Abstract
This paper is a status update on the Common Weakness Enumeration (CWE) initiative [1], one of the efforts focused on improving the utility and effectiveness of code-based security assessment technology. As hoped, the CWE initiative has helped to dramatically accelerate the use of tool-based assurance arguments in reviewing software systems for security issues and invigorated the investigation of code implementation, design, and architecture issues with automation.
- "The Common Weakness Enumeration (CWE) Initiative", MITRE Corporation, (http://cwe.mitre.org/).
- Martin, R., Barnum, S., "A Status Update: The Common Weaknesses Enumeration". Proceedings of the Static Analysis Summit, NIST Special Publication 500-262, July 2006.
- "The Software Assurance Metrics and Tool Evaluation (SAMATE) project", National Institute of Science and Technology (NIST), (http://samate.nist.gov).
- "The OMG Software Assurance (SwA) Special Interest Group", (http://swa.omg.org).
- "ISO/IEC JTC 1/SC22 Other Working Group: Vulnerabilities", ISO/IEC JTC 1/SC 22 Secretariat, (http://www.aitcnet.org/isai/).
- "SANS Software Security Institute", SANS Institute, (http://www.sans-ssi.org/).
- "The Common Weakness Enumeration (CWE) Community", MITRE Corporation, (http://cwe.mitre.org/community/).
- "The Preliminary List Of Vulnerability Examples for Researchers (PLOVER)", MITRE Corporation, (http://cve.mitre.org/docs/plover/).
- "Introduction to Vulnerability Theory" and "Structured CWE Descriptions Documents", MITRE Corporation, (http://cwe.mitre.org/about/documents.html).
- "The Common Attack Pattern Enumeration and Classification (CAPEC) Initiative", Cigital, Inc. and MITRE Corporation, (http://capec.mitre.org/).
- "The Common Weakness Enumeration (CWE) Compatibility Declarations", MITRE Corporation, (http://cwe.mitre.org/compatible/organizations.html).
- Martin, R. A., Christey, S., "Being Explicit About Software Weaknesses". "Black Hat DC Training 2007", February 2007, Arlington, VA.
- Martin, R. A., "Being Explicit About Security Weaknesses". "CrossTalk: The Journal of Defense Software Engineering", (http://www.stsc.hill.af.mil/CrossTalk/2007/03/), March 2007.
- Martin, R. A., Christey, S., Jarzombek, J., "The Case for Common Flaw Enumeration". "NIST Workshop on Software Security Assurance Tools, Techniques, and Metrics", November 2005, Long Beach, CA.
- "OWASP Top Ten Project 2007", Open Web Application Security Project, (http://www.owasp.org/index.php/Top_10_2007).
- "National Vulnerability Database (NVD)", National Institute of Science and Technology (NIST), (http://nvd.nist.gov/nvd.cfm).
Index Terms
Common weakness enumeration (CWE) status update