News & Events - 2008 Archive

December 10, 2008

CWE Presents Briefing to DHS/DoD SwA Forum Working Group Meeting on December 2-4

CWE Program Manager Robert A. Martin presented a briefing about CWE/Making Security Measurable to the DHS/DoD SwA Working Group Meeting Session on December 2-4, 2008 in Ballston, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

November 25, 2008

CWE Version 1.1 Now Available

CWE Version 1.1 has been posted on the CWE List page. Content changes include 16 new entries, a new view related to the CERT C Secure Coding Standard, and updates to 141 entries. There was also a small change to the schema, which has been updated to version 4.0.1. A detailed report is available that lists specific changes between Version 1.0.1 and Version 1.1.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE the Basis of SANS/MITRE Top 25 Most Dangerous Programming Errors

CWE entries are the basis of the SANS/MITRE Top 25 Most Dangerous Programming Errors, which are "a list of the 25 most significant programming errors that can lead to serious software vulnerabilities."

The main goal for the Top 25 list, which leverages the CWE List and the SANS Top 20 attack vectors, is to "stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list will be a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers could use the same list to help them to ask for more secure software. Lastly, and maybe more importantly, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software."

The Top 25 is scheduled for initial release on December 10, 2008. Following a period of public comment, the list will be released officially and provided to application software security testing vendors so they can integrate the Top 25 into their security assessment reporting.

Contact top25@sans.org or cwe@mitre.org for additional information.

MITRE Presents Making Security Measurable White Paper at MILCOM 2008 on November 19

CWE Program Manager Robert A. Martin presented a white paper entitled "Making Security Measurable and Manageable" at MILCOM 2008 on November 19, 2008 in San Diego, California, USA. The paper introduces MITRE's Making Security Measurable effort by explaining in detail how information security data standards such as CWE, CVE, CCE, CPE, CAPEC, OVAL, and others facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar page for information on this and other upcoming events.

November 12, 2008

MITRE Scheduled to Present Making Security Measurable White Paper at MILCOM 2008 on November 19

CWE Program Manager Robert A. Martin is scheduled to present a white paper entitled "Making Security Measurable and Manageable" at MILCOM 2008 on November 19, 2008 in San Diego, California, USA.

The paper introduces MITRE's Making Security Measurable effort by explaining in detail how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

The conference itself runs November 17-19. Visit the CWE Calendar page for information on this and other upcoming events.

October 14, 2008

CWE Version 1.0.1 Now Available

CWE Version 1.0.1 has been posted on the CWE List page. No changes have been made to the schema. Content changes include one new entry, modifications to over 130 description summaries for brevity and clarity, and updates to 166 entries. A detailed report is available that lists specific changes between Version 1.0 and Version 1.0.1.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

SecurityReason Makes Declaration of CWE Compatibility

SecurityReason declared that its database/knowledge repository, SecurityAlert, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Information-Technology Promotion Agency, Japan Makes Declaration of CWE Compatibility

Information-Technology Promotion Agency (IPA), Japan declared that its vulnerability countermeasure information database, JVN iPedia, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Presents Briefing to DHS/DoD SwA Forum on October 14-16

CWE Program Manager Robert A. Martin presented a briefing about CWE to the DHS/DoD SwA Forum on October 14-16, 2008 in McLean, Virginia, USA.

See the CWE Calendar for information on this and other upcoming events.

October 2, 2008

CWE Scheduled to Present Briefing to DHS/DoD SwA Forum on October 14-16

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the DHS/DoD SwA Forum on October 14-16, 2008 in McLean, Virginia, USA.

See the CWE Calendar for information on this and other upcoming events.

MITRE Hosts "Making Security Measurable" Table Booth at Security Automation Conference 2008

MITRE hosted a Making Security Measurable table booth at the U.S. National Institute of Standards and Technology's (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA. Booth visitors learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

See the CWE Calendar for information on this and other upcoming events.

September 9, 2008

CWE Version 1.0 Now Available

CWE Version 1.0 has been posted on the CWE List page. It includes several important changes. Detailed reports are available that list specific changes between Draft 9 and Version 1.0, for schema and for content. A separate summary of the major changes is also available.

The most significant changes from the draft versions include: two new views into the list, one a "Development Concepts" view (CWE-699) that organizes weaknesses around concepts that are frequently used or encountered in software development, and the other a "Research Concepts" view (CWE-1000) intended to facilitate research into weaknesses that is mainly organized according to abstractions of software behaviors; an improved and stabilized schema; several other new views; 39 new entries; graphical presentations of views; several new white papers on CWE evolution, terminology, and mapping; and hundreds of changes to CWE content, covering all entries.

The creation of Version 1.0 was truly a community effort and we would especially like to thank the following organizations for their contributions and feedback: Cigital, Inc., KDM Analytics, Veracode, NIST, Fortify Software Inc., an anonymous contributor, and many others. Additional thanks go to CWE team members Conor Harris, Janis Kenderdine, and Mark Loveless.

With the completion of Version 1.0, the CWE Team's next step is refinement of individual entries for greater accuracy and completeness. Updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

Cenzic, Inc. Makes Two Declarations of CWE Compatibility

Cenzic, Inc. declared that its Web application security risk management platform, Cenzic Hailstorm Enterprise ARC, and its Web application penetration testing and vulnerability management system, Cenzic Hailstorm Professional, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Compatibility Used as Feature to Compare Products in Software Development Times

CWE Compatibility was included as a product feature in a chart comparing nine static analysis tools in an article entitled "Zero Tolerance for Bugs: Static Analyzers Evolve into Security Safety Net" in the August 2008 issue of Software Development Times. Of the nine, five are listed as having made declarations to be CWE-Compatible and one is listed as planning on making a declaration for future releases.

August 14, 2008

CWE Participates in 'Making Security Measurable' Booth at Black Hat Briefings 2008

CWE participated in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Booth visitors learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

See the CWE Calendar for information on this and other events.

July 9, 2008

CWE Version 1.0 Scheduled for Release in August

CWE Version 1.0 is currently scheduled to be released in August. The goals for the 1.0 release of CWE include:

1) Finishing the existing systemic changes — CWE 1.0 is meant to be a stable point in CWE's development, which means finalizing the systemic changes that have been on-going over the past year or two. To do this, general "content maintenance" (i.e., localized modification of individual entries) is being de-prioritized except as those modifications might relate to the systemic changes. After CWE 1.0 is released, the focus will shift to content development and refinement, in which there will be greater emphasis on accuracy and completeness of individual entries.

2) A stabilized schema — There have been significant schema changes over the past year, primarily to support the development of views, as well as the needs of stakeholders. The primary goal for CWE 1.0 is to have the schema be stable. As an outcome of an internal review we have outlined the major limitations that still need to be addressed.

3) Finalizing multiple views that support different use cases and stakeholders — For the past year we have been developing the view concept and implementation and the CWE Team thinks we have a handle on how to support them. So CWE 1.0 will have multiple views that support different use cases and stakeholders, and the schema infrastructure will be in place to support adding more views without requiring schema modifications.

4) Refinement of the Natural Hierarchy — The CWE Team has come to realize that we need to do a better job of communicating what we're trying to accomplish with the Natural Hierarchy (CWE-1000). In short, we are attempting to build a classification scheme based on the inherent features of a large portion of the weaknesses in CWE, and on their interrelationships. We hope this will take Seven Pernicious Kingdoms and CLASP one step further. All past versions of CWE have had multiple ways of grouping weaknesses together, which led to difficulty or inconsistency in performing mappings and made it hard to infer where knowledge gaps existed. The CWE Team has found that the ongoing development of the natural hierarchy has helped us significantly in understanding much of what we have in CWE, and why. Academic researchers might be especially interested in its development.

Ironically, the natural hierarchy might not seem so "natural" to regular developers; so, we need to actively support the developer view. This is one major challenge that we face.

In the coming weeks, we will be releasing a more detailed white paper to the community on the CWE Team's goals for the natural hierarchy. Traces of it exist in CWE Draft 9, but it is far from complete (and we've since made significant inroads in our 1.0 development). To get an idea of where we are headed, see: CWE-664 ("Insufficient Control of a Resource Through its Lifetime"), CWE-682 ("Incorrect Calculation"), and CWE-691 ("Insufficient Control Flow Management"). If you are particularly interested in this effort, then contact us at cwe@mitre.org and we will give you our current status.

5) Increasing community engagement — Leading up to CWE 1.0, we will be actively engaging community members on important issues for CWE through the CWE-Research discussion list. This discussion list will be one of the main places in which we solicit feedback. So, this summer is the time to sign up for the CWE-Research list and voice any concerns or ideas you have.

6) Resolution of outstanding issues related to CWE content maintenance — In fall 2007 we brought up various issues related to CWE content maintenance, including which types of issues we should include, and what level of abstraction we should use. We will be actively resolving many of those issues. See the Working Documents section at http://cwe.mitre.org/community/workingdocs.html for a refresher.

7) Identifying and addressing CWE gaps with respect to current tools and providing guidance for mapping — Under non-disclosure agreements, several tool vendors have sent us updated lists of their checks, some of which had CWE mappings. We are evaluating these mappings to ensure that CWE 1.0 will be able to support the existing perspectives under which these tools operate. This might include creating high-level entries that act as placeholders for future content creation of lower-level entries. We will not have the time to create new entries for every gap that we encounter, at least by the release of 1.0, but we will have a solid understanding of what remains to be done.

The current version of CWE is Draft 9. Please send any comments or concerns to cwe@mitre.org.

CWE to Participate in 'Making Security Measurable' Booth at Black Hat Briefings 2008 on August 6-7

CWE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Visit us at Booth A and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

See the CWE Calendar for information on this and other events.

CWE Presents Briefing at SAW 2008

CWE Technical Lead Steve Christey presented a summary of CWE's experiences with Software Assurance Metrics and Tool Evaluation's (SAMATE) Static Analysis Tool Exposition (SATE) and its implications for CWE at the ACM SIGPLAN Static Analysis Workshop (SAW 2008) on June 12, 2008 in Tucson, Arizona, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

June 25, 2008

CWE/Making Security Measurable Booth at 2008 Cyberspace Symposium on June 16-19

MITRE hosted a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Western Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

June 4, 2008

MITRE Scheduled to Host "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19

MITRE is scheduled to host a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Western Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4

CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Presents "Making Security Measurable" Briefing and Conducts a Half-Day Tutorial at AusCERT 2008 on May 18-23

CWE Program Manager Robert A. Martin and CWE Technical Lead Steven M. Christey presented a briefing about Making Security Measurable and conducted a half-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at the Crowne Plaza Royal Pines Resort in Gold Coast, Australia.

Visit the CWE Calendar for information on this and other events.

MITRE Presents CWE and "Making Security Measurable" Briefings at 2008 IEEE Conference on the Technologies for Homeland Security on May 12-13

CWE Program Manager Robert A. Martin presented a briefing about CWE and a briefing about Making Security Measurable to the 2008 IEEE Conference on Technologies for Homeland Security on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

CWE Presents Briefing to Software Quality Group of New England on May 9

CWE Program Manager Robert A. Martin presented a briefing about CWE to the Software Quality Group of New England (SQNE) on May 9, 2008 in Burlington, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

May 7, 2008

Security-Database Makes Declaration of CWE Compatibility

Security-Database declared that its Security-Database Web Services will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Scheduled to Present Briefing to Software Quality Group of New England on May 9

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the Software Quality Group of New England (SQNE) on May 9, 2008 in Burlington, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Scheduled to Present CWE and "Making Security Measurable" Briefings at 2008 IEEE Conference on the Technologies for Homeland Security on May 12-13

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE and a briefing about Making Security Measurable to the 2008 IEEE Conference on Technologies for Homeland Security on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Scheduled to Present "Making Security Measurable" Briefing and Conduct a Full-Day Tutorial at AusCERT 2008 on May 18-23

CWE Program Manager Robert A. Martin and CWE Technical Lead Steven M. Christey are scheduled to present a briefing about Making Security Measurable and conduct a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at the Crowne Plaza Royal Pines Resort in Gold Coast, Australia.

Visit the CWE Calendar for information on this and other events.

MITRE Presents CWE Briefing at DHS/DoD Software Assurance Forum on May 6-7

CWE Program Manager Robert A. Martin presented a briefing about CWE at the DHS/DoD SwA Forum on May 6-7, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CWE Presents Briefing/Participates on Discussion Panel at Systems & Software Technology Conference 2008 on April 29-May 2

CWE Program Manager Robert A. Martin presented a briefing about CWE entitled "Creating the Secure Software Testing Target List" and participated on a discussion panel entitled "Practical Application of Software Assurance Assessment" at the 20th annual Systems & Software Technology Conference (SSTC 2008) on April 29 - May 2, 2008 at the Las Vegas Hilton in Las Vegas, NV, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27

CWE Program Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.

Visit the CWE Calendar for information on this and other events.

April 24, 2008

CWE Scheduled to Present Briefing/Participate on Discussion Panel at Systems & Software Technology Conference 2008 on April 29-May 2

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE entitled "Creating the Secure Software Testing Target List" and participate on a discussion panel entitled "Practical Application of Software Assurance Assessment" at the 20th annual Systems & Software Technology Conference (SSTC 2008) on April 29 - May 2, 2008 at the Las Vegas Hilton in Las Vegas, NV, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

CWE Scheduled to Present Briefing to DHS/DoD SwA Forum on May 6-7

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE to the DHS/DoD SwA Forum on May 6-7, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24

CWE Project Manager/CVE Compatibility Lead Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

April 11, 2008

Ninth Draft of CWE Now Available

The ninth draft of CWE has been posted on the CWE List page. It includes several important changes. A report is available that lists specific differences between Draft 8 and Draft 9.

Specific changes for Draft 9 include: significant schema changes to better distinguish and link between Weaknesses, Categories, Views, Chains, and Composites; 39 new entries, many of which improve the organization of CWE; changes to the names or descriptions of over 200 entries, in order to more accurately reflect each entry; modification of relationships related to classification under a "natural hierarchy" view; addition of a Status field to reflect the maturity of each entry; an updated report on prioritization of fields; the introduction of named chains; and many other changes affecting over 450 entries.

We welcome any comments about CWE at cwe@mitre.org.

MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference exposed the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

March 26, 2008

Checkmarx Ltd. Makes Declaration of CWE Compatibility

Checkmarx Ltd. declared that its assessment and remediation tool, CxSuite, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Core Security Technologies Includes CWE Identifier in Security Advisory

Core Security Technologies included CWE-ID 196 as a reference in a March 25, 2008 vulnerability advisory entitled "SILC pkcs_decode buffer overflow." This is the first time a CWE-ID has been included as a reference in a security advisory.

CWE Compatibility Main Topic of GrammaTech News Release

CWE Compatibility was the main topic of a GrammaTech, Inc. press release entitled, "GrammaTech Announces First Fully Compatible Static-Analysis Tool for MITRE's Common Weakness Enumeration Security Standard." The release explains what CWE is and how GrammaTech's CodeSonar product "has now entered CWE's Evaluation Phase, after which CWE compatibility will become official."

The release includes a quote by Paul Anderson, GrammaTech's VP of Engineering, who states: "GrammaTech's CodeSonar is a static analysis tool for identifying programming flaws and security vulnerabilities in code. CWE is an important and valuable initiative that will help CodeSonar users understand the state of their code more effectively. GrammaTech is pleased to participate in this effort and proud to be the first vendor to offer a static-analysis tool that is compatible in all aspects."

The release also includes a quote by CWE Project Manager Robert A. Martin, who states: "Leveraging efforts on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop."

MITRE Scheduled to Host "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference will expose the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

MITRE Scheduled to Present "Making Security Measurable" Briefing at GOVSEC on April 24

CWE Project Manager/CVE Compatibility Lead Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

MITRE Scheduled to Present "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27

CWE Project Manager/CVE Compatibility Lead Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at SEPG North America 2008 on March 18

CWE Project Manager/CVE Compatibility Lead Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 18, 2008 at the Tampa Convention Center in Tampa, Florida, USA.

Visit the CWE Calendar for information on this and other events.

March 12, 2008

U.S. National Vulnerability Database (NVD) Now Includes CWE Mappings

The U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) now uses CWE mappings to differentiate the CVE Identifiers upon which NVD is built by the type of vulnerabilities they represent.

As detailed on the dedicated "CWE - Common Weakness Enumeration" page on the NVD Web site: "NVD integrates CWE into the scoring of CVE vulnerabilities by providing a cross section of the overall CWE structure. NVD analysts score CVEs using CWEs from different levels of the hierarchical structure. This cross section of CWEs allows analysts to score CVEs at both a fine and coarse granularity, which is necessary due to the varying levels of specificity possessed by different CVEs." Visit NVD to view the CWE subset.

NVD, CVE, and CWE are sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

MITRE Scheduled to Present "Making Security Measurable" Briefing at SEPG North America 2008 on March 18

CWE Project Manager/CVE Compatibility Lead Robert A. Martin is scheduled to present a Making Security Measurable briefing entitled "Architecting Security for Enterprise Process Improvement" at SEPG North America 2008 on March 18, 2008 at the Tampa Convention Center in Tampa, Florida, USA.

Visit the CWE Calendar for information on this and other events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

CWE Presents Briefing to Source Boston 2008 on March 12

CWE Program Manager Robert A. Martin presented a briefing about CWE entitled "Having a Defined Target for Software Security Testing" at SOURCE Boston 2008 on March 12, 2008 in Cambridge, Massachusetts, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE hosted a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference exposed the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

February 13, 2008

CWE Mentioned in SC Magazine Article about Vulnerability Management

CWE was mentioned in an article entitled "Vulnerability management: weathering the storm" in the February 1, 2008 issue of SC Magazine. CWE is mentioned in a section entitled "MITIGATING RISKS: The development phase" when the author states: "Common Weakness Enumeration (CWE) [is] a dictionary of common mistakes made when developing software, such as buffer overflows or cross-site scripting. The initiative, which kicked off about 1 1/2 years ago and is starting to gain momentum, is a natural offshoot of its eight-year-old Common Vulnerabilities and Exposure project."

The article quotes CWE Technical Lead and CVE List Editor Steve Christey, who states: "We found that many programmers make the exact same kind of mistakes, regardless of what kind of software they're developing. CWE starts to catalog those common mistakes that get made." The article also quotes CWE Program Manager Robert A. Martin, who states: "The hope is that the CWE lexicon can serve as a reference guide for software developers. There are specific things that people can look for."

The article also mentions MITRE's Common Vulnerabilities and Exposures (CVE) List.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference will expose the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

CWE to Present Briefing to SEPG North America 2008 on March 18-20

CWE Program Manager Robert A. Martin is scheduled to present a briefing about CWE/Making Security Measurable at SEPG North America 2008 on March 18-20, 2008 in Tampa, Florida, USA.

Visit the CWE Calendar page for information on this and other upcoming events. Contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

CWE Presents Briefing to DHS/DoD SwA Forum on January 30 - February 2

CWE Program Manager Robert A. Martin presented a briefing about CWE to the DHS/DoD SwA Working Group Meeting Session on January 30 - February 2, 2008 in McLean, Virginia, USA.

Visit the CWE Calendar page for information on this and other upcoming events.

January 30, 2008

Eighth Draft of CWE Now Available

The eighth draft of CWE has been posted on the CWE List page. It includes several important changes. A report is available that lists specific differences between Draft 7 and Draft 8.

Specific changes for Draft 8 include:

- modification of the schema and updated documentation;
- addition of support for related projects, including mappings to CAPEC and white box definitions for CWE formalization;
- new nodes for secure design principles and to fill some gaps with CAPEC;
- modification of other nodes to concentrate more on the underlying weakness instead of the attack;
- new relationships defined to support chains and composites that illustrate how weaknesses can be combined to form vulnerabilities;
- each node labeled with the role it plays with respect to others; and
- two new reports regarding prioritization of elements.

We welcome any comments about CWE at cwe@mitre.org.

MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference exposed the CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and Making Security Measurable efforts to information security professionals from government and industry. Visit the CWE Calendar for information on this and other events.

January 16, 2008

SkillBridge, LLC Makes Declaration of CWE Compatibility

SkillBridge, LLC declared that its Secure Application Development Training Courses will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

January 3, 2008

MITRE Announces Initial 'Making Security Measurable' and CWE Calendar of Events for 2008

MITRE has announced its initial Making Security Measurable and CWE-specific calendar of events for the first half of 2008. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Making Security Measurable booths and/or briefings:

CWE-specific briefings:

Other events will be added throughout the year. Visit the CWE Calendar for information or contact cwe@mitre.org to have CWE present a briefing or participate in a panel discussion about CWE, CAPEC, CVE, CCE, CME, CEE, CPE, CRF, OVAL, and/or Making Security Measurable at your event.

Page Last Updated: March 30, 2018