Industry News Coverage - 2015 Archive

Below is a comprehensive monthly review of the news and other media's coverage of CWE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2015
CWE Mentioned in "The Most Vulnerable Vector of Attack" Article on The Cipher Brief
December 7, 2015
CWE is mentioned in a December 6, 2015 article entitled "The Most Vulnerable Vector of Attack" on The Cipher Brief. The article is an interview with U.S. Department of Homeland Security (DHS) Director for Software and Supply Chain Assurance in Cybersecurity and Communications Joe Jarzombek about "threats that face supply chains and the best way to mitigate them." CWE is mentioned by Jarzombek in response to a question about the most effective methods through which businesses can mitigate risks to their supply chains, as follows: "Businesses need to signal that sloppy 'manufacturing cyber hygiene' is not acceptable by potential suppliers. The best signals are via purchasing contracts that need to have terms and conditions to address acceptance criteria and liability for non-conforming products. As part of purchasing practices, and prior to being used in operations, ICT components need to have been tested for malware, known vulnerabilities (CVEs in the National Vulnerability Database), and exploitable weaknesses (CWEs) that are most applicable to the technology for the deployed environment – either by testing conducted by the using enterprise or through independent third party evaluation and certification."

November 2015

CWE Cited as Product Feature in Press Release by IAR Systems
CWE is cited as a product feature in a November 30, 2015 press release entitled "IAR Systems enhances 8051 tools with highly requested static code analysis" by IAR Systems. CWE is mentioned as follows: "C-STAT features innovative static analysis that can detect defects, bugs, and security vulnerabilities as defined by CERT C/C++ and the Common Weakness Enumeration (CWE), as well as help keeping code compliant to coding standards like MISRA C:2004, MISRA C++:2008 and MISRA C:2012. By using static analysis, it is possible to identify errors such as memory leaks, access violations, arithmetic errors, and array and string overruns at an early stage. This makes it possible for developers to ensure code quality and minimize the impact of errors on the finished product and on the project timeline." Read the complete press release at: https://www.iar.com/about-us/newsroom/press/?releaseId=2053293.

CWE Cited as Product Feature in Press Release by Column Information Security
CWE is cited as a product feature in a November 19, 2015 press release by Column Information Security entitled "Column Information Security Announces Partner Agreement with Veracode." CWE is mentioned at the beginning of the press release, in bullet 2 of 4, as follows: "Web Perimeter Security – discovers all web-facing applications associated with a customer — including cloud-hosted sites, temporary marketing sites – and performs a comprehensive deep scan to quickly identify highly exploitable vulnerabilities such as those found in the OWASP Top 10 and CWE/SANS Top 25." Read the complete press release at: http://www.columninfosec.com/news/column-information-security-announces-partner-agreement-with-veracode.html.

CWE-IDs Cited in ToolsWatch.org's "ICS/SCADA Top 10 Most Dangerous Software Weaknesses" White Paper
CWE Identifiers (CWE-IDs) are used to uniquely identify the weaknesses discussed in a November 5, 2015 white paper entitled "ICS/SCADA Top 10 Most Dangerous Software Weaknesses" on ToolsWatch.org. The white paper describes the methodology its author used to select the top 10 weaknesses, and then identifies them with the following CWE-IDs:
1. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
2. CWE-20: Improper Input Validation
3. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
4. CWE-264: Permissions, Privileges, and Access Controls
5. CWE-200: Information Exposure
6. CWE-255: Credentials Management
7. CWE-287: Improper Authentication
8. CWE-399: Resource Management Errors
9. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
10. CWE-189: Numeric Errors
The author also provides additional discussion of each weakness, and then lists the five vendors the author believes are most affected by each of the ten weaknesses.

CWE Mentioned in Article about Secure Application Development on TechTarget
CWE is mentioned in a November 2, 2015 article entitled "Q&A: Secure application development in the age of mashups" on TechTarget. The article is an interview with Veracode Chief Strategy Officer Sam King. CWE is mentioned in a response to a question about how it is "…common nowadays to mash up applications using entire programs as components -- and the resulting application inherits a bug stack consisting of the sum of the bugs in the components plus any interactions between them…", as follows: "You need an agreed-on set of quality standards, compliance initiatives with teeth, a way for vendors to signal compliance with those standards, a way to test for compliance that everyone agrees on, and a clear value proposition for both the enterprise and the supply chain to make it work. We are starting to see some of those pieces come to fruition in the context of vendor-supplied applications, between the FS-ISAC recommendation for binary static testing, software component analysis, and VBSIMM (or the equivalent, OpenSAMM); market standards for testing like OWASP, the CWE/SANS Top 25 Most Dangerous Software Errors, and Veracode's Verafied seal; inclusion of software and supply chain security in the PCI standard; and the threat of federal lawsuits for inadequate cybersecurity protection. For mashup applications that leverage third-party Web services, this model -- and some of these specific (risk avoidance) strategies -- may prove helpful for organizations trying to get their arms around this risk."

October 2015
CWE Mentioned in Article about Vulnerabilities in LTE Mobile Networks on Fudzilla.com
CWE is mentioned in an October 20, 2015 article entitled "LTE networks have evil bugs" on Fudzilla.com. The main topic of the article is that "Carnegie Mellon University's CERT security vulnerabilities database has issued an alert regarding the status of LTE (Long-Term Evolution) mobile networks." CWE is mentioned as follows: "The technology has four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS attacks on the phone and network, and obtain free data transfers without being charged … CERT said that the four vulnerabilities (CWE-732, CWE-284, CWE-287, and CWE-384) allow attackers to take advantage of some things like incorrectly set call permissions, the ability to establish direct sessions between phones, improper authentication for SIP messages, and a bug that enables attackers to establish multiple sessions with the same phone number." See CWE-732: Incorrect Permission Assignment for Critical Resource; CWE-284: Improper Access Control; CWE-287: Improper Authentication; and CWE-384: Session Fixation to learn more about these issues.

CWE Mentioned in Article about Medical Device Cybersecurity on MD+DI
CWE is mentioned in an October 12, 2015 article entitled "Getting Started on Medical Device Cybersecurity" on Medical Device and Diagnostic Industry (MD+DI). The main topic of the article is that "Tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and wondering where to start." CWE is mentioned as follows: "The notion of tackling cybersecurity in medical devices can be intimidating, leaving manufacturers overwhelmed and asking where they should start. Before developing plans on where you're going, it's important to figure out where you stand. Performing vulnerability assessments on devices that are currently out in the wild is a great way to figure out where you're at, and the results will enable you to identify what steps could be taken to raise the security posture of the device. Utilize industry best practices such as the SANS and CWE top 25 as well as OWASP top 10 for common weaknesses that are found in application security. These lists are wonderful collations of easily digestible steps that can be taken to improve the security of a device or software application."
September 2015
CWE/CWSS/CAPEC Mentioned in ITU's "Security in Telecommunications and Information Technology 2015"
Common Weakness Enumeration (CWE™), Common Weakness Scoring System (CWSS™), and Common Attack Pattern Enumeration and Classification (CAPEC™) are included in a September 2015 technical report entitled "Security in Telecommunications and Information Technology 2015" on the International Telecommunication Union (ITU) website. The main topic of the report is an "overview of issues and the deployment of existing ITU-T Recommendations for secure telecommunications." CWE, CWSS, and CAPEC, as well as Common Vulnerabilities and Exposures (CVE®) and Malware Attribute Enumeration and Characterization (MAEC™), are mentioned in "Chapter 11 - Cybersecurity and incident response," as follows: CVE is the main topic of section "11.1.2 Exchange of vulnerability information," CWE is the main topic of section "11.1.4 Exchange of weakness information," CWSS is the main topic of section "11.1.5 Weakness scoring," CAPEC is the main topic of section "11.1.6 Exchange of attack pattern information," and MAEC is the main topic of section "11.1.7 Exchange of malware characteristics information." The report is available for free download from: http://www.itu.int/dms_pub/itu-t/opb/tut/T-TUT-SEC-2015-PDF-E.pdf.

CWE Mentioned in Press Release about New Software Quality Measurement Specifications by CISQ
CWE is mentioned in a September 15, 2015 press release by the Consortium for IT Software Quality (CISQ) entitled "Consortium for IT Software Quality Announces New Specifications for Measuring Structural Quality of Software." The main topic of the press release is that CISQ announced the release of "new measurement specifications based on detecting weaknesses in the reliability, security, performance efficiency and maintainability of software applications. These quality measures can be used to evaluate the risk in software-intensive systems from such sources as unauthorized penetrations, outages, data corruption, degraded performance, and excessive complexity." CWE is mentioned as follows: "The CISQ measures are developed from counting violations of good architectural and coding practice that are severe enough to be prioritized for remediation. For instance, the security measure is derived from the top 25 violations of good coding practice such as SQL injections, buffer overflows, and cross-site scripting that allow unauthorized intrusions and data theft. This list comes from the Common Weakness Enumeration (CWE) repository which is managed by the MITRE Corporation. The reliability measure incorporates empty exception blocks, unreleased resources, circular dependencies, and other violations that cause outages and slow recovery times. Performance efficiency includes coding weaknesses such as expensive loop operations, un-indexed data access, and unreleased memory that degrade response-time and overuse resources. The maintainability measure includes coding weaknesses such as excessive coupling, dead code, and hard-coded literals that make maintenance and enhancements overly expensive and defect-prone." The release also announced that CISQ will host a webinar on October 15, 2015, presented by Robert A. Martin, CWE Program Manager and co-author of the CISQ security measure for detecting cybersecurity issues in software, entitled "Latest Advances in Cybersecurity and the NEW CISQ Security Standard." The webinar is free and open to the public, but registration is required.

Three CWE-IDs Cited in Article about Vulnerabilities in Seagate Hard Drives on The Inquirer
Three CWE Identifiers (CWE-IDs) are cited in a September 8, 2015 article entitled "Seagate issues fix for wireless hard drive backdoor vulnerability" on The Inquirer. The main topic of the article is the vulnerabilities discovered in Seagate wireless hard drives and that a "CERT announcement confirmed that the flaws could be used to inject malicious files onto the WiFi drives, taking control of or infecting connected devices." The following three CWE-IDs are cited, along with Common Vulnerabilities and Exposures (CVE®) Identifiers, to uniquely identify the three issues:
1. CWE-798: Use of Hard-coded Credentials (CVE-2015-2874)
2. CWE-425: Direct Request ('Forced Browsing') (CVE-2015-2875)
3. CWE-434: Unrestricted Upload of File with Dangerous Type (CVE-2015-2876)
2nd Product from Suresoft Technologies Now Registered as Officially "CWE-Compatible"

July 2015
CWE Mentioned in Article about Commercial Versus Open Source Code Compliance on Security Week
CWE is mentioned in a July 30, 2015 article entitled "Commercial code is more compliant to security standards than open source code" on Security Week. The main topic of the article is the release of Coverity, Inc.'s "Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "Based on the analysis of more than 10 billion lines of code from thousands of open source and commercial products, experts have determined that while open source projects are doing a better job at addressing quality and security issues, enterprises take the lead when it comes to complying with security standards such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) 25."

CWE Mentioned in Article about Commercial Versus Open Source Code Compliance on Net Security
CWE is mentioned in a July 30, 2015 article entitled "Commercial code is more compliant to security standards than open source code" on Net Security. The main topic of the article is the release of Coverity, Inc.'s "Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "This year the report also compared security compliance standards such as OWASP Top 10 and CWE 25, and found that commercial code is more compliant with these standards than open source code."

CWE Mentioned in Press Release about "Coverity Scan Open Source Report 2014"
CWE is mentioned in a July 29, 2015 press release by Coverity, Inc. entitled "Coverity Scan Open Source Report Shows Commercial Code Is More Compliant to Security Standards than Open Source Code." The main topic of the press release is the publication of its annual "Coverity Scan Open Source Report for 2014." CWE is mentioned as follows: "As detailed in the new Coverity Scan Open Source Report, nearly 152,000 defects were fixed in 2014 alone – more than the total amount of defects that had been found in the previous history of the service. Based on static analysis defect density, open source code outpaced commercial code for quality in the 2013 report. This trend continues in 2014; however, this year the report also compared security compliance standards such as OWASP (Open Web Application Security Project) Top 10 and CWE (Common Weakness Enumeration) 25, and found that commercial code is more compliant with these standards than open source code."

CWE Mentioned in Article about Tightening Cyber Security Systems on Information Age
CWE is mentioned in a July 29, 2015 article entitled "What the US OPM breach teaches us about tightening our security systems" on Information Age. CWE is mentioned in a section entitled "Securing the network and critical applications," in a list of preventative measures suggested by the author: "And lastly, ensure Web Applications are developed in line with OWASP and SANS /CWE Secure coding guidelines."

CWE Cited as Product Feature in Press Release by Waratek
CWE is mentioned in a July 27, 2015 press release by Waratek, Ltd. entitled "CRN Names Waratek Coolest Security Startup of 2015." The main topic of the release is that "CRN, the IT channel's leading source for news, has named it a Coolest Security Startup for 2015. CRN recognized Waratek for its secure container technology, which creates a 'bulletproof vest' for applications deployed on-premise or in cloud environments." CWE is mentioned in the press release as follows: "Last month, Waratek announced that it has developed the ability for its RASP product to consume CWE (common weakness enumeration) reports from SAST tools like HP Fortify, Veracode, Checkmarx and others to generate rules that immediately address application security vulnerabilities."

June 2015
CWE Cited as RASP Product Feature in Press Release by Waratek
CWE is mentioned in a June 17, 2015 press release by Waratek, Ltd. entitled "Waratek Integrates Automated Security Vulnerability Remediation with Runtime Application Self-Protection." The main topic of the release is that Waratek added automated security vulnerability remediation to its AppSecurity for Java Runtime Application Self-Protection (RASP) product. CWE is mentioned in the press release as follows: "Waratek has developed the ability to consume CWE (Common Weakness Enumeration) reports from SAST and DAST tools including HP Fortify, Veracode, Checkmarx and others to generate rules that immediately address the top application security flaws identified by SANS and OWASP. This fully automated workflow can immediately protect production applications without any manual intervention or configuration. It can also be integrated into the Software Development Lifecycle."

CWE Cited as Product Feature in Press Release by IAR Systems
CWE is mentioned in a June 7, 2015 press release by IAR Systems entitled "IAR Systems extends industry-leading Renesas RX tools with static code analysis." The main topic of the release is that version 2.08 of IAR Embedded Workbench for RX adds "integrated static code analysis through C-STAT, which makes it possible for RX developers to take full control of their code and enables companies to save valuable time and money in their development projects." CWE is mentioned in the press release as follows: "C-STAT is a powerful static analysis tool that checks compliance with rules as defined by the coding standards MISRA C:2004, MISRA C++:2008 and MISRA C:2012, as well as hundreds of rules based on, for example, CWE (the Common Weakness Enumeration) and the CERT C/C++ Secure Coding Standards. Users can easily select which ruleset and which individual rules to check the code against, and the analysis results are provided directly in the IAR Embedded Workbench IDE."

April 2015
CWE Mentioned in Article about Managing Security Risk on Dark Reading
CWE is mentioned in an April 20, 2015 article entitled "DHS: Most Organizations Need Improvement In Managing Security Risk" on Dark Reading. The main topic of the article is that "Government agencies and organizations in the private sector must place more emphasis on software analysis, testing and life-cycle support to mitigate threats exploiting known vulnerabilities and new avenues opened up by the use of open source and re-used software components, according to the Department of Homeland Security (DHS)." CWE is mentioned in a section entitled "Third-party code and plug-ins are the achilles heel of web applications," in comments by Joe Jarzombek, director for software and supply chain assurance with the DHS, as follows: "SQL Injection and Cross-Scripting constitute the more frequent and dangerous vector of attacks. IT managers are deploying firewalls, intrusion prevention systems and demilitarized zones, but still wonder why their systems are compromised. They are being exploited at the 'soft underbelly of the enterprise' – application software. People know about cross-scripting and SQL injection attacks, but don't understand it. 'Someone on your team should know exactly what [these attacks] do and what they are trying to exploit,' Jarzombek said. These attacks and their exploits are known as common weakness enumeration (CWE). The attacks and how to defend against them can be found in a free online community dictionary hosted by Mitre Corp. and sponsored by the Homeland Security Department."

March 2015
CWE Mentioned in Article about "Software as a Process" on Electronic Specifier
CWE is mentioned in a March 27, 2015 article entitled "Software as a process" on Electronic Specifier. The main topic of the article is that "Today's software products are the result of many suppliers, vendors, open source repositories and legacy code coming together in a mix of different processes, standards and cultures. Each input offers a chance to introduce safety, security, or performance-related errors," and that "Whether it's the shift towards agile, continuous integration, or the adoption of new standards, embracing new ways of developing software hits organisations where it counts: the delivered product." CWE is mentioned when the author states: "One method that is proven to be successful in mitigating security risks is using automated code analysis to look for potential flaws. Capers Jones of Namcook Analytics found that, without tools such as Static Code Analysis (SCA) in particular, developers are less than 50 percent efficient at finding bugs in their own software. SCA is adept at understanding patterns and behaviours in code, across multiple compilation units and developers, to reveal security holes such as buffer overflows, suspicious incoming data and unvalidated inputs. More sophisticated SCA tools can also compare code against common security standards, such as OWASP and CWE, to determine gaps in coverage or generate compliance reports. Rather than convincing teams to spend more effort on security testing, use tools to reduce the effort for you and your suppliers."

CWE Mentioned in Article about Securing Embedded Software on Embedded Computing Design
CWE is mentioned in a March 24, 2015 article entitled "5 steps to secure embedded software" on Embedded Computing Design. CWE is first mentioned as follows: "IT standards groups, like the Consortium for IT Software Quality (CISQ), MITRE Common Weakness Enumeration (CWE), and ISO 9000 and ISO 25000, publish guidelines and software quality standards. CISQ has published automated quality measures for security, reliability, performance efficiency, and maintainability. These measures provide some of the specific attributes that should be used as evidence that embedded systems might need to fulfill their business/mission function. While examining the state of embedded systems, it is apparent that security should be engineered in up front." CWE is mentioned again in a section entitled "Follow the standards," as follows: "CISQ has published a security standard that is designed to identify the top 25 known security weaknesses in IT application software as maintained by MITRE in the Common Weakness Enumeration (CWE). The CWEs are a measurable set of items that can be used as evidence for resiliency, security, and safety. Code analyzers such as CAST can pick these out of a complex environment. Developers should stay in constant touch with these important standards."