News & Events - 2006 Archive
December 29, 2006
CWE Compatibility & Effectiveness Section Added to CWE Web Site
A CWE Compatibility and Effectiveness section has been added to the CWE Web site. CWE Compatibility and Effectiveness provides for a product or service to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective," thereby assisting organizations in their selection and evaluation of tools and/or services for assessing their acquired software for known types of weaknesses and flaws, for learning about the various weaknesses and their possible impact, or to obtain training and education about these issues. The new section includes a description of the program, a list of the specific compatibility requirements, and instructions for how to make a declaration.
December 15, 2006
Fifth Draft of CWE Now Available
The fifth draft of CWE has been posted on the CWE
List page. This update includes (1) additional descriptions and mitigations for about 40 of the items, (2) minor revisions and updates to approximately 100 items based on the donated information, and (3) revisions to the names and structure of the hierarchical view to reflect the new and revised CWE content. Most of these changes are from the initial insertions of material from three more of the sixteen companies that are contributing to CWE under non-disclosure agreements.
CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
This current step of building CWE involves gathering data about weaknesses from the sixteen tool and knowledge sources that are participating in CWE. Additions and revisions from these contributions are in process and will be added when they are ready in a sixth draft. We welcome any comments about CWE at cwe@mitre.org.
CWE Presents Briefing at DHS/DoD SwA Working Group Meeting Session
CWE Program Manager Robert A. Martin presented a briefing about CWE at the "DHS/DoD SwA Working Group Meeting Session" in Arlington, Virginia, USA on December 11, 2006 that introduced CWE to information security professionals and decision-makers from the DoD and DHS. The CWE Team also helped lead the kick-off of the new Malware Working Group session, which focused on enumerating the attributes of malware so that the different types of malware can be characterized and the attribute-based characterizations can be combined with the emerging legal definitions for the different types of malware.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Presents Briefing at OMG Software Assurance Information Day
CWE Program Manager Robert A. Martin presented a briefing about CWE at OMG
Software Assurance Information Day in Washington, D.C., USA on December 7, 2006. The briefing introduced CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Presents Briefing to OMG Software Assurance Special Interest Group
CWE Program Manager Robert A. Martin presented a briefing about CWE to the OMG
Software Assurance Special Interest Group in Washington, D.C., USA on December 6, 2006. The briefing introduced CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.
Visit the CWE Calendar page for information on this and other upcoming events.
December 5, 2006
CWE Presents Briefing to IT Information Sharing and Analysis Center (ISAC) Teleconference
CWE Program Manager Robert A. Martin presented a briefing about CWE and software assurance to the IT
Information Sharing and Analysis Center (ISAC) teleconference on December 3, 2006. The briefing introduced CWE and software assurance activities to information technology and security professionals and decision-makers from the software, information security, and technology service provider industries.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Presents Briefing at DIA Software Assurance Workshop
CWE Program Manager Robert A. Martin presented briefings about CWE entitled "Certifying Applications for Known
Security Weaknesses" and "Malicious Code/Malware Attribute Enumeration" at
the DoD's "Defense Intelligence Agency (DIA) Software Assurance Workshop" at
DIA on Bolling AFB, D.C., USA on December 4, 2006. The workshop was organized for DIA by
the DHS Software Assurance program.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE to Present Briefing to OMG Software Assurance Special Interest Group
CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the OMG
Software Assurance Special Interest Group in Washington, D.C., USA on
December 6, 2006. The briefing will introduce CWE and software assurance
activities to information technology and security professionals and decision-makers
from the software, information security, and technology service provider
industries.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE to Present Briefing at OMG Software Assurance Information Day
CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE at OMG
Software Assurance Information Day in Washington, D.C., USA on December
7, 2006. The briefing will introduce CWE and software assurance activities
to information technology and security professionals and decision-makers
from the software, information security, and technology service provider
industries.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE to Present Briefing at DHS/DoD SwA Working Group Meeting Session
CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE at the "DHS/DoD SwA Working Group Meeting Session" in
Arlington, Virginia, USA on December 11, 2006 that will introduce CWE to information security professionals
and decision-makers from the DoD and DHS. The CWE Team will also help lead the
kick-off of the new Malware Working Group session, which will focus on enumerating
the attributes of malware so that the different types of malware can be characterized
and the attribute-based characterizations can be combined with the emerging legal
definitions for the different types of malware.
'Vulnerability Types Distributions' White Paper Posted on CWE Web Site
A white paper entitled Vulnerability
Type Distributions in CVE has been posted on the CWE
Documents page. Written by Common Vulnerabilities
and Exposures (CVE) Editor Steve Christey, this October 2006 technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.
November 16, 2006
CWE Participates on Discussion Panel at ACM
Conference on Computer and Communications Security on October 31st
CWE Program Manager Robert A. Martin participated on a discussion panel at the ACM
Computer and Communications Security Conference on October 31, 2006 at the Hilton Alexandria Mark Center in Alexandria, Virginia, USA. The conference, which ran October 30th through November 3rd, is "a forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security."
Visit the CWE Calendar page for information on this and other upcoming events.
October 26, 2006
Two Organizations Join the CWE Community
Two additional organizations have joined the CWE Community, Security
Innovation Inc. and AppSIC, LLC. Members of the CWE Community work together to create specific and succinct definitions for each of the elements in the CWE
List. By leveraging the widest possible group of interests and talents we hope to ensure that the CWE elements are adequately described and differentiated.
There are now 39 organizations from around the world participating in the CWE initiative. Visit the CWE
Community page for a complete list.
CWE to Participate on Discussion Panel at ACM
Conference on Computer and Communications Security on October 31st
CWE Program Manager Robert A. Martin will participate on a discussion panel at the ACM
Computer and Communications Security Conference on October 31, 2006 at the Hilton Alexandria Mark Center in Alexandria, Virginia, USA. The conference, which runs October 30th through November 3rd, is "a forum for the presentation of new research results and the identification of future research directions in the area of computer and communications security."
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Hosts Booth at FIAC 2006
MITRE hosted a CWE/CVE/CCE/OVAL/CME exhibitor booth at Federal
Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference exposed CWE, CVE, CCE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.
Visit the CWE Calendar page
for information on this and other upcoming events. Contact cwe@mitre.org to
have CWE present a briefing or participate in a panel discussion about CWE, CVE, CCE, OVAL, CME,
and/or other vulnerability management topics at your event.
CWE Presents Briefing at Tactical Information Assurance 2006
CWE Program Manager and CVE Compatibility Lead Robert A. Martin presented a briefing about CWE/CVE/OVAL entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical
Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference introduced CWE, CVE, and OVAL to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.
Visit the CWE Calendar page for information on this and other upcoming events.
October 4, 2006
CWE to Host Booth at FIAC 2006
MITRE is scheduled to host a CWE/CVE/CCE/OVAL/CME exhibitor booth at Federal
Information Assurance Conference (FIAC) 2006, October 25-26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose CWE, CVE, CCE, OVAL, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.
Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to
have CWE present a briefing or participate in a panel discussion about CWE, CVE, CCE, OVAL, CME, and/or
other vulnerability management topics at your event.
CWE to Present Briefing at Tactical Information Assurance 2006
CWE Program Manager and CVE Compatibility Lead Robert A. Martin
is scheduled to present a briefing about CWE/CVE/OVAL entitled "Securing
The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical
Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway
in Arlington, Virginia, USA. The conference will introduce CWE, CVE, and OVAL
to information technology and security professionals and decision-makers from
the U.S. military, defense agencies, industry contractors, and technology service
providers.
Visit the CWE Calendar page for information on this and other upcoming events.
CWE Hosts Booth at IT Security World 2006
MITRE hosted a CWE/CVE/CCE/OVAL/CME exhibitor booth at MISTI's IT
Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference exposed CWE, CVE, CCE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.
Visit the CWE Calendar page for information on this and other upcoming events.
September 28, 2006
Fourth Draft of CWE Now Available
The fourth draft of CWE has been posted on the CWE
List page. This update includes (1) additional descriptions and mitigations for about 50 of the items; (2) minor revisions and updates to over 100 items based on the donated information; and (3) revisions to the names and structure of the hierarchical view to reflect the new and revised CWE content. Most of these changes are from the initial insertions of material from three of the fourteen companies that are contributing to CWE under non-disclosure agreements.
CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
This current step of building CWE involves gathering data about weaknesses from the fourteen tool and knowledge sources that are participating in CWE. Additions and revisions from these contributions are in process and will be added when they are ready in a fifth draft in approximately two months. We welcome any comments about CWE at cwe@mitre.org.
CWE to Host Booth at IT Security World 2006
MITRE is scheduled to host a CWE/CVE/CCE/OVAL/CME exhibitor booth at MISTI's IT
Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference will expose CWE, CVE, CCE, OVAL, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.
Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CVE, CCE, OVAL, CME, and/or other vulnerability management topics at your event.
CWE Presents Briefing at 5th Annual Cyber Security Executive Summit
MITRE presented a briefing about CWE and CVE at the 5th
Annual Cyber Security Executive Summit for the financial services sector
on September 13-14, 2006 at the Metropolitan Pavilion in New York City, New York,
USA. The event introduced CWE and CVE to financial industry executives and security
professionals from around the world.
Visit the CWE Calendar page for information on this and other upcoming events.
Common Weakness Enumeration (CWE) Launches New Web Site
The CWE List is now available on this dedicated Common Weakness Enumeration (CWE) Web site. It was formerly hosted on the CVE Web site. The new site includes the CWE List; an About section describing the overall CWE effort and process in more detail; News page; Calendar page; Compatibility page; Community Participation page; and a list of Sources. CWE is based in part on the 19,000+ Common Vulnerabilities and Exposures (CVE) identifiers on the CVE List.
August 9, 2006
CWE Co-Hosts Booth at Black Hat Briefings 2006
MITRE hosted a CWE/CVE/OVAL/CME exhibitor/meeting
booth at Black
Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace
in Las Vegas, Nevada, USA. The event exposed CWE, CVE, OVAL, and CME to a diverse
audience of information security-focused attendees from around the world.
Visit the CWE Calendar page for information on this and other upcoming events.
July 19, 2006
Third Draft of Common Weakness Enumeration (CWE) Now Available
The third draft of CWE has been posted on the CWE
List page on the CVE Web site. Changes include (1) additional descriptions and mitigations for about 150 of the items; (2) adding language-specific indicators for those that are tied to a language or platform like C, C++, Java, or .NET; (3) minor revisions and updates to many other items; and (4) addition of a first cut at a CWE_ID field that is meant to be a unique, non-variant identifier for the CWE content.
CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Our next step in building CWE involves gathering data about weaknesses from fourteen tool and knowledge sources and then merging this new data into the current list to create a fourth draft. We welcome any comments about CWE at cwe@mitre.org.
July 12, 2006
CWE Main Topic of Briefing at NIST's Static Analysis Summit
CWE Program Manager Robert A. Martin presented a briefing about the Common Weakness Enumeration (CWE) on June 29, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. National
Institute of Standards and Technology's (NIST) "Static
Analysis Summit" in Gaithersburg, Maryland, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
May 10, 2006
CWE Main Topic of Briefing at DOD System and Software Technology Conference
CWE Program Manager Robert A. Martin presented a briefing about the Common Weakness Enumeration (CWE) on May 4, 2006 entitled "Bringing
Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th
Annual System and Software Technology Conference" in Salt Lake City, Utah, USA.
Visit the CWE Calendar page for information on this and other upcoming events.
Second Draft of Common Weakness Enumeration (CWE) Now Available
The second draft of CWE has been posted on the CWE
List page on the CVE Web site. Changes include (1) cleaning up the names of the current elements, and (2) full expansion of the current elements using additional content from PLOVER, Seven Pernicious Kingdoms, and CLASP.
CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Our next step in building CWE involves gathering data about weaknesses from ten tool and knowledge sources and then merging this new data into the current list to create a third draft. We welcome any comments about CWE at cwe@mitre.org.
March 15, 2006
Initial Draft of "Common Weakness Enumeration (CWE)" Now Available
The first draft of the "Common Weakness Enumeration (CWE)" was posted on the Common Vulnerabilities and Exposures (CVE) Web site on March 15, 2006. CWE is a community-developed formal list of common software weaknesses. The intention of CWE is to serve as a common language for describing software security weaknesses in architecture, design, or code; as a standard measuring stick for software security tools targeting these weaknesses; and to provide a common baseline standard for weakness identification, mitigation, and prevention efforts. Broad community adoption of CWE will help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Based in part on the CVE
List's 18,000 plus CVE identifiers—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.
Initial information hosted on the CVE Web site included the first draft of the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and a list of Sources. The CWE Web site was launched on September 22, 2006.