Industry News Coverage
Below is a comprehensive monthly review of the news and other media’s coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
CrossTalk Magazine: The Journal of Defense Software Engineering, March/April 2012
CVE, Common Weaknesses Enumeration (CWE™), and the CWE/SANS Top 25 Most Dangerous Programming Errors List are mentioned in an article entitled "Supply Chain Risk Management" in the March/April 2012 issue of CrossTalk Magazine: The Journal of Defense Software Engineering.
CVE, CWE, and the CWE/SANS Top 25 are mentioned in phase 2 of a section entitled "A Three-phase Code Analysis Process": "Look for common vulnerability patterns … analysts [should] make sure that code reviews cover the most common vulnerabilities and weaknesses. Sources for such common vulnerabilities and weaknesses include the Common Vulnerabilities and Exposures (CVE) and Common Weaknesses Enumeration (CWE) databases, maintained by the MITRE Corporation and accessible on the web at: <http://cve.mitre.org/cve/> and <http://cwe.mitre.org/>. MITRE, in cooperation with the SANS Institute, also maintains a list of the 'Top 25 Most Dangerous Programming Errors' that can lead to serious vulnerabilities. The top three classes of errors as of December 2010 were cross-site scripting, SQL injection, and buffer overflows. Static code analysis tools and manual techniques should, at a minimum, address these Top 25." CWE and the CWE/SANS Top 25 are also cited again and described in more detail at the end of the article in a section entitled "Useful Links".
The article was written by Paul R. Croll.
Government Computer News, January 9, 2012
CVE is mentioned in a January 9, 2012 article entitled "Getting the most out of automated IT security management" on Government Computer News.com. The main topic of the article is the National Institute of Standards and Technology (NIST) updating its guidelines for using Security Content Automation Protocol (SCAP) "for checking and validating security settings on IT systems" by releasing "Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, Revision 1."
CVE is mentioned when the author explains how SCAP combines several existing community standards created and maintained by several different organizations "including MITRE Corp., the National Security Agency, and the Forum for Incident Response and Security Teams", and that the "specifications making up SCAP are divided into languages, reporting formats, enumerations, measurement and scoring systems, and integrity protection." The author then lists the 11 SCAP components, with CVE included under Enumerations. The other MITRE initiatives listed are Common Platform Enumeration (CPE) and Common Configuration Enumeration (CCE), also under Enumerations, and under Languages, Open Vulnerability and Assessment Language (OVAL). The article concludes with a summary of the updates to the guidelines.
The article was written by William Jackson.