Announcement: CWE 4.4 Released 3/15!


asummers
Administrator

Dear CWE Research Community,

I hope you are all well!

I am pleased to announce that CWE Version 4.4 was released on Monday, March 15th. The update adds 1 new View, "CWE Entries with Maintenance Notes", which assessment vendors may use to anticipate future changes to CWE and help their customers prepare for those changes; 2 new Software Development Weakness entries: Generation of Weak Initialization Vector (IV) and Inefficient Regular Expression Complexity; as well as updates to 244 other entries. A detailed report is available that lists specific changes between Version 4.3 and Version 4.4.

The CWE Content Team conducted in-depth research and analysis in the following areas:

  • Hardware: identified overlapping/duplicate issues, which will need community consultation to resolve. Also investigating a different way to organize entries besides the hardware view (CWE-1194), and adding Functional_Area elements related to Power and Clock.
  • Cryptography/randomness subtree analysis (CWE-330): the team began investigating how to describe randomness, entropy, and unpredictability in a consistent way and created a new Base (CWE-1204) prompted by community feedback about CWE-329. More changes for randomness are planned, and the CWE research community will be consulted for important decisions.
  • Root cause analysis for access of uninitialized memory: this led to updates to several entries, with more demonstrative and observed examples, and identified the need to clarify differences between CWE-456 and CWE-457, and possibly deprecate CWE-456 in the future.
  • Maintenance view: created new maintenance view (CWE-1081) to make it easier for CWE users to anticipate future changes. Reviewed and updated maintenance notes for over 130 entries.
  • Content checks: improved checks for invalid or inconsistent content, such as relationship gaps (e.g., a Class being a parent of a Variant), incorrect relationships (e.g., a Weakness that is a “ChildOf” a category), or entries where more than one relationship is labeled “Primary”. This work will be ongoing.
  • Consistency: phrasing of mitigations was made more consistent. This work will be ongoing, in collaboration with the Common Attack Pattern Enumeration and Classification (CAPEC™) Team.
  • SEI CERT Perl secure coding view (CWE-1178): added member weaknesses to categories.

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.3_v4.4.html.

As always, thank you so much for your continued interest and support! We’d love to hear your thoughts and comments.

Here are all our points of contact:

CWE page on LinkedIn, @cwecapec on Twitter, and our usual email channels [hidden email] (this email list) or [hidden email] to reach the team directly.

Cheers,

Alec

-- 

Alec J. Summers

Cyber Solutions Innovation Center

Group Leader, Software Assurance Research & Practice

Cyber Security Engineer, Lead

O: (781) 271-6970

C: (781) 496-8426

––––––––––––––––––––––––––––––––––––

MITRE - Solving Problems for a Safer World
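The "Content checks" item above describes three kinds of inconsistency the CWE team now screens for: relationship gaps (a Class directly parenting a Variant), a Weakness that is ChildOf a Category, and more than one relationship labeled Primary. The following is an added illustration of such checks, not MITRE's own tooling; it uses a simplified constructed entry model rather than the real CWE XML schema, and the sample CWE IDs are placeholders.

```python
# Added illustration of CWE-style content checks (not MITRE's tooling).
# Entries are a simplified stand-in for CWE XML: each weakness has an
# abstraction level and a list of (parent id, ordinal) ChildOf relationships.
from typing import Dict, List, Tuple

# Abstraction levels from most general to most specific; a direct ChildOf
# should step down exactly one level (e.g. Class -> Base -> Variant).
ABSTRACTION_RANK = {"Pillar": 0, "Class": 1, "Base": 2, "Variant": 3}

# Constructed sample data with placeholder IDs (not real CWE entries).
SAMPLE_ENTRIES: Dict[str, dict] = {
    "CWE-A": {"kind": "Weakness", "abstraction": "Class", "child_of": []},
    "CWE-B": {"kind": "Weakness", "abstraction": "Base",
              "child_of": [("CWE-A", "Primary")]},
    # Variant directly under a Class: skips the Base level (relationship gap).
    "CWE-C": {"kind": "Weakness", "abstraction": "Variant",
              "child_of": [("CWE-A", "Primary")]},
    "CWE-CAT": {"kind": "Category", "abstraction": None, "child_of": []},
    # Weakness that is ChildOf a Category: wrong relationship type.
    "CWE-D": {"kind": "Weakness", "abstraction": "Base",
              "child_of": [("CWE-CAT", "Primary")]},
    # Two ChildOf relationships both labeled Primary.
    "CWE-E": {"kind": "Weakness", "abstraction": "Variant",
              "child_of": [("CWE-B", "Primary"), ("CWE-D", "Primary")]},
}


def check_entries(entries: Dict[str, dict]) -> List[str]:
    """Return one finding per inconsistency of the three kinds described."""
    findings: List[str] = []
    for cwe_id, entry in entries.items():
        if entry["kind"] != "Weakness":
            continue  # only weaknesses carry ChildOf relationships here
        primaries = 0
        for parent_id, ordinal in entry["child_of"]:
            parent = entries[parent_id]
            if parent["kind"] == "Category":
                findings.append(f"{cwe_id}: Weakness is ChildOf Category {parent_id}")
            else:
                gap = ABSTRACTION_RANK[entry["abstraction"]] - ABSTRACTION_RANK[parent["abstraction"]]
                if gap > 1:  # e.g. Variant whose direct parent is a Class
                    findings.append(f"{cwe_id}: {entry['abstraction']} is a direct child of "
                                    f"{parent['abstraction']} {parent_id} (relationship gap)")
            if ordinal == "Primary":
                primaries += 1
        if primaries > 1:
            findings.append(f"{cwe_id}: {primaries} relationships labeled Primary")
    return findings


if __name__ == "__main__":
    for finding in check_entries(SAMPLE_ENTRIES):
        print(finding)
```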