CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > News > News & Events - 2011 Archive  
ID

News & Events - 2011 Archive
News & Events - 2011 Archive

December 7, 2011
December 7, 2011

CWE/CAPEC/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE, CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, and MAEC Program Manager Penny Chase presented a briefing about MAEC, to the DHS/DoD SwA Working Group Meeting Session on November 28 – December 2, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

November 22, 2011
November 22, 2011

CWE/CAPEC/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting, November 28 – December 2

CWE/CAPEC Program Manager Robert A. Martin will present a briefing about CWE, CAPEC/CWE Co-Founder and Architect Sean Barnum will present a briefing about CAPEC, and MAEC Program Manager Penny Chase will present a briefing about MAEC, to the DHS/DoD SwA Working Group Meeting Session on November 28 – December 2, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CAPEC/CybOX/MAEC Briefings at Open Group Security Workshop

CWE/CAPEC Co-Founder and Architect Sean Barnum presented briefings about Common Attack Pattern Enumeration and Classification (CAPEC) and Cyber Observable Expression (CybOX) and MAEC Architect Ivan Kirillov presented a briefing about Malware Attribute Enumeration and Characterization (MAEC) at Open Group Security Workshop on November 16, 2011 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

CWE/SANS Top 25 Briefing at Massachusetts Institute of Technology

CWE Program Manager Robert A. Martin presented a briefing about the CWE/SANS Top 25 Most Dangerous Software Errors List as part of MIT's "Architecting Software Systems - Applied Cyber/Physical Security Speaker" Series at the Massachusetts Institute of Technology (MIT) on November 15, 2011 in Cambridge, Massachusetts, USA.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/SwA Briefing at U.S Coast Guard Operations Systems Center

CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CWE/CAPEC/SwA at the Operations Systems Center of the U.S. Coast Guard on November 15, 2011 in Kearneysville, West Virginia, USA.

Visit the CWE Calendar for information on this and other events.

CAPEC Briefing and Open Architecture Panel Discussion at Defense Daily Open Architecture Summit 2011

CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about Common Attack Pattern Enumeration and Classification (CAPEC) and participated on a discussion panel entitled "DHS Enterprise and Open Architecture" at Defense Daily Open Architecture Summit 2011 on November 9, 2011 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

November 4, 2011
November 4, 2011

CWE Used in U.S. Department of Energy Vulnerability Analysis Report of Energy Delivery Control Systems

CWE was used in a September 2011 report from the U.S. Department of Energy entitled Vulnerability Analysis of Energy Delivery Control Systems that "describes the common vulnerabilities on energy sector control systems, and provides recommendations for vendors and owners of those systems to identify and reduce those risks." The report findings were "mapped to software weakness types defined by the Common Weakness Enumeration (CWE) to the extent possible … so that Supervisory Control and Data Acquisition (SCADA)" vendors and owners can refer to the CWE for additional guidance in identifying, mitigating, and preventing weaknesses that cause vulnerabilities." Common Vulnerability Scoring System (CVSS) was also used to prioritize the vulnerabilities according to the relative risk they pose to the SCADA system.

The report is available for free download at http://energy.gov/sites/prod/files/Vulnerability Analysis of Energy Delivery Control Systems 2011.pdf.

CWE Mentioned in Article about Cloud Security in SDTimes.com

The CWE/SANS Top 25 was mentioned in an October 14, 2011 article entitled "How can you stay one step ahead in security for the cloud?" on SDTimes.com. The Top 25 was mentioned in a quote by Gwyn Fisher, CTO of Klocwork, Inc., regarding the "fact that many programmers are still making the same easily avoided mistakes."

Fisher states: "It's the same set that forms the core of the CWE Top 25, the same set that any two-minute Google search will give you more information on than you could possibly imagine. So is there a light at the end of this particularly repetitive tunnel? I'm much more a fan of removing weakness than managing exploits, as I firmly take the stance that the investment leverage gained from weakness-removal so vastly outweighs any time/effort/money put into exploits as to make the latter laughable. As a counterpoint, however, and as was widely published in a study performed by one of our competitors several years back, the average developer pays way more attention to a report of an identified exploit than they ever do to a report of a weakness, however well-described in their code."

Klockwork, Inc. is a member of the CWE Community and a participant in the CWE Compatibility and Effectiveness Program. The article also included quotes from other CWE Community and CWE Compatibility Program participants.

CAPEC Briefing and Panel Discussion at Defense Daily Open Architecture Summit 2011, November 9

CWE/CAPEC Co-Founder and Architect Sean Barnum will present a briefing about Common Attack Pattern Enumeration and Classification (CAPEC) and participate on discussion panel entitled "DHS Enterprise and Open Architecture" at Defense Daily Open Architecture Summit 2011 on November 9, 2011 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

CAPEC and CybOX Briefings at Open Group Security Workshop, November 16

CWE/CAPEC Co-Founder and Architect Sean Barnum will present briefings about Common Attack Pattern Enumeration and Classification (CAPEC) and Cyber Observable Expression (CybOX) at Open Group Security Workshop on November 16, 2011 in Washington, D.C., USA.

Visit the CWE Calendar for information on this and other events.

CWE/MAEC/SwA Workshops and CWE/Making Security Measurable Booth at IT Security Automation Conference 2011

CWE, CWRAF, CCR, Cyber Observable Expression (CybOX), MAEC, and Making Security Measurable were discussion topics at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 – November 2, 2011 in Arlington, Virginia, USA. The CWE Team also to contributed to the CWE, CWRAF, CCR, CybOX, and SwA-related workshops, and MITRE hosted a CWE/Making Security Measurable booth.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/SwA Briefings at Industrial Control Systems Joint Working Group 2011 Fall Conference

CWE/CAPEC Program Manager Robert A. Martin and Deputy Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Richard J. Struse presented briefings about CWE, CAPEC, and Software Assurance (SwA) at Industrial Control Systems Joint Working Group 2011 Fall Conference on October 24-27, 2011 in Long Beach, California, USA.

Visit the CWE Calendar for information on this and other events.

October 7, 2011
October 7, 2011

CWE/CAPEC/SwA Briefings at Industrial Control Systems Joint Working Group 2011 Fall Conference, October 24-27

CWE/CAPEC Program Manager Robert A. Martin and Deputy Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Richard J. Struse will present briefings about CWE, CAPEC, and Software Assurance (SwA) at Industrial Control Systems Joint Working Group 2011 Fall Conference on October 24-27, 2011 in Long Beach, California, USA.

Visit the CWE Calendar for information on this and other events.

CWE/MAEC/SwA Workshops at IT Security Automation Conference 2011, October 31 – November 2

CWE, CWRAF, CCR, Cyber Observable Expression (CybOX), MAEC, and Making Security Measurable will be discussion topics at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 – November 2, 2011 in Arlington, Virginia, USA. The CWE Team is also scheduled to contribute to the CWE, CWRAF, CCR, CybOX, and SwA-related workshops, and MITRE will host a CWE/Making Security Measurable booth.

The main purpose of the conference is to discuss Security Content Automation Protocol (SCAP) and "strategies for implementing continuous monitoring, using security automation tools and technologies to ease the technical burdens of policy compliance, and innovated uses of automation across the enterprise in both government and industry applications". SCAP uses the CVE, CCE, CPE, OVAL, XCCDF, and CVSS community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation."

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/Software Assurance Briefings at (ISC)² Security Congress 2011

CWE/CAPEC Program Manager Robert A. Martin presented a briefing entitled "How to Measure Software Security"; Michele Moss, CISSP, CSSLP, and lead associate at Booz Allen Hamilton, Inc. presented a briefing entitled "Why Do Developers Make Dangerous Software Errors?"; and Paul Nguyen, CISSP, CISA, CGEIT, and vice president of cyber solutions for Knowledge Consulting Group presented a briefing entitled "Improve Your SDLC with CAPEC and CWE" at (ISC)² Security Congress 2011 on September 19-21, 2011 at Orange County Convention Center in Orlando, Florida, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek participated in a Software Assurance wrap-up discussion panel.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Briefing and Making Security Measurable Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop

CWE/CAPEC Program Manager Robert A. Martin presented a CWE/CAPEC/MAEC briefing and a Making Security Measurable briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a Software Assurance briefing.

Visit the CWE Calendar for information on this and other events.

September 13, 2011
September 13, 2011

CWE Celebrates 5 Years!

CWE began five years ago this month with just under 500 separate weakness types listed for the first time on the public CWE Web site and 37 information security community organizations participating in the CWE Community. Since then, CWE has truly become an industry standard. The CWE List has grown to 807 individual weakness types and the CWE Community has grown to 49 organizations along with 506 members participating in the development of CWE on the CWE Researcher email discussion list. In addition, more than 31 organizations from around the world have made declarations of CWE Compatibility for 53 products and services.

In 2009, CWE and SANS Institute issued their first-ever "Top 25" community consensus list of the most widespread and critical CWEs that could allow attackers to completely take over software, steal data, or prevent software from working at all. A second version was released in 2010, and the most recent version of the CWE/SANS Top 25 Most Dangerous Software Errors List was released in June 2011. The 2011 Top 25 also included a set of "Monster Mitigations" to help developers more easily reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the hundreds of other weaknesses that are documented by CWE. The Top 25 list has been extremely popular since its inception and each annual release continues to generate significant news media coverage worldwide.

CWE in Use

The information security community endorsed the importance of "CWE-Compatible Products and Services" from the moment the compatibility program was launched in late December 2006. As quickly as January 2007 there were 7 organizations participating with declarations of compatibility for 15 products. Today, there are 53 organizations and 31 products and services listed on the CWE Web site and use of CWE is actively enhancing these areas of enterprise security: assessment and remediation tools, assessment services, database/knowledge repositories, education offerings, and software development practices. And the list of products and services continues to grow, with new updates announced regularly on the CWE News and Events page.

In 2011, a major milestone was achieved in the compatibility program with the launch of CWE Coverage Claims Representation (CCR), a means for software analysis vendors to convey to their customers exactly which CWE-identified weaknesses they claim to be able to locate in software via standardized CCR documents written in XML.

MITRE also launched two additional efforts in 2011 to help the community further leverage CWE for their enterprises: the Common Weakness Scoring System (CWSS), a community-based effort for scoring software coding errors found in software applications in a consistent, flexible, and open manner while accommodating context for the various stakeholders and business domains across government, academia, and industry; and Common Weakness Risk Analysis Framework (CWRAF), a way for organizations to apply CWSS using specialized scenarios, or "vignettes," that identify the business-value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies. We are now actively advising organizations in using the Top 25, CWSS, and CWRAF in their enterprises.

Our Anniversary Celebration

It is your participation and endorsement that have transformed CWE into the community standard for software weakness types. We thank all you who have in any way used CWE, the Top 25, CWSS, or CWRAF in your products, research, or processes; promoted the use of CWE, the Top 25, CWSS, or CWRAF; and/or adopted products or services that incorporate CWE for your enterprise. We would also like to thank our sponsor throughout these five years, the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS), for their past and current funding and support.

We welcome any comments or feedback about CWE at cwe@mitre.org.

CWE Version 2.1 Now Available

CWE Version 2.1 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.0 and Version 2.1.

In total, 133 entries had major changes. The most significant changes include: (1) creation of 16 new entries for the CERT C++ Secure Coding Standard; (2) changes to 97 taxonomy mappings to support the various CERT coding standards for C, C++, and Java; and (3) modifications to over 30 entries for potential mitigations and references, in support of an updated pocket guide for mitigating the Top 25 Most Dangerous Software Errors, which will be released in the future.

The schema was updated to support reference management in future CWE versions (Local_Reference_ID attribute). The Likelihood attribute for Impact_Type was also defined to identify how likely it is for a given technical impact to occur when a particular weakness is present.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Is Main Topic of Secure Coding Article in COTS Journal

CWE is the main topic of an article entitled "CWE Initiative Helps Secure Code Development Efforts" in the July 2011 issue of COTS Journal: The Military Journal of Electronics & Computing. The article explains what CWE is, how it is works, its relationship to Common Vulnerabilities and Exposures (CVE), and the benefits of secure coding.

The author states: "As the implementation of standards like CWE becomes more widespread, a tool vendor’s experience and reputation in security- and safety-critical expertise will be invaluable. Use of qualified and well-integrated tools ensures that the developers can automate the process more easily and efficiently. Creating a secure development community using standards, technologies and a well-integrated development environment promotes a continuous process of improvement. And, a focus on secure development lifecycle principles and practices will result in the ongoing production of software systems that are more dependable, trustworthy and extensible."

CWE, CWSS, and CWRAF Are Main Topics of Virtualization Practice Interview

CWE was the main focus of a Virtualization Security podcast entitled "MITRE – Two New Tools to Help with PaaS and Risk Assessment" on the Virtualization Practice Web site on August 15, 2011. The podcast was an interview with CWE/CAPEC Program Manager Robert A. Martin about how CWE, CWSS, and CWRAF can "be used by those that program within a PaaS environment, make use of SaaS, or other cloud services."

CWE/CAPEC/Software Assurance Briefings at (ISC)² Security Congress 2011, September 19-21

CWE/CAPEC Program Manager Robert A. Martin will present a briefing entitled "How to Measure Software Security"; Michele Moss, CISSP, CSSLP, and lead associate at Booz Allen Hamilton, Inc. will present a briefing entitled "Why Do Developers Make Dangerous Software Errors?"; and Paul Nguyen, CISSP, CISA, CGEIT, and vice president of cyber solutions for Knowledge Consulting Group will present a briefing entitled "Improve Your SDLC with CAPEC and CWE" at (ISC)² Security Congress 2011 on September 19-21, 2011 at Orange County Convention Center in Orlando, Florida, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will participate in a Software Assurance wrap-up discussion panel.

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Briefing and Making Security Measurable Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop, September 26

CWE/CAPEC Program Manager Robert A. Martin will present a CWE/CAPEC/MAEC briefing and a Making Security Measurable briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a Software Assurance briefing.

August 19, 2011
August 19, 2011

Astyran Pte Ltd. Makes Three Declarations of CWE Compatibility

Astyran Pte Ltd. declared that its Web Application Vulnerability Assessment, Secure Design Review, and Secure Code Review services are CWE-Compatible.

For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE/CAPEC/MAEC Briefing and Making Security Measurable Briefing at GFIRST 2011

CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum, and MAEC Program Manager Penny Chase presented a CWE/CAPEC/MAEC briefing and a Making Security Measurable at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA.

Visit the CWE Calendar for information on this and other events.

August 4, 2011
August 4, 2011

CWE/CAPEC/MAEC Briefing and Making Security Measurable Briefing at GFIRST 2011, August 8-12

CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum, and MAEC Program Manager Penny Chase will present a CWE/CAPEC/MAEC briefing and a Making Security Measurable at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA.

Visit the CWE Calendar for information on this and other events.

CWE/Making Security Measurable Booth at Black Hat Briefings 2011

MITRE hosted a CWE/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how the CWE, CAPEC, MAEC, CVE, CCE, CPE, CEE, OVAL, etc., information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

July 20, 2011
July 20, 2011

2011 CWE/SANS Top 25 Most Dangerous Software Errors List Receives Extensive News Coverage

CWE and the SANS Institute posted the completed 2011 CWE/SANS Top 25 Most Dangerous Software Errors list on the CWE and SANS Web sites on June 27, 2011. A collaboration between the SANS Institute, MITRE, and over top software security experts in the U.S. and Europe, the list provides detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them.

The release received extensive news media coverage:

EC-Council Makes Declaration of CWE Compatibility

EC-Council declared that its educational offering, EC-Council Certified Secure Programmer, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE/Making Security Measurable Booth at Black Hat Briefings 2011

MITRE will host a CWE/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 307 and say hello!

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting

CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum presented briefings about the Top 25, CWE, CWSS, CWRAF, CAPEC, MAEC, CybOX, SAFES, and CEE to the DHS/DoD SwA Working Group Meeting Session on June 28-30, 2011 at MITRE Corporation in McLean, Virginia, USA.

MITRE also hosted a press conference at the event for the release of the 2011 CWE/SANS Top 25 Software Errors list, which resulted in extensive news coverage.

Visit the CWE Calendar for information on this and other events.

June 27, 2011
June 27, 2011

2011 Top 25 Most Dangerous Software Errors List Now Available

The 2011 version of the SANS/MITRE Top 25 Most Dangerous Software Errors that can lead to serious software vulnerabilities is now available on the CWE and SANS Web sites. Based primarily on the CWE List and leveraging the SANS Top 20 attack vectors, the main goal of the Top 25 list is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped. The list is a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers may also use the list to help them to ask for more secure software, and software managers and CIOs can use the Top 25 as a measuring stick of progress in their efforts to secure their software.

The 2011 Top 25 makes improvements to the 2010 list, but the spirit and goals remain the same. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence, importance, and likelihood of exploit. It uses the Common Weakness Scoring System (CWSS) to score and rank the final results. The Top 25 list covers a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the hundreds of weaknesses that are documented by CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Version 2.0 Now Available

CWE Version 2.0 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.13 and Version 2.0.

CWE 2.0 represents a significant milestone since the original release of CWE 1.0 in September 2008. Since then, 136 new entries have been added. Major changes were made to 93% of the 734 entries that were in CWE 1.0. More than half of the CWE 1.0 entries had their descriptions or relationships change; more than 30% had changes in their names or demonstrative code examples. The release of CWE 2.0 coincides with the release of the 2011 CWE/SANS Top 25, CWSS 0.8, and CWRAF 0.8, all of which also drove improvements to CWE itself.

The schema was updated to extend the Technical Impact enumeration and reorganize some elements so they could be used externally.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWSS Version 0.8 Now Available

Version 0.8 of the Common Weakness Scoring System (CWSS) is now available for community review and comment on the CWE Web site. A detailed report is available that lists specific changes between Version 0.4 and Version 0.8.

CWSS 0.8 is a significant revision over the previous versions with a better formula, and improvements in the values and weights for individual factors. Comments on CWSS and CWRAF are welcome at cwss@mitre.org.

CWSS is being developed by the Common Weakness Enumeration (CWE) project, which is co-sponsored by the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS).

CWRAF Version 0.8 Now Available

Version 0.8 of the Common Weakness Risk Analysis Framework (CWRAF) is now available for community review and comment on the CWE Web site. CWRAF provides a way for organizations to apply the Common Weakness Scoring System (CWSS) using specialized scenarios ("vignettes") that identify the business value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies. In conjunction with other activities, CWRAF ultimately helps software developers and consumers to introduce more secure software into their operational environments.

CWRAF, which is a part of the CWE project, is co-sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security. We encourage members of the community to review the CWRAF specification and send feedback to cwss@mitre.org.

Coverage Claims Representation (CCR) Added to CWE Compatibility Program

Coverage Claims Representation (CCR) is a means for software analysis vendors to convey to their customers exactly which CWE-identified weaknesses they claim to be able to locate in software. CCR documents are written in Extensible Markup Language (XML) based upon the CCR schema.

Each CCR claim document will include the name of the organization making the claim and its product, date the coverage claim was made, where the tool or service claims to be able to find weaknesses (i.e., which programming languages and/or binary formats are being analyzed), and will list the specific CWE Identifiers for which coverage is claimed and details of that coverage.

Note that organizations make these claims on the honor system and neither the CCR itself nor the CWE Compatibility and Effectiveness Program verify or otherwise vet the CCR statements of coverage. See the CCR page for an example and/or more information.

CWE Compatibility Requirements Document Updated

The Requirements and Recommendations for CWE Compatibility and CWE Effectiveness document has been updated to reflect the addition of Coverage Claims Representation (CCR) to the CWE Compatibility and Effectiveness Program section.

CWE Included as Reporting Requirement in 2011 FISMA Continuous Monitoring Compliance Document

CWE was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology. The document provides cybersecurity status reporting metrics for government agencies under the Federal Information Security Management Act (FISMA) that focus on the ability to automate system monitoring and security controls.

CWE is included as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."

June 1, 2011
June 1, 2011

CWE Version 1.13 Now Available

CWE Version 1.13 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.12 and Version 1.13.

In total, 682 entries had major changes. The main changes for the new release include: (1) creation of 21 new entries, mostly related to type confusion, authorization, and the CERT Oracle secure coding standard for Java; (2) changes in the relationships of 136 entries and taxonomy mappings of 127 entries, mostly in support of the CERT/Oracle Java coding standard; and (3) modified or updated common consequences for 678 entries to provide technical impacts to support the Common Weakness Risk Analysis Framework (CWRAF) customization of Common Weakness Scoring System (CWSS).

The schema was updated to extend the Technical Impact enumeration and reorganize some elements so they could be used externally.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE/CAPEC/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting, June 28-30

CWE/CAPEC Program Manager Robert A. Martin will present a briefing about CWE, CWE/CAPEC Co-Founder and Architect Sean Barnum will present a briefing about CAPEC, and MAEC Program Manager Penny Chase will present a briefing about MAEC to the DHS/DoD SwA Working Group Meeting Session on June 28-30, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

May 26, 2011
May 26, 2011

Agenda Now Available for MITRE's 2011 Security Automation Developer Days Conference on June 14-17

The agenda for MITRE's free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf.

For registration, lodging, and other conference details please visit the conference registration page.

CWE/CAPEC Tutorial and Software Assurance Panel Discussion at Systems & Software Technology Conference 2011

CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum presented a CWE/CAPEC tutorial entitled "Understanding System Weaknesses and How They Could Be Attacked" and participated on a Software Assurance discussion panel at Systems & Software Technology Conference 2011 on May 16-19, 2011 in Salt Lake City, Utah, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a briefing entitled "Resilient Software: Security Automation and Measurement Enablers" on May 18.

Visit the CWE Calendar for information on this and other events.

May 11, 2011
May 11, 2011

CWE/CAPEC Tutorial and Software Assurance Panel Discussion at Systems & Software Technology Conference 2011, May 16-19

CWE/CAPEC Program Manager Robert A. Martin and CWE/CAPEC Co-Founder and Architect Sean Barnum will present a CWE/CAPEC tutorial entitled "Understanding System Weaknesses and How They Could Be Attacked" and participate on a Software Assurance discussion panel at Systems & Software Technology Conference 2011 on May 16-19, 2011 in Salt Lake City, Utah, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a briefing entitled "Resilient Software: Security Automation and Measurement Enablers" on May 18.

Visit the CWE Calendar for information on this and other events.

MITRE to Host Security Automation Developer Days 2011 on June 14-17

MITRE Corporation will host the third Security Automation Developer Days conference on June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA. This four-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) — and the existing CVE, OVAL, CCE, CPE, XCCDF, OCIL, and CVSS community standards it uses — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging security automation standards are addressed at this workshop.

An agenda will be available soon. For registration, lodging, and other conference details please visit https://register.mitre.org/devdays/.

April 28, 2011
April 28, 2011

Common Weakness Risk Analysis Framework for CWSS Now Available

The Common Weakness Risk Analysis Framework (CWRAF) provides a way for organizations to apply the Common Weakness Scoring System (CWSS) using specialized scenarios ("vignettes") that identify the business value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies. In conjunction with other activities, CWRAF ultimately helps software developers and consumers to introduce more secure software into their operational environments.

CWRAF includes a mechanism for measuring risk of weaknesses in a way that is closely linked with the risk to the business or mission; supports the automatic selection and prioritization of relevant weaknesses, customized to the specific needs of the business or mission; can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance; and allows users to create custom Top-N lists to rank classes of weaknesses independent of any particular software package, in order to prioritize them relative to each other (e.g., "buffer overflows are higher priority than memory leaks"). This "Top-N list" approach is also used by the CWE/SANS Top 25, OWASP Top Ten, and similar efforts.

CWRAF, which is a part of the CWE project, is co-sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security. We encourage members of the community to review the CWRAF specification and send feedback to cwss@mitre.org.

CWSS Version 0.4 Now Available

Version 0.4 of the Common Weakness Scoring System (CWSS) white paper is now available for community review and comment on the CWE Web site. A detailed report is available that lists specific changes between Version 0.3 and Version 0.4.

The CWSS 0.4 white paper is a significant revision over the previous version, based on important feedback from the community. The most systemic change was moving the vignette-related concepts to the new Common Weakness Risk Analysis Framework (CWRAF) so that CWSS is now focused solely on the metrics and formulas. Documentation was also updated to better explain how CWSS is different from the Common Vulnerability Scoring System (CVSS) and that the two efforts operate mostly in different stages also of the software lifecycle. It also includes systemic changes to factors with the addition of four factors (for a new total of 18) for scoring as part of the new approach of having four "layers" of concern—System, Application, Network, and Enterprise (SANE)—that overcomes the previous system-only bias of CVSS. By using SANE layers in conjunction with factors related to technical impact a more fine-grained description of attack scenarios can now be represented. A "default" value was also added for each factor for consumers unable to do their own customization, which also provides tool vendors or services with a reasonable, repeatable starting value in low-information scenarios. Other factor and formula changes were also made. Comments on CWSS and CWRAF are welcome at cwss@mitre.org.

CWSS is being developed by the Common Weakness Enumeration (CWE) project, which is co-sponsored by the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS).

MITRE Hosts CWE/Making Security Measurable Booth at InfoSec World 2011

MITRE hosted a CWE/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney's Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011. Attendees learned how information security data standards such as CWE, CAPEC, MAEC, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

April 15, 2011
April 15, 2011

CWE Included in Department of Homeland Security’s Enabling Distributed Security in Cyberspace White Paper

CWE was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats — creating and exchanging trusted information and coordinating courses of action in near real time."

The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.

The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.

The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.

MITRE to Host CWE/Making Security Measurable Booth at InfoSec World 2011, April 19-21

MITRE will host a CWE/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011.

Members of the CWE Team will be in attendance. Please stop by Booth 307 and say hello!

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC Briefing and Software Assurance Panel at Quality Engineered Software and Testing (QUEST) Conference

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE/CAPEC and participated on a panel discussion entitled "Software Assurance: Enabling Quality Assurance to Better Address Software Security and Resilience" at the Quality Engineered Software and Testing (QUEST) Conference on April 6, 2011 in Boston, Massachusetts, USA. The discussion panel was moderated by Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek.

Visit the CWE Calendar for information on this and other events.

March 30, 2011
March 30, 2011

CWE Version 1.12 Now Available

CWE Version 1.12 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 1.11 and Version 1.12.

The main changes for the new release include: (1) creation of 9 new entries, mostly related to iteration, authentication, and business logic; (2) changes in the names of 38 entries, and descriptions of 37 entries; (4) modified mitigations for 80 entries, primarily to further normalize the mitigation text; (5) updates to relationships for 58 entries, many for sub-tree reorganization for access control; (6) updates to the demonstrative examples in 42 entries, primarily using PHP examples; and (7) major changes to 236 entries. There were no deprecations or schema changes.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

The CWE/SANS Top 25 has been updated to reflect the changes in CWE content.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE/CAPEC Briefing and Software Assurance Panel at Quality Engineered Software and Testing (QUEST) Conference, April 4-8

CWE/CAPEC Program Manager Robert A. Martin will present a briefing about CWE/CAPEC and participate on a panel discussion entitled "Software Assurance: Enabling Quality Assurance to Better Address Software Security and Resilience" at the Quality Engineered Software and Testing (QUEST) Conference on April 6, 2011 in Boston, Massachusetts, USA. The discussion panel will be moderated by Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek.

Visit the CWE Calendar for information on this and other events.

MITRE Hosts CWE/Making Security Measurable Booth at 2011 Information Assurance Symposium

MITRE hosted a CWE/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions. Attendees learned how information security data standards such as CWE, CAPEC, MAEC, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

March 7, 2011
March 7, 2011

Revised Common Weakness Scoring System (CWSS) White Paper Now Available

A revised version of the Introduction to the Common Weakness Scoring System (CWSS) white paper is now available for community review and download on the CWE Web site. The majority of the development and refinement of the first major version of CWSS is expected to occur during 2011.

The CWSS 0.3 white paper is a significant improvement over the first release, based on important feedback from the community. It includes several overview images for the framework. It defines technology groups, adds more business domains, and defines more vignettes. It provides more details on the scoring methods and provides more details for each factor, including which factors may be considered for removal. It also provides some example scores and defines CWSS vectors. The white paper concludes by presenting future activities and ways that the community can participate, and providing appendices that cover related efforts.

CWSS is being developed by the Common Weakness Enumeration (CWE) project, which is co-sponsored by the National Cyber Security Division (NCSD) of the US Department of Homeland Security (DHS).

IBM Rational Makes Two Declarations of CWE Compatibility

IBM Rational declared that its two web application security assessment tools, Rational AppScan Standard Edition and Rational AppScan Express Edition, are CWE-Compatible.

For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

MITRE to Host CWE/Making Security Measurable Booth at the 2011 Information Assurance Symposium, March 8-10

MITRE will host a CWE/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions.

Members of the CWE Team will be in attendance. Please stop by Booth 217 and say hello!

Visit the CWE Calendar for information on this and other events.

CWE/CAPEC/MAEC Briefings at DHS/DoD/NIST SwA Forum

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE, CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, and MAEC Program Manager Penny Chase presented a briefing about MAEC to the DHS/DoD/NIST SwA Forum on February 28 – March 4, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

MITRE Hosts CWE/Making Security Measurable Booth at RSA 2011

MITRE hosted a CWE/Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Attendees learned how information security data standards such as CWE, CAPEC, MAEC, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

CWE Adopter photos:

Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011

Making Security Measurable booth photos:

Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011 Photo from RSA 2011

Visit the CWE Calendar for information on this and other events.

February 14, 2011
February 14, 2011

Updated Common Weakness Scoring System (CWSS) White Paper Now Available

An updated version of the Introduction to the Common Weakness Scoring System (CWSS) white paper is now available for community review and download on the CWE Web site. The majority of the development and refinement of the first major version of CWSS is expected to occur during 2011.

The CWSS 0.2 white paper is a significant improvement over the first release, based on important feedback from the community. It further clarifies the "vignette" concept to allow users to integrate business considerations into the scoring, as captured in the Business Value Context. Nine different vignettes are provided as examples. CWSS 0.2 identifies 14 separate factors that may contribute to a CWSS score. The white paper concludes by presenting future activities and ways that the community can participate, and providing appendices that cover related efforts.

CWSS is being developed by the Common Weakness Enumeration (CWE) project, which is co-sponsored by the National Cyber Security Division (NCSD) of the US Department of Homeland Security (DHS).

CWE/CAPEC/MAEC Briefings at DHS/DoD/NIST SwA Forum, February 28 - March 4

CWE/CAPEC Program Manager Robert A. Martin will present a briefing about CWE, CWE/CAPEC Co-Founder and Architect Sean Barnum will present a briefing about CAPEC, and MAEC Program Manager Penny Chase will present a briefing about MAEC to the DHS/DoD/NIST SwA Forum on February 28 – March 4, 2011 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

February 11, 2011
February 11, 2011

LDRA Makes Two Declarations of CWE Compatibility

LDRA declared that its two static and dynamic software analysis tools, LDRA Testbed and TBvision, are CWE-Compatible.

For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Software Assurance Keynote and Making Security Measurable Table Booth at International Conference on Software Quality

Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a Keynote entitled "Software Assurance: Building in Security as a Requisite Enabler for Safety Critical Software" at the International Conference on Software Quality on February 8, 2011 in San Diego, California, USA. There was also a Making Security Measurable table booth during the expo portion of the event from February 8-10.

Visit the CWE Calendar for information on this and other events.

February 7, 2011
February 7, 2011

Software Assurance Keynote at International Conference on Software Quality, February 8

Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a Keynote entitled "Software Assurance: Building in Security as a Requisite Enabler for Safety Critical Software" at the International Conference on Software Quality on February 8, 2011 in San Diego, California, USA.

There will also be a Making Security Measurable table booth during the expo portion of the event, which runs February 8-10.

Visit the CWE Calendar for information on this and other events.

MITRE to Host CWE/Making Security Measurable Booth at RSA 2011, February 14-18

MITRE will host a CWE/Making Security Measurable at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Attendees will learn how information security data standards such as CWE, CAPEC, MAEC, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CWE Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the CWE Calendar for information on this and other events.

CWE/Making Security Measurable Booth at Black Hat DC 2011

MITRE hosted a CWE/Making Security Measurable booth at Black Hat DC 2011, on January 18-19, 2011 in Arlington, Virginia, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CWE Calendar for information on this and other events.

January 6, 2011
January 6, 2011

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2011

MITRE has announced its initial Making Security Measurable calendar of events for 2011. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the CWE Calendar for information or contact cwe@mitre.org to have MITRE present a briefing or participate in a panel discussion about CWE, CAPEC, MAEC, CVE, CCE, CPE, CEE, OVAL, Software Assurance, and/or Making Security Measurable at your event.

CAPEC/CWE/MAEC Briefings at DHS/DoD/NIST SwA Working Group Meeting

CWE/CAPEC Program Manager Robert A. Martin presented a briefing about CWE, CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about CAPEC, and MAEC Program Manager Penny Chase presented a briefing about MAEC to the DHS/DoD SwA Working Group Meeting Session on December 14-16, 2010 at MITRE Corporation in McLean, Virginia, USA.

Visit the CWE Calendar for information on this and other events.

Page Last Updated: February 21, 2020