News & Events - 2019 ArchiveRight-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org. CWE List Expanding to Include Hardware Weaknesses October 10, 2019 | Share this article In an effort to expand the scope of the CWE List from solely software weaknesses, we are excited to announce that the team has begun to explore integrating hardware weaknesses into the CWE corpus. This is something that we’ve been considering for a number of years, and with our goal to further grow CWE as a valuable resource for the security community, the time seems right to revisit and make it happen. Hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) are becoming increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so that hardware designers can begin to understand and take action against these types of flaws. We hope to work with the community actively on this and are looking for opportunities to engage experts in this field to help us understand the types of hardware weaknesses that are common today. Please let us know if you would like to get involved by contacting us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to cwe@mitre.org. We look forward to hearing from you! 2019 “CWE Top 25” Receives Extensive News Media Coverage October 4, 2019 | Share this article The recently released “2019 CWE Top 25 Most Dangerous Software Errors” list received extensive global media coverage, and feedback from the community. We thank the community for all your feedback regarding the new CWE Top 25. News media articles that include interviews and quotes from the CWE Team: MITRE Releases 2019 List of Top 25 Software Weaknesses, Dark Reading:
MITRE Names 2019’s Most Dangerous Software Errors, Infosecurity Magazine:
Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now, The Register:
A partial list of other articles from around the world about the 2019 CWE Top 25: These software vulnerabilities top MITRE’s most dangerous list, ZD Net CWE Top 25 (2019) – List of Top 25 Most Dangerous Software Weakness that Developers Need to Focus, GBHackers MITRE Releases 2019 List of Top 25 Software Weaknesses, Hacker News Memory Errors Top MITRE’s ‘Most Dangerous’ List, Security Boulevard These software vulnerabilities top MITRE’s most dangerous list, The Breaking News List of Top 25 Most Dangerous Software Flaws that Developers Need to Focus – 2019 CWE Top 25, IT Security News Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now, World News Network MITRE’s 2019 CWE Top 25 most dangerous software errors list released, Security Boulevard Nueva lista de vulnerabilidad comunes (MITRE CWE Top 25), Segu Info No surprises in the top 25 most dangerous software errors, Naked Security MITRE’s Top 25 Most Dangerous Software Errors, Information Security Buzz MITRE’s 2019 CWE Top 25 most dangerous software errors list released, Packt Hub 2019 CWE Top 25 Most Dangerous Software Errors, Mag-Securs MITRE publiceert Top 25 van gevaarlijkste softwarefouten, Security.nl Estas son las 25 debilidades de software más importantes, Redes Zone Топ 25 самых опасных уязвимостей 2019 года, Securitylab.ru Bös, böser, Bugs: Das sind die gefährlichsten, Inside IT Please send any feedback about the new CWE Top 25 to us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to cwe@mitre.org. CWE Version 3.4.1 Update Release Now Available September 23, 2019 | Share this article CWE Version 3.4.1 has been posted on the CWE List page to address an oversight in the initial release that was identified by the community. We thank the community for all of your feedback regarding the new CWE Top 25. This minor update release adds a parent Class to the CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, so that CWE-667 Improper Locking is now a child of CWE-662 Improper Synchronization. A detailed report is available that lists specific changes between Version 3.4 and Version 3.4.1. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to cwe@mitre.org. CWE Version 3.4 Now Available September 19, 2019 | Share this article CWE Version 3.4 has been posted on the CWE List page to add support for the recently released "2019 CWE Top 25 Most Dangerous Software Errors" list. A detailed report is available that lists specific changes between Version 3.3 and Version 3.4. Main Changes: CWE 3.4 includes 1 new view, CWE 1200: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors, to support the release of the 2019 CWE Top 25. In all, there were 50 major changes to relationships. There were no schema changes. Summary: There are 808 weaknesses and a total of 1189 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.3_v3.4.html. Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to cwe@mitre.org. 2019 "CWE Top 25" Now Available! September 17, 2019 | Share this article The official version of the "2019 CWE Top 25 Most Dangerous Software Errors," a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website. The weaknesses listed in the CWE Top 25 are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry. Leveraging Real-World Data To create the 2019 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list on a regular basis with minimal effort. The 2019 CWE Top 25 leverages NVD data from the years 2017 and 2018, which consisted of approximately twenty-five thousand CVEs. The CWE Team developed a scoring formula to calculate a rank order of weaknesses. The scoring formula combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen. For detailed information about this new approach, including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page. Future Releases and Feedback Welcome Moving forward, our goal is to update the CWE Top 25 annually using the new methodology described on the CWE Top 25 page. Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to cwe@mitre.org. We look forward to hearing from you! "2019 CWE Top 25" Draft Now Available September 12, 2019 | Share this article A draft version of the "2019 CWE Top 25 Most Dangerous Software Errors" is now available in our announcement message. These rankings may change before the final release, as we re-evaluate certain Common Vulnerabilities and Exposures (CVE®) <-> CWE mappings. New Methodology For an overview of the new methodology used to calculate this new release of the CWE Top 25, see "2019 Update of the "CWE Top 25" Now Underway." In short, we are pulling CWE-related data directly from the U.S. National Vulnerability Database (NVD) and using both frequency and an average Common Vulnerability Scoring System (CVSS) score to determine a rank order. The main advantage of this approach is that the CWE Top 25 will be an objective look at what we are actually seeing in the real-world. Refined Mappings for the 2019 Release For the 2019 CWE Top 25, vulnerabilities for the calendar years 2017 and 2018 are used. The CWE Team has worked very hard over the last few months to correct several thousand mis-mapped CVE Entries, and we have worked with the National Institute of Standards and Technology (NIST) to help improve the mapping of newly reported vulnerabilities with the updated CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view. We will continue our efforts to evaluate these mappings over the coming year to improve things further in advance of a 2020 CWE Top 25. For this upcoming 2019 release, we will provide some explanations for a few inconsistencies such as why CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer is in the list, along with some of its children. In short, this is a cue that we need to improve the mappings that are currently being done, when enough detail is available. The same is true for CWE-20: Improper Input Validation and CWE-200: Information Exposure, both of which are very broad and more specific CWEs are desired. Feedback Encouraged! We look forward to addressing any questions, as well as hearing any thoughts and comments you might have. Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to cwe@mitre.org. 2019 Update of the "CWE Top 25" Now Underway August 7, 2019 | Share this article The CWE Team is currently working towards the generation and publication of a new 2019 release of the "CWE Top 25 Most Dangerous Software Errors." After this initial announcement, our next step will be to release a draft in the coming weeks for community review and comment. Once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community. A New Approach for the Top 25 In previous releases, the Top 25 list was constructed through aggregating survey responses from a wide selection of organizations, and by engaging developers, security analysts, researchers, and vendors. Respondents were asked to nominate weaknesses that they considered to be the most prevalent or important, and then a customized part of the Common Weakness Scoring System (CWSS™) was used to determine a ranking. There were a number of positives in this approach, but it was also labor-intensive and subjective. For the upcoming Top 25, we are using a more rigorous and statistical process leveraging information about actual reported vulnerabilities to determine the prevalence and dangerousness of the given weakness. The CWE Team will use weakness data pulled directly from the U.S. National Vulnerability Database (NVD) to calculate metrics for CWEs. While this method introduces a bias through analyzing only reported vulnerabilities and could potentially exclude some software and a breadth of other data, the CWE Team believes it will result in a more repeatable and accurate Top 25 list. Scoring for the New Top 25 There are two components in our scoring process that will be combined to determine the total score for a CWE. The first component is the frequency that a CWE is the root cause of a vulnerability. The second component is a weakness' average Common Vulnerability Scoring System (CVSS) score, which is meant to determine the overall severity of a weakness. We determine the average CVSS score for a CWE by calculating the sum of all of the CVSS scores for Common Vulnerabilities and Exposures (CVE®) Entries that map to a given CWE, and then dividing this sum by the total number of CVE Entries with that CWE. These two components are normalized before being multiplied together. This process is represented below: W = All CWEs The CWE Team is still reviewing this formula, and it may change before the new Top 25 List is published. Mapping to CVE Entries One of the challenges that we are faced with is addressing the many CVE Entries currently mapped to CWE Categories. Categories are not technically weaknesses and therefore any existing mapping to them is considered incorrect. As such, we have coordinated with NVD and are in the process of finalizing a "mapping analysis" on these CVE Entries to map them to more accurate CWEs at lower levels of abstraction. Relatedly, on June 20, 2019 we published our most recent minor version release, CWE Version 3.3, in which we include a new CWE View: "CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities." Going forward, newly reported vulnerabilities will be mapped to the entries in View 1003 where possible. If over time vulnerability data indicates that certain weaknesses not currently part of View 1003 are occurring more frequently in the wild, View 1003 will evolve as needed to accommodate these new trends. CWE Top 25 Draft Coming Soon This is a large undertaking, but we hope that it will result in a repeatable and more accurate Top 25 list, as well as drive discussions about better ways to approach CVE<->CWE mapping in the future. As stated above, our next step will be to release a draft in the coming weeks for community review and comment and once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community. Please send any initial feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to cwe@mitre.org. CWE Launches "@cwecapec" Twitter Feed August 7, 2019 | Share this article Please follow our new Twitter account at https://twitter.com/cwecapec to get the latest CWE news and announcements. CWE Version 3.3 Now Available June 20, 2019 | Share this article CWE Version 3.3 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.2 and Version 3.3. Main Changes: CWE 3.3 has 1 new view, 1 updated view with 2 new entries, and 2 deprecated entries. In all, 238 entries had major changes to relationship, references, names, fields, and descriptions. The main changes include: (1) adding 1 new view, CWE-1178: Weaknesses Addressed by the SEI CERT Perl Coding Standard, which identifies weaknesses in Perl that may be fully or partially prevented by following the SEI CERT Perl Coding Standard; (2) adding 8 new categories related to CWE-1178; (2) updating the CWE-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, which may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the U.S. National Vulnerability Database (NVD); and adding 2 new weaknesses related to CWE-1003, CWE-1187: Use of Uninitialized Resource, which occurs when a resource has not been properly initialized and the software may behave unexpectedly, and CWE-1188: Insecure Default Initialization of Resource, which occurs when the software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure. There were no schema changes. Summary: There are now 808 weaknesses and a total of 1188 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.2_v3.3.html. Future updates will be noted here and on the CWE Research email discussion list. Please send any comments or concerns to cwe@mitre.org. CWE Is Main Topic of Article on Military Embedded Systems June 20, 2019 | Share this article CWE is the main topic of a March 2019 article entitled "Common Weakness Enumeration (CWE) defines cybersecurity vulnerability landscape for mission-critical applications" on Military Embedded Systems. In the article, the author describes the purpose and possible uses of CWE and CWE-Compatible products, its connection to Common Vulnerabilities and Exposures (CVE®), and discusses examples from the CWE List. The author states: "The Common Weakness Enumeration (CWE, at http://cwe.mitre.org) has emerged as a de facto reference resource to every security-conscious developer of mission-critical embedded systems." "[CWE] has made an important contribution to the overall process of developing more secure and robust software-intensive systems. It provides a common vocabulary that helps internal communications within software development organizations, as well as allowing users to understand and compare the capabilities of tools designed for scanning and analyzing the source code for mission-critical software. Designers will find that including CWE-compatible features into static-analysis and formal method toolsets enables users to readily understand the kinds of security and robustness issues that can be eliminated." CWE Version 3.2 Now Available January 03, 2019 | Share this article CWE Version 3.2 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.1 and Version 3.2. Main Changes CWE 3.2 has 137 new entries and 1 deprecated entry. In all, 534 entries had important changes, primarily due to relationship changes, references, names, and descriptions. The main changes include: (1) adding 89 new entries related to quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate (see the CWE-1040: Quality Weaknesses with Indirect Security Impacts view); (2) adding 1 new weakness, CWE-1173: Improper Use of Validation Framework, detailing the improper use of an available input validation framework; (3) adding 1 new view, CWE-1128: CISQ Quality Measures (2016), to map to the Consortium for IT Software Quality (CISQ) Automated Quality Characteristic Measures released in 2016; and (4) updating the views and categories associated with the Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) Coding Standards. The CWE Schema was updated to v6.1. Summary: There are now 806 weaknesses and a total of 1177 entries on the CWE List. Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.1_v3.2.html. Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org. |