Industry News Coverage - 2014 Archive
Industry News Coverage - 2014 Archive
Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
MITRE Cybersecurity Blog, May 7, 2014
CWE, CAPEC, and CVE are the main topics of an article "Security Standards Help Stop Heartbleed" by CAPEC Technical Lead Drew Buttner on MITRE's
Cybersecurity blog on May 7, 2014. "Heartbleed," or
CVE-2014-0160, is a serious vulnerability in
"certain versions of OpenSSL where it enables remote attackers to obtain
sensitive information, such as passwords and encryption keys. Many popular
websites have been affected or are at risk, which in turn, puts countless users
and consumers at risk."
The article defines the Common Vulnerabilities and Exposures (CVE®),
Common Weakness Enumeration (CWE™), and
Common Attack Pattern Enumeration and Classification (CAPEC™) efforts and explains the problem each solves.
In sections entitled "CVE and Heartbleed," "CWE and Heartbleed,"and
"CAPEC and Heartbleed," the article describes how CVE helped when the issue became public by assigning CVE-2014-0160 to what also was referred to as the Heartbleed bug, and how CWE and CAPEC can help prevent future Heartbleeds.
The author then concludes the article as follows: "Security automation efforts such as CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities such as Heartbleed in the future. But it is incumbent upon developers and other security professionals to actively leverage resources such as these to be better prepared for the next Heartbleed."
Read the complete article at
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed.
ContinuousAssurance.org Website, April 29, 2014
CWE and Common Vulnerabilities and Exposures (CVE®) are included as references in an April 29, 2014 white paper entitled
"Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?" by James A. Kupsch and Barton P. Miller of the Software Assurance Marketplace (SWAMP) at the University of Wisconsin
in Madison, Wisconsin, USA. The following were cited as references in the white paper, which also included the urls:
CVE-2014-0160,
CWE-130: Improper Handling of Length Parameter Inconsistency, and
CWE-125: Out-of-Bounds Read.
CrosstalkOnline.org Website, March/April 2014
CWE is mentioned in the preface to the March/April 2014 issue of
Crosstalk: The Journal of Defense Software Engineering, the main topic of which is
"Mitigating Risks of Counterfeit and Tainted Components."
The preface was written by Roberta Stempfley, Acting Assistant Secretary at the
U.S. Department of Homeland Security's
Office of Cybersecurity and Communications, and CVE is mentioned as follows:
"How can we collaboratively orchestrate industry and government response to these attacks
[on information and communications technology (ICT) assets]? One way is through the Common Vulnerabilities and Exposures (CVE) List, which is an extensive listing of publicly known vulnerabilities found after ICT components have been deployed. Sponsored by the Department of Homeland Security (DHS), the ubiquitous adoption of CVE has enabled the public and private sectors to communicate domestically and internationally in a consistent manner the vulnerabilities in commercial and open source software. CVE has enabled our operations groups to prioritize, patch, and remediate nearly 60,000 openly reported vulnerabilities. Unfortunately, vulnerabilities are proliferating rapidly thus stretching our capabilities and resources. As we seek to discover and mitigate the root causes of these vulnerabilities, sharing the knowledge we have of them helps to mitigate their impact. In order to keep pace with the threat, we must facilitate the automated exchange of information. To achieve that, DHS sponsors
"free for use" standards, such as: Common Weakness Enumeration (CWE), which provides for the discussion and mitigation of architectural, design, and coding flaws introduced during development and prior to use; Common Attack Pattern Enumeration and Classification (CAPEC), which enables developers and defenders to discern the attacks and build software resistant to them; Malware Attribute Enumeration and Characterization (MAEC), which encodes and communicates high-fidelity information about malware based upon behaviors, artifacts, and attack patterns; Structured Threat Information eXpression (STIX), which conveys the full range of potential cyber threat information using the Trusted Automated eXchange
of Indicator Information."
The entire issue is available for free in a variety of formats at
http://www.crosstalkonline.org/.
CrosstalkOnline.org Website, March/April 2014
CWE and Common
Vulnerabilities and Exposures (CVE®) are included in an article written by MITRE Senior Principal Engineer Robert A. Martin entitled
"Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent" in March/April 2014 issue of
Crosstalk: The Journal of Defense Software Engineering, the main topic of which is
"Mitigating Risks of Counterfeit and Tainted Components."
CWE and CVE are mentioned in a section entitled "Making Change through Business Value," as follows:
"For an example of a behavior change in an industry motivated by a new perceived
business value, consider that many of the vendors currently doing public
disclosures are doing so because they wanted to include CVE [14] Identifiers in
their advisories to their customers. However, they could not have CVE
Identifiers assigned to a vulnerability issue until there was publicly available
information on the issue for CVE to correlate. The vendors were motivated to
include CVE Identifiers due to requests from their large enterprise customers
who wanted that information so they could track their vulnerability
patch/remediation efforts using commercially available tools. CVE Identifiers
were the way they planned to integrate those tools. Basically the community
created an ecosystem of value propositions that influenced the software product
vendors (as well as the vulnerability management vendors) to do things that
helped the community, as a whole, work more efficiently and effectively.
Similarly, large enterprises are leveraging CWE Identifiers to coordinate and
correlate their internal software quality/security reviews and other assurance
efforts. From that starting point, they have been asking the Pen Testing
Services and Tools community to include CWE identifiers in their findings. While
CWE Identifiers in findings was something that others had cited as good
practice, it was not until the business value to Pen Testing industry players
made sense that they started adopting them and pushing the state-of-the-art to
better utilize them."
CWE is also mentioned in a section entitled "Assurance for the Most Dangerous Non-Malicious Issues"
that explains what CWE is and how the information "can assist project staff in
planning their assurance activities; it will better enable them to combine the
groupings of weaknesses that lead to specific technical impacts with the listing
of specific detection methods. This provides information about the presence of
specific weaknesses, enabling them to make sure the dangerous ones are
addressed."
The entire issue is available for free in a variety of formats at
http://www.crosstalkonline.org/.
More information is available — Please edit the custom filter or select a different filter.
|