CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types


News & Events


1 Product from Optimyth Software Now Registered as Officially "CWE-Compatible"

June 15, 2017

One additional cyber security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 48 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals look for it when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit CWE Compatibility Program and CWE-Compatible Products and Services.

Parasoft Makes 6 Declarations of CWE Compatibility

June 15, 2017

Parasoft Corporation declared that its static code analysis tools, C/C++test Versions 10.x, C/C++test Versions 9.x, Jtest Versions 10.x, Jtest Versions 9.x, dotTEST Versions 10.x, and dotTEST Versions 9.x, are CWE-Compatible. For additional information about these and other compatible products, visit the CWE Compatibility and Effectiveness section.

CWE Version 2.11 Now Available

May 5, 2017

CWE Version 2.11 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.10 and Version 2.11.

CWE 2.11 has one new entry and two deprecated entries. In all, 116 entries had important changes, primarily due to continued reorganization of the Development Concepts View (CWE-699), updated CAPEC mappings, and focused improvements on individual entries.

The main changes include: (1) relationship changes for 28 entries (mostly in the Development View); (2) updates to 52 entries to align with attack pattern mappings from the recently-released Common Attack Pattern Enumeration and Classification (CAPEC™) Version 2.10; (3) error fixes and improved completeness for many individual entries based on external feedback and internal quality review; and (4) small consistency changes to mitigations for 47 entries. The schema was updated to 5.4.3.

There are now 705 weaknesses and a total of 1006 entries on the CWE List.

Changes for the new version include the following:

  • New Entries Added: 1
  • Entries Deprecated: 2
  • Entries with Important Changes: 30
  • Entries with Major Changes: 116
  • Entries with Minor Changes: 2
  • Entries Unchanged: 887

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.10_v2.11.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Privacy Policy Updated

May 2, 2017

The CWE Privacy Policy was updated to notify users that cookies are now being used on the CWE website for the sole purpose of saving "Presentation Filter" and "Show Details" (previously "Mapping-Friendly") selections so users do not have to continuously update the filter to navigate the CWE List.

CWE a Major Focus of DARPA’s New System Security Integrated Through Hardware and Firmware (SSITH) Program

April 10, 2017

CWE is cited in an April 10, 2017 article on the DARPA website entitled “Baking Hack Resistance Directly into Hardware” as a major focus of DARPA’s new System Security Integrated Through Hardware and Firmware (SSITH) program.

As stated on the website, the purpose of the SSITH program is to "develop hardware design tools that provide security against hardware vulnerabilities that are exploited through software in Department of Defense (DoD) and commercial electronic systems. SSITH seeks to leverage current research in hardware design and software security to propel new research in the area of hardware security at the microarchitecture level."

CWE is mentioned in the article as follows: "SSITH specifically seeks to address the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration (cwe.mitre.org), a crowd-sourced compendium of security issues that is familiar to the information technology security community. In cyberjargon, these classes are: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2800 software breaches that have taken advantage of one or more of these hardware vulnerabilities, all seven of which are variously present in the integrated microcircuitry of electronic systems around the world. Remove those hardware weaknesses … and you would effectively close down more than 40% of the software doors intruders now have available to them."

Read the complete article at http://www.darpa.mil/news-events/2017-04-10.

CWE Mentioned in Article about Software Code and Security on Information Age

March 31, 2017

CWE is a main topic of a March 31, 2017 article on Information Age entitled "Does software quality equal software security? It depends." The article discusses software code quality versus software code security.

CWE is the focus of a section of the article entitled "CWE," in which the author describes what CWE is and how to use it and other tools to check code for weaknesses. The author also states: "Checking against various CWEs can also be a step toward achieving industry compliance. And CWEs can also be associated with common vulnerabilities and exposures (CVE), another intersection between quality and security."

CWE is mentioned again as the author concludes the article: "Producing software free of CWEs or CVEs makes it quality code. However, failure to maintain the code with the latest updates of its individual component and/or using fuzz testing to truly harden the code against future threats is vital. Both are necessary to have secure software applications."

Read the complete article at http://www.information-age.com/quality-software-security-123465456/.

CWE Version 2.10 Now Available

January 19, 2017

CWE Version 2.10 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.9 and Version 2.10.

CWE Version 2.10 has one new entry and one deprecated entry. In all, 127 entries had important changes, primarily due to reorganization of higher-level entries in the Development Concepts View (CWE-699), in order to simplify navigation of this view and reduce near-duplicate relationships. These changes were described in a post to the CWE Researcher email discussion list in late 2016, and are expected to continue in future CWE versions.

The main changes include: (1) relationship changes for 126 entries (mostly in the Development Concepts); (2) updates to 16 entries to align with attack pattern mappings from the recently-released Common Attack Pattern Enumeration and Classification (CAPEC™) Version 2.9; and (3) updated maintenance notes for 13 entries, primarily to identify Category entries that might be deprecated in the future as a result of the reorganization of the Development View. No changes were made to the schema.

There are now 707 weaknesses and a total of 1005 entries on the CWE List.

Changes for the new version release include the following:

  • New Entries Added: 1
  • Entries Deprecated: 1
  • Entries with Important Changes: 127
  • Entries with Major Changes: 142
  • Entries with Minor Changes: 5
  • Entries Unchanged: 858

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v2.9_v2.10.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWE Refreshes Website with Easier-to-Use Navigation Menus & Streamlined CWE List Page

January 19, 2017

We have updated the CWE website to streamline site navigation for an improved user experience. The main navigation menu is now located in an easy-to-access menu bar at the top of every page, with Section Contents menus for each section of the website just below the new main menu.

The main CWE List page has also been streamlined for ease of use into four main sections:

  • Navigate CWE – Offers two hierarchical representations, Research Concepts and Development Concepts, to help you navigate all weaknesses according to your specific point of view.
  • External Mappings – Offers views used to represent mappings to external groupings such as a Top-N list, as well as to express subsets of entries that are related by some external factor.
  • Helpful Views – Offers additional views based on specific criteria, intended to provide insight for a certain domain or use case, such as a specific source code language or phase of development.
  • Release Downloads – Provides an archive of previous release versions of the core content downloads, schemas, schema documentation, and difference reports.

Please send any comments or concerns to cwe@mitre.org.

1 Product from Evenstar Now Registered as Officially "CWE-Compatible"

April 27, 2016

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 45 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals look for it when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

1 Product from Soft4Soft Now Registered as Officially "CWE-Compatible"

March 15, 2016

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 44 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals look for it when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Evenstar Makes Declaration of CWE Compatibility

January 15, 2016

Evenstar declared that BigLook, its code verification tool for ensuring source code compliance with domestic and international code security guidelines, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

1 Product from AdaCore Now Registered as Officially "CWE-Compatible"

January 4, 2016

One additional information security product has achieved the final stage of MITRE's formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 43 products to date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

The official CWE-Compatible logo lets system administrators and other security professionals look for it when adopting SwA products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CWE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

Soft4Soft Co., Ltd. Makes Declaration of CWE Compatibility

January 3, 2016

Soft4Soft Co., Ltd. declared that its static analysis tool and coding rules checker, RESORT Code Analysis, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

Page Last Updated: June 14, 2017