled “A Three-phase Code Analysis Process”: “Look for common vulnerability patterns … analysts [should] make sure that code reviews cover the most common vulnerabilities and weaknesses. Sources for such common vulnerabilities and weaknesses include the Common Vulnerabilities and Exposures (CVE) and Common Weaknesses Enumeration (CWE) databases, maintained by the MITRE Corporation and accessible on the web at: <http://cve.mitre.org/cve/> and <http://cwe.mitre.org/>. MITRE, in cooperation with the SANS Institute, also maintains a list of the “Top 25 Most Dangerous Programming Errors [13]” that can lead to serious vulnerabilities. The top three classes of errors as of December 2010 were cross-site scripting, SQL injection, and buffer overflows. Static code analysis tool and manual techniques should at a minimum, address these Top 25.”

CWE and the CWE/SANS Top 25 are cited again and described in more detail at the end of article in a section entitled “Useful Links”.

The article was written by Paul R. Croll.

MITRE Web Site, March 5, 2012

MITRE Corporation issued a press release on March 5, 2011 entitled “CWE Compatibility Certificates Awarded” announcing that 13 products from 5 organizations in 3 countries were the first-ever to be recognized as “Officially CWE-Compatible”: Veracode, Inc.'s Veracode Static Analysis, Veracode Dynamic Analysis, Veracode Manual Testing, and Veracode Analytics; Klocwork, Inc.'s Klocwork Insight; CXSecurity's World Laboratory of Bugtraq 2; Hewlett-Packard's HP Fortify Static Code Analyzer, HP Fortify Real-Time Analyzer, HP Fortify Software Security Center, HP Fortify On Demand, HP WebInspect, and HP Assessment Management Platform; and GrammaTech, Inc.'s CodeSonar.

The release also included quotes from CWE Program Manager Robert A. Martin and CWE Technical Lead Steve Christey, as well as from MITRE Vice President and Chief Security Officer Gary Gagnon, who states: "These companies have demonstrated a commitment to providing their customers with application security solutions that leverage the best information and mitigation strategies available. By integrating CWE Identifiers into their products, customers can feel secure using these companies' tools and service offerings."