Common Weakness Enumeration
_logo.svg){kind=logo}
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation,[2] with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[3][4]
The first release of the list and associated classification taxonomy was in 2006.[5] Version 4.15 of the CWE standard was released in July 2024.[6]
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[7]
Examples
- CWE category 121 is for stack-based buffer overflows.[8]
CWE compatibility
Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.
In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:
| CWE Searchable | users may search security elements using CWE identifiers |
| CWE Output | security elements presented to users include, or allow users to obtain, associated CWE identifiers |
| Mapping Accuracy | security elements accurately link to the appropriate CWE identifiers |
| CWE Documentation | capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used |
| CWE Coverage | for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software |
| CWE Test Results | for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site |
There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.[9]
Research, critiques, and new developments
Some researchers think that ambiguities in CWE can be avoided or reduced.[10]
As of 4/16/2024, the CWE Compatibility Program has been discontinued.[11]
See also
- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- National Vulnerability Database
References
- ↑ "CWE - About CWE". at mitre.org. http://cwe.mitre.org/about/index.html.
- ↑ "CWE - Frequently Asked Questions (FAQ)". https://cwe.mitre.org/about/faq.html#cwe_sponsor.
- ↑ "Vulnerabilities | NVD CWE Slice". https://nvd.nist.gov/vuln/categories.
- ↑ Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities" (in en). Information and Software Technology 68: 18–33. doi:10.1016/j.infsof.2015.08.002. https://linkinghub.elsevier.com/retrieve/pii/S0950584915001366.
- ↑ "CWE - About - CWE History". https://cwe.mitre.org/about/history.html.
- ↑ "CWE Version 4.15 Now Available". Mitre Corporation. https://cwe.mitre.org/news/archives/news2024.html#july16_CWE_Version_4.15_Now_Available.
- ↑ Bojanova, Irena (2014). "Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities". https://samate.nist.gov/BF/Enlightenment/CWE.html.
- ↑ "CWE - CWE-121: Stack-based Buffer Overflow (4.15)". https://cwe.mitre.org/data/definitions/121.html. Retrieved August 5, 2024.
- ↑ "CWE - CWE-Compatible Products and Services". at mitre.org. https://cwe.mitre.org/compatible/compatible.html.
- ↑ "Towards a "Periodic Table" of Bugs". 2015. https://www.nist.gov/publications/towards-147periodic-table148-bugs.
- ↑ "CWE-Compatible Products and Services". https://cwe.mitre.org/compatible/compatible.html.
External links
- Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort // 6 March 2007
- "Classes of Vulnerabilities and Attacks". Wiley Handbook of Science and Technology for Homeland Security. http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf.
 |  |
