News & Events - 2024

New CWE Board Member from NVIDIA
April 18, 2024

Deana O’Meara of NVIDIA has joined the CWE Board. Through open and collaborative discussions, CWE Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers, who provide input and guidance on the creation, design, review, maintenance, and application of CWE entries; subject matter experts, who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE; and advocates, who actively support and promote CWE throughout the community in a highly visible and responsible manner.

Join the “Root Cause Mapping” Working Group!
April 10, 2024

Several CWE™ Program and CVE® Program stakeholder organizations (Intel, Microsoft, Red Hat, Rapid7, CISA, and HSSEDI) have established the Root Cause Mapping Working Group (RCM WG), focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping of vulnerabilities. “Root cause mapping” is the identification of the underlying cause(s) of a vulnerability. Accurate and precise root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers. RCM WG efforts will include:
The RCM WG is accepting new members. If you are interested in participating, please email us at cwe@mitre.org.

Microsoft Announces It Will Use CWE for Root Cause Mapping of Its CVEs
April 10, 2024

On April 8, 2024, Microsoft announced in a Microsoft Security Response Center blog article entitled “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” that it will now “publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard.” In addition to explaining how Microsoft will use CWE and providing an example of a Microsoft CVE Record with CWE information (CVE Record CVE-2024-29990, when viewing the JSON for that record), blog author Lisa Olson, Senior Program Manager, Security Release at Microsoft, states: “We believe adopting CWE will better serve our customers, developers, and security practitioners across the industry. This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases. Ultimately, our commitment to CWE represents a meaningful step toward a more cyber-secure world.” Read the complete “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” article on the Microsoft website.

CWE Program Updates Guidance for the “Root Cause Mapping” of Vulnerabilities
March 22, 2024

The CWE Program has updated its guidance for mapping the root cause(s) of vulnerabilities on the “Root Cause Mapping Guidance” page on the CWE website.

Importance of Root Cause Mapping

“Root cause mapping” is the identification of the underlying cause(s) of a vulnerability. Accurate and precise root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated.
This applies to both industry and government decision makers. Additionally, it enables:
Today, however, root cause mapping is not done accurately at scale by the vulnerability management ecosystem. The CWE Program’s new and improved guidance addresses this problem.

New and Improved Guidance for Root Cause Mapping

Root cause mapping is best accomplished by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. The new and improved guidance provides an overview and step-by-step methodologies for mapping CVEs to CWEs. This guidance is intended to help CVE Numbering Authorities (CNAs) and those who produce or analyze CVE Records. It is also likely to be helpful to those who are analyzing vulnerabilities that are not tracked by the CVE Program. View the new and improved root cause mapping guidance here.

Working Group

Several CVE and CWE stakeholder organizations have established a working group focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping. Efforts include:
If you are interested in participating, please email us at cwe@mitre.org.

CWE at CVE/FIRST VulnCon 2024
March 22, 2024

CWE was the main focus of two sessions at CVE/FIRST VulnCon 2024, held March 25-27, 2024 at the McKimmon Center in Raleigh, North Carolina, USA:
Thank you so much to everyone who attended our RCM discussion panel and CWE talk at the first-ever VulnCon conference. We are already looking forward to next year’s event!

CWE Version 4.14 Now Available
February 29, 2024

CWE Version 4.14 has been posted on the CWE List page and includes a number of exciting updates. There are 4 new weakness entries related to hardware microarchitectures; 1 new View, “Weaknesses Addressed by ISA/IEC 62443 Requirements,” for industrial automation and control systems; updates to observed and demonstrative examples; 10 new demonstrative examples from the HACK@DAC security challenge contest; and other changes. Also, a major enhancement has been made to CWE entry pages beginning with this release. All CWE entry web pages will now have vulnerability mapping labels underneath their titles. These labels indicate whether a CWE is approved, discouraged, or prohibited for vulnerability root cause mapping, and they link directly to the entry’s Mapping Notes for quick reference to more detailed information. The CWE Program thanks Intel, AMD, ARM, Cycuity, Riscure, HACK@DAC contributors from Texas A&M University and Technical University of Darmstadt, and members of the CWE ICS/OT Special Interest Group (ICS/OT SIG) and Hardware CWE Special Interest Group (HW CWE SIG) for their collaboration in preparing this new version.

Main Changes

4 New Weakness Entries Related to Hardware Microarchitectures:
1 New View:
New and Updated Observed Examples:
New and Updated Demonstrative Examples:
A detailed report is available that lists the specific changes between Version 4.13 and Version 4.14. There were no schema updates.

Summary

There are 938 weaknesses and a total of 1,426 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.13_v4.14.html. Future updates will be noted here, on the CWE Research email discussion list, on the CWE page on LinkedIn, on @cwecapec on X (formerly Twitter), and on @CWE_Program on Mastodon. Please contact us with any comments or concerns.

CWE Podcast: “Red Hat’s CWE Journey”
January 18, 2024

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design. In our latest episode, CWE Program Lead Alec Summers talks with Red Hat’s Przemyslaw Roguski, CWE Technical Lead Steve Christey, and CWE Top 25 Lead Connor Mullaly about Common Weakness Enumeration (CWE™) and the problem it solves; how Red Hat’s experience and relationship with CWE began and developed over time; how Red Hat uses CWE today, especially “CWE-699: Software Development”; how CWE’s different “views” can be used to educate and enable new and/or existing CWE users; CWE mappings and why mapping to CWEs (root cause weaknesses) is important in vulnerability disclosure; the CWE Top 25 list; CWE in the software development lifecycle; how ongoing development of CWE benefits users; and more. Additional details about Red Hat’s ongoing use of CWE are included in two articles on the Red Hat blog, “Red Hat’s CWE journey” and “Weakness risk-patterns: A Red Hat way to identify poor software practices in the secure development lifecycle.” The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on YouTube, X (formerly Twitter), LinkedIn, or Mastodon, or by email. We look forward to hearing from you!