News & Events - 2012 Archive
News & Events - 2012 Archive
KDM Analytics Makes Declaration of CWE Compatibility
KDM Analytics declared that its open source vulnerability detection platform, Tool Output Integration Framework (TOIF), is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CXSecurity Makes Declaration of CWE Compatibility
CXSecurity declared that its free source code security research tool, cIFrex, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/CAPEC/MAEC/SwA briefings at DHS/DoD SwA Working Group Meeting Session
CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Common Weakness Enumeration (CWE™), CAPEC/CWE Co-Founder and Architect Sean Barnum presented a briefing about Common Attack Pattern Enumeration and Classification (CAPEC™), and MAEC Program Manager Penny Chase presented a briefing about Malware Attribute Enumeration and Characterization (MAEC™), to the DHS/DoD SwA Working Group Meeting Session on November 27-29, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
CWE/CAPEC/MAEC/SwA briefings at DHS/DoD SwA Working Group Meeting Session, November 27-29
CWE/CAPEC Program Manager Robert A. Martin will present a briefing about Common Weakness Enumeration (CWE™), CAPEC/CWE Co-Founder and Architect Sean Barnum will present a briefing about Common Attack Pattern Enumeration and Classification (CAPEC™), and MAEC Program Manager Penny Chase will present a briefing about Malware Attribute Enumeration and Characterization (MAEC™), to the DHS/DoD SwA Working Group Meeting Session on November 27-29, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
CWE Version 2.3 Now Available
CWE Version 2.3 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.2 and Version 2.3.
The main changes include: (1) updates for mitigations in 373 entries; (2) updates for demonstrative examples in 42 entries; and (3) name changes in 3 entries. In all, 395 entries were modified.
The schema was updated to version 5.2 with some new mitigation strategy elements.
The Top 25 Pocket Guide ("Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses Development") was updated to reflect changes in mitigations.
PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.
1 Product from Red Hat, Inc. Now Registered as Officially "CWE-Compatible"
One additional information security product has achieved the final stage of MITRE’s formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 20 products to-date have been recognized as officially compatible.
The following product is now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
CWE/Making Security Measurable Booth and SwA-Related Briefings at IT Security Automation Conference 2012
MITRE hosted a CWE/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
In addition, Common Weakness Enumeration (CWE™), Structured Threat Information Expression (STIX™), Trusted Automated eXchange of Indicator Information (TAXII™), Malware Attribute Enumeration and Characterization (MAEC™), and Open Vulnerability and Assessment Language (OVAL®) were briefing discussion topics.
Visit the CWE Calendar for information on this and other events.
2 Products from Coverity, Inc. Now Registered as Officially "CWE-Compatible"
Two additional information security products have achieved the final stage of MITRE's formal CWE Compatibility Program and are now officially "CWE-Compatible." The products are now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 19 products to-date have been recognized as officially compatible.
The following products are now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
Fasoo.com, Inc. Makes Declaration of CWE Compatibility
Fasoo.com, Inc. declared that its semantic-based static program analysis engine, SPARROW, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/CAPEC/MAEC/CybOX/STIX/TAXII/SwA Briefings at DHS/DoD SwA Forum Session
CWE/CAPEC/CybOX/STIX Program Manager Robert A. Martin, CWE/CAPEC/CybOX/STIX Co-Founder and Architect Sean Barnum, and Oxford Brookes University’s Clive Blackwell presented a briefing entitled "Continuous Monitoring via Software Assurance Automation" that will include discussion of the Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), Malware Attribute Enumeration and Characterization (MAEC™), and Structured Threat Information Expression (STIX™) efforts, and Sean Barnum and U.S. Department of Homeland Security’s Deputy Director of Software Assurance Richard Struse presented a briefing about STIX/Trusted Automated eXchange of Indicator Information (TAXII™), to the DHS/DoD SwA Forum Session on September 18-20, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
CWE/CAPEC/MAEC/CybOX/STIX/SwA Briefings at DHS/DoD SwA Forum Session, September 18-20
CWE/CAPEC/CybOX/STIX Program Manager Robert A. Martin, CWE/CAPEC/CybOX/STIX Co-Founder and Architect Sean Barnum, and Oxford Brookes University’s Clive Blackwell will present a briefing on September 18th entitled "Continuous Monitoring via Software Assurance Automation" that will include discussion of the Common Weakness Enumeration (CWE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), Malware Attribute Enumeration and Characterization (MAEC™), and Structured Threat Information Expression (STIX™) efforts to the DHS/DoD SwA Forum Session on September 18-20, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
MITRE Hosts CWE/Making Security Measurable Booth at 2012 Information Assurance Expo
MITRE hosted a CWE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CWE Calendar for information on this and other events.
1 Product from High-Tech Bridge Now Registered as Officially "CWE-Compatible"
One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 17 products to-date have been recognized as officially compatible.
The following product is now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
CWE/CWRAF Main Topics of Two Briefings at GFIRST 2012
CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a two-part briefing about Common Weakness Enumeration (CWE™) and Common Weakness Risk Analysis Framework (CWRAF™) entitled "Measuring Software Security, Parts 1&2" at GFIRST 2012 on August 21, 2012 in Atlanta, Georgia, USA.
Visit the CWE Calendar for information on this and other events.
CWE/CWRAF Briefing at GFIRST 2012, August 21
CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a two-part briefing about Common Weakness Enumeration (CWE™) and Common Weakness Risk Analysis Framework (CWRAF™) entitled "Measuring Software Security, Parts 1&2" at GFIRST 2012 on August 21, 2012 in Atlanta, Georgia, USA. The conference itself runs August 19-24.
Visit the CWE Calendar for information on this and other events.
CWE/Making Security Measurable Booth at 2012 Information Assurance Expo, August 27-30
MITRE will host a CWE/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Please visit us at Booth 217 and say hello!
Visit the CWE Calendar for information on this and other events.
MITRE Hosts CWE/Making Security Measurable Booth at Black Hat Briefings 2012
MITRE hosted a CWE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CWE Calendar for information on this and other events.
1 Product from IBM Security Systems Now Registered as Officially "CWE-Compatible"
One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 16 products to-date have been recognized as officially compatible.
The following product is now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CVE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
CWE and CWE/SANS Top 25 Mentioned in Article about Supply Chain Risk Management in CrossTalk Magazine
CWE, the CWE/SANS Top 25 Most Dangerous Programming Errors List, and Common Vulnerabilities and Exposures (CVE®) are mentioned in an article entitled "Supply Chain Risk Management" in the March/April 2012 issue of CrossTalk Magazine: The Journal of Defense Software Engineering.
CWE, the CWE/SANS Top 25, and CVE are mentioned in phase 2 of a section entitled "A Three-phase Code Analysis Process": "Look for common vulnerability patterns … analysts [should] make sure that code reviews cover the most common vulnerabilities and weaknesses. Sources for such common vulnerabilities and weaknesses include the Common Vulnerabilities and Exposures (CVE) and Common Weaknesses Enumeration (CWE) databases, maintained by the MITRE Corporation and accessible on the web at: <http://cve.mitre.org/cve/> and <http://cwe.mitre.org/>. MITRE, in cooperation with the SANS Institute, also maintains a list of the "Top 25 Most Dangerous Programming Errors [13]" that can lead to serious vulnerabilities. The top three classes of errors as of December 2010 were cross-site scripting, SQL injection, and buffer overflows. Static code analysis tool and manual techniques should at a minimum, address these Top 25."
CWE and the CWE/SANS Top 25 are cited again and described in more detail at the end of article in a section entitled "Useful Links".
Briefing Slides from Security Automation Developer Days 2012 Now Available
22 briefing presentations from the Security Automation Developer Days 2012 conference held on July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA are now available for download on the Events and Participation page on the Making Security Measurable Web site, including those for the Malware Attribute Enumeration and Characterization (MAEC™), Cyber Observable Expression (CybOX™), Structured Threat Information eXpression (STIX™), and Trusted Automated eXchange of Indicator Information (TAXII™) presentations.
CAPEC/CybOX/STIX Keynote Briefing at CyberPatterns 2012
CWE/CAPEC/CybOX Co-Founder and Architect Sean Barnum presented a keynote briefing entitled “Leveraging Structured Pattern Representations for Cyber Threat Management” that focuses on Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), and Structured Threat Information eXpression (STIX) at CyberPatterns 2012 on July 10, 2012 in Abingdon, Oxfordshire, United Kingdom.
Visit the CWE Calendar for information on this and other events.
CWE, CWSS, and CWRAF Are Main Topics of Article in IEEE Security and Privacy Magazine
CWE, CWSS, and CWRAF are the main topics of an article entitled “The Software Industry’s ‘Clean Water Act’ Alternative” in the May/June 2012 issue of IEEE Security and Privacy Magazine by CWE Program Manager Robert A. Martin and CWE Technical Lead Steven M. Christey.
The article advocates following the water industry’s example and “implementing processes that can examine software and remove the most dangerous contaminants, given its intended use.” To help enterprises achieve this, the article defines an “approach for organizations to document software’s security-relevant capabilities and rank the various potential technical impacts from CWEs so those CWEs with the most impact to an organization can be prioritized for mitigation. By addressing vulnerable software and finding systematic and verifiable ways to remove these weaknesses, software providers can improve customers’ trust in their systems and possibly avoid a regulatory solution, which might have unintended consequences.”
How to use Common Weakness Scoring System (CWSS) and Common Weakness Risk Analysis Framework (CWRAF) are also described.
MITRE to Host CWE/Making Security Measurable Booth at Black Hat Briefings 2012
MITRE will host a CWE/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 216 and say hello!
Visit the CWE Calendar for information on this and other events.
CAPEC/CybOX/STIX Keynote Briefing at CyberPatterns 2012, July 10
CWE/CAPEC/CybOX Co-Founder and Architect Sean Barnum will present a keynote briefing entitled “Leveraging Structured Pattern Representations for Cyber Threat Management” that focuses on Common Attack Pattern Enumeration and Classification (CAPEC™), Cyber Observable Expression (CybOX™), and Structured Threat Information eXpression (STIX) at CyberPatterns 2012 on July 10, 2012 in Abingdon, Oxfordshire, United Kingdom.
Visit the CWE Calendar for information on this and other events.
CWE/CAPEC/CybOX/SwA Briefings at DHS/DoD/NIST SwA Working Group Meeting
CWE/CAPEC/CybOX Program Manager Robert A. Martin presented a briefing about CWE, and CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented briefings about Common Attack Pattern Enumeration and Classification (CAPEC™) and Cyber Observable Expression (CybOX™), to the DHS/DoD SwA Working Group Meeting Session on June 25-29, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
Checkmarx Makes Three Declarations of CWE Compatibility
Checkmarx declared that its static application security testing/application security code review tool, CxSuite, static code analysis on premise tool, CxEnteprise, and static code analysis on demand tool, CxCloud, are CWE-Compatible.
For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/CAPEC/CybOX/SwA Briefings at DHS/DoD/NIST SwA Working Group Meeting, June 26-28
CWE/CAPEC/CybOX Program Manager Robert A. Martin will present a briefing about CWE, and CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum will present briefings about Common Attack Pattern Enumeration and Classification (CAPEC™) and Cyber Observable Expression (CybOX™), to the DHS/DoD SwA Working Group Meeting Session on June 26-28, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
“Getting Started in Software Assurance (SwA)” Section Added to CWE Web Site
A Getting Started in Software Assurance (SwA) section has been added to the Community section of the CWE Web site. Intended to serve as an “SwA On-Ramp” for the community, the new section introduces specific steps users can take to assess their individual software assurance situation and compose a tailored plan to strengthen their assurance of the integrity, reliability, and robustness of their software supply chain.
The new section includes an introductory landing page along with pages focusing on Engineering for Attacks, Software Quality, Prioritizing Common Weaknesses Based Upon Your Environment, Manageable Steps, Software Assurance Pocket Guide Series, Staying Informed, and Finding More Information about Software Assurance.
Feedback on the new section is welcome at cwe@mitre.org.
CWE/CWSS/CWRAF Briefing and SwA Supply Chain Risk Management Briefing at (ISC)² SecureSDLC 2012
CWE/CAPEC/CybOX Program Manager Robert A. Martin presented a briefing about CWE, Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF) entitled "The Software Industry's 'Clean Water Act' Alternative", and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a briefing entitled "Software Security Assurance: Software Supply Chain Risk Management," at (ISC)² SecureSDLC 2012 on May 17, 2012 in Washington, D.C., USA.
Visit the CWE Calendar for information on this and other events.
CWE Version 2.2 Now Available
CWE Version 2.2 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.1 and Version 2.2.
The main changes include: (1) creation of 23 new entries for two new views: CWE cross-section and Software Fault Patterns; (2) updates for demonstrative examples in 118 entries, and observed examples in 72 entries; (3) improvements to common consequences in 85 entries, improving support of Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™); (4) Common Attack Pattern Enumeration and Classification (CAPEC™) updates for 78 entries; (5) 95 taxonomy mapping modifications to reflect the various CERT secure coding standards; and (6) additional references for 192 entries. In all, 683 entries were modified.
There were no schema modifications for this version.
PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.
1 Product from National Institute of Standards and Technology Now Registered as Officially "CWE-Compatible"
One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 15 products to-date have been recognized as officially compatible.
The following product is now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
WebLayers, Inc. Makes Declaration of CWE Compatibility
WebLayers, Inc. declared that its software development lifecycle guidance and governance tool, WebLayers Center Security Policy Library, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/CWSS/CWRAF Briefing and SwA Supply Chain Risk Management Briefing at (ISC)² SecureSDLC 2012, May 17
CWE/CAPEC/CybOX Program Manager Robert A. Martin will present a briefing about CWE, Common Weakness Scoring System (CWSS), and Common Weakness Risk Analysis Framework (CWRAF) entitled "The Software Industry's 'Clean Water Act' Alternative", and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a briefing entitled "Software Security Assurance: Software Supply Chain Risk Management," at (ISC)² SecureSDLC 2012 on May 17, 2012 in Washington, D.C., USA.
Visit the CWE Calendar for information on this and other events.
CWRAF/CAPEC Briefings at Systems & Software Technology Conference 2012
CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a briefing about the Common Weakness Risk Analysis Framework (CWRAF), and CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum presented a briefing about multi-perspective risk analysis that included discussion of CWE, Common Attack Pattern Enumeration and Classification (CAPEC), and Software Assurance Findings Expression Schema (SAFES), at the Systems & Software Technology Conference 2012 on April 23-26, 2012 in Salt Lake City, Utah, USA
Visit the CWE Calendar for information on this and other events.
Registration Now Open for Security Automation Developer Days 2012, July 9-13
MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).
The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop.
MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.
An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.
SD Elements Makes Declaration of CWE Compatibility
SD Elements declared that its secure application lifecycle management (SALM) tool, SD Elements, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
April 25, 2012
April 25, 2012
1 Product from SECURITY-DATABASE Now Registered as Officially "CWE-Compatible"
One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 14 products to-date have been recognized as officially compatible.
The following product is now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
Participated in “Software Assurance in the DoD” Discussion Panel at Security Solutions 2012
CWE/CAPEC/CybOX Co-Founder and Architect Sean Barnum participated on a discussion panel entitled “Software Assurance in the DoD” at Security Solutions 2012 on April 16-19, 2012 in Tampa, Florida, USA.
Visit the CWE Calendar for information on this and other events.
April 5, 2012
April 5, 2012
CWRAF/CAPEC Briefings at Systems & Software Technology Conference 2012, April 23-26
CWE/CAPEC/CybOX Program Manager Robert A. Martin and Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a briefing about the
Common Weakness Risk Analysis Framework (CWRAF), and CAPEC/CybOX/CWE Co-Founder and Architect Sean Barnum will present a briefing about multi-perspective risk analysis that will include discussion of CWE, Common Attack Pattern Enumeration and Classification (CAPEC), and Software Assurance Findings Expression Schema (SAFES), at the Systems & Software Technology Conference 2012 on April 23-26, 2012 in Salt Lake City, Utah, USA
Visit the CWE Calendar for information on this and other events.
MITRE Hosts CWE/Making Security Measurable Booth at InfoSec World 2012
MITRE hosted a CWE/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as CWE, CAPEC, CybOX, MAEC, CVE, CCE, CPE, CEE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the CWE Calendar for information on this and other events.
CWE/CAPEC/CybOX/MAEC Briefings at DHS/DoD/NIST SwA Forum
CWE/CAPEC/CybOX Program Manager Robert A. Martin presented a briefing about CWE, CWE/CAPEC/CybOX Co-Founder and Architect Sean Barnum presented briefings about CAPEC and CybOX, and MAEC Program Manager Penny Chase and MAEC Architect Ivan Kirillov presented a briefing about MAEC at the DHS/DoD/NIST SwA Forum on March 26–30, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
March 13, 2012
March 13, 2012
National Institute of Standards and Technology Makes Declaration of CWE Compatibility
The U.S. National Institute of Standards and Technology (NIST) declared that its Web-based software security assurance application, SAMATE Reference Dataset (SRD), is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/CAPEC/CybOX/MAEC Briefings at DHS/DoD/NIST SwA Forum, March 26-30
CWE/CAPEC/CybOX Program Manager Robert A. Martin will present a briefing about CWE, CWE/CAPEC/CybOX Co-Founder and Architect Sean Barnum will present briefings about CAPEC and CybOX, and MAEC Program Manager Penny Chase and MAEC Architect Ivan Kirillov will present a briefing about MAEC at the DHS/DoD/NIST SwA Forum on March 26–30, 2012 at MITRE Corporation in McLean, Virginia, USA.
Visit the CWE Calendar for information on this and other events.
Photos from CWE/Making Security Measurable Booth at RSA 2012
MITRE hosted a CWE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 - March 2, 2012. Attendees learned how information security data standards such as CAPEC, CybOX, MAEC, CWE, CWSS, CEE, CVE, CCE, CPE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Making Security Measurable booth photos:
MITRE Issues Press Release Announcing First-Ever CWE-Compatible Products
MITRE Corporation issued a press release on March 5, 2011 entitled “CWE Compatibility Certificates Awarded” announcing that 13 products from 5 organizations in 3 countries were the first-ever to be recognized as “Officially CWE-Compatible”: Veracode, Inc.'s Veracode Static Analysis, Veracode Dynamic Analysis, Veracode Manual Testing, and Veracode Analytics; Klocwork, Inc.'s Klocwork Insight; CXSecurity's World Laboratory of Bugtraq 2; Hewlett-Packard's HP Fortify Static Code Analyzer, HP Fortify Real-Time Analyzer, HP Fortify Software Security Center, HP Fortify On Demand, HP WebInspect, and HP Assessment Management Platform; and GrammaTech, Inc.'s CodeSonar.
The release also included quotes from CWE Technical Lead Steve Christey and CWE Program Manager Robert A. Martin, as well as from MITRE Vice President and Chief Security Officer Gary Gagnon, who stated: "These companies have demonstrated a commitment to providing their customers with application security solutions that leverage the best information and mitigation strategies available. By integrating CWE Identifiers into their products, customers can feel secure using these companies' tools and service offerings."
February 28, 2012
February 28, 2012
13 Products from 5 Organizations Now Registered as Officially "CWE-Compatible"
CWE has awarded its first-ever Official Certificates of CWE Compatibility to thirteen information security products from five organizations, all of which have achieved the final stage of MITRE's formal CWE Compatibility Program and are now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 13 products to-date have been recognized as officially compatible.
The following products are now registered as officially "CWE-Compatible":
For additional information about CWE Compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.
February 20, 2012
February 20, 2012
Red Hat, Inc. Makes Declaration of CWE Compatibility
Red Hat, Inc. declared that its customer assessment service, Red Hat Customer Portal, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
February 9, 2012
February 9, 2012
CWE/Making Security Measurable Booth at RSA 2012, February 27 – March 2
MITRE will host a CWE/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 - March 2, 2012. Attendees will learn how information security data standards such as CWE, CWSS, CAPEC, CybOX, MAEC, CEE, CVE, CCE, CPE, OVAL, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Members of the CWE Team will be in attendance. Please stop by Booth 2617 and say hello!
Visit the CWE Calendar for information on this and other events.
January 25, 2012
January 25, 2012
NETpeas, SA Makes Declaration of CWE Compatibility
NETpeas, SA declared that its cloud-based, multi-engines vulnerability management service, COREvidence, is CWE-Compatible.
For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
January 6, 2012
January 6, 2012
CXSecurity Makes Declaration of CWE Compatibility
CXSecurity declared that its vulnerability database, and security audit and computer forensic services, World Laboratory of Bugtraq (WLB), is CWE-Compatible.
For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.
CWE/SANS Top 25 Is Main Focus of Article in eWeek
The CWE/SANS Top 25 Most Dangerous Software Errors list was mentioned in a December 22, 2011 article entitled "Top 25 Flaws Developers Blindly Build Into Applications" on eWeek.com. The article describes how many of the high-profile security breaches in 2011" took advantage of common, well-known software flaws in applications, such as SQL injection, cross-site scripting and buffer overflows" and states that the "development lifecycle needs to start focusing on avoiding security flaws from the beginning".
The Top 25 is mentioned as follows: "Earlier this year, the SANS Institute, in conjunction with the nonprofit technology research corporation MITRE and the Department of Homeland Security, released the annual Common Weakness Evaluation/SANS Top 25 Most Dangerous Software Errors. The top issues were exploited by groups such as LulzSec and Anonymous in their attacks against Sony Pictures, PBS.org and HB Gary Federal in 2011. And a Citigroup breach, which exposed credit card information for more than 300,000 account holders, relied on the "missing authorization" flaw, which meant the site did not check whether the user was allowed to perform a particular action. All of these software flaws are easy for attackers to find using basic scanning tools." The article then goes on to give brief summaries of the weaknesses listed on the 2011 Top 25.
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2012
MITRE has announced its initial Making Security Measurable calendar of events for 2012. Details regarding MITRE's scheduled participation at these events are noted on the CWE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
- RSA Conference 2012, February 27-March 2, 2012
- InfoSec World Conference & Expo 2012, April 2-4, 2012
- Black Hat Briefings 2012, July 25-26, 2012
- Information Assurance Expo 2012, August 27-30, 2012
- Black Hat DC 2012, November 1-2, 2012
Other events may be added throughout the year. Visit the CWE Calendar for information or contact cwe@mitre.org to have MITRE present a briefing or participate in a panel discussion about CWE,
CAPEC, MAEC, CybOX, CVE, CCE, CPE, CEE, OVAL, Software Assurance, and/or
Making Security Measurable at your event.
More information is available — Please edit the custom filter or select a different filter.
|
