Common Weakness Enumeration
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project whose goals are to understand flaws in software and hardware and to create automated tools that can identify, fix, and prevent those flaws.[1] The project is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) and operated by The MITRE Corporation,[2] with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[3][4]
Version 4.10 of the CWE standard was released in July 2021.[5]
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[6]
Examples
- CWE category 121 is for stack-based buffer overflows.[7]
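The weakness pattern that CWE-121 names, shown as an added example that is not part of the article or of the CWE project's own material: an unbounded copy into a fixed-size stack buffer next to a bounded version that rejects input which does not fit. The function names `copy_unbounded` and `copy_bounded` and the sample inputs are this example's own.

```c
/* Added example: the CWE-121 pattern (stack-based buffer overflow) beside a
 * mitigated copy. Function names and inputs are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* CWE-121 pattern: strcpy() writes as many bytes as the source holds, so a
 * source longer than NAME_LEN-1 characters runs past the stack buffer.
 * Shown for contrast only; it is never given untrusted input here. */
void copy_unbounded(const char *src)
{
    char name[NAME_LEN];
    strcpy(name, src);          /* no length check: the weakness */
    printf("unbounded: %s\n", name);
}

/* Mitigated form: measure the source without scanning past dst_len bytes,
 * reject it if it would not fit with its terminating NUL, then copy with an
 * explicit bound. Returns 1 on success, 0 if the input was rejected. */
int copy_bounded(const char *src, char *dst, size_t dst_len)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* bounded length scan */
        n++;
    if (dst_len == 0 || n >= dst_len)       /* needs n+1 bytes including NUL */
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

int main(void)
{
    char name[NAME_LEN];
    /* constructed inputs: one fits the buffer, one is longer than it */
    const char *ok = "alice";
    const char *too_long = "a-name-much-longer-than-sixteen-bytes";

    printf("fits:     %d\n", copy_bounded(ok, name, sizeof name));       /* 1 */
    printf("rejected: %d\n", copy_bounded(too_long, name, sizeof name)); /* 0 */
    copy_unbounded(ok);   /* safe only because "alice" fits in NAME_LEN */
    return 0;
}
```

A detection or code-review rule for CWE-121 looks for the first shape (fixed-size local array plus an unbounded copy or format into it); the fix is always to make the destination size part of the copy.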
CWE compatibility
The Common Weakness Enumeration (CWE) Compatibility program allows a product or service to be reviewed and registered as officially "CWE-Compatible" or "CWE-Effective". The program helps organizations select suitable software tools and learn about possible weaknesses and their potential impact.
In order to obtain CWE Compatible status, a product or service must meet 4 out of the 6 requirements shown below:

Requirement | Description
--- | ---
CWE Searchable | users may search security elements using CWE identifiers
CWE Output | security elements presented to users include, or allow users to obtain, associated CWE identifiers
Mapping Accuracy | security elements accurately link to the appropriate CWE identifiers
CWE Documentation | the capability's documentation describes CWE, CWE compatibility, and how the CWE-related functionality in the capability is used
CWE Coverage | for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
CWE Test Results | for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
As of September 2019, 56 organizations that develop and maintain products and services had achieved CWE Compatible status.[8]
Research, critiques, and new developments
Some researchers think that ambiguities in CWE can be avoided or reduced.[9]
See also
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- National Vulnerability Database
References
- ↑ "CWE - About CWE". at mitre.org. http://cwe.mitre.org/about/index.html.
- ↑ "CWE - Frequently Asked Questions (FAQ)". https://cwe.mitre.org/about/faq.html#cwe_sponsor.
- ↑ National Vulnerabilities Database CWE Slice at nist.gov
- ↑ Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology 68: 18–33. doi:10.1016/j.infsof.2015.08.002. https://linkinghub.elsevier.com/retrieve/pii/S0950584915001366.
- ↑ "CWE Version 4.10 Now Available". The MITRE Corporation. https://cwe.mitre.org/news/index.html#january312023_CWE_Version_4.10_Now_Available.
- ↑ The Bugs Framework (BF) / Common Weakness Enumeration (CWE) at nist.gov
- ↑ CWE-121: Stack-based Buffer Overflows
- ↑ "CWE - CWE-Compatible Products and Services". at mitre.org. https://cwe.mitre.org/compatible/compatible.html.
- ↑ Black, Paul E.; Bojanova, Irena V.; Yesha, Yaacov; Wu, Yan (2015). "Towards a 'Periodic Table' of Bugs".
External links
- Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort // 6 March 2007
- "Classes of Vulnerabilities and Attacks". Wiley Handbook of Science and Technology for Homeland Security. http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf.
Original source: https://en.wikipedia.org/wiki/Common Weakness Enumeration.