Common Weakness Enumeration
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation,[2] with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[3][4]
Version 4.10 of the CWE standard was released in July 2021.[5]
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[6]
Examples
- CWE category 121 is for stack-based buffer overflows.[7]
CWE compatibility
Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.
In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:
| CWE Searchable | users may search security elements using CWE identifiers |
| CWE Output | security elements presented to users include, or allow users to obtain, associated CWE identifiers |
| Mapping Accuracy | security elements accurately link to the appropriate CWE identifiers |
| CWE Documentation | capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used |
| CWE Coverage | for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software |
| CWE Test Results | for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site |
There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.[8]
Research, critiques, and new developments
Some researchers think that ambiguities in CWE can be avoided or reduced.[9]
See also
References
- "CWE - About CWE". at mitre.org.
- "CWE - Frequently Asked Questions (FAQ)". cwe.mitre.org. Retrieved 2023-09-21.
- National Vulnerabilities Database CWE Slice at nist.gov
- Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology. 68: 18–33. doi:10.1016/j.infsof.2015.08.002.
- "CWE Version 4.10 Now Available". The MITRE Corporation. Retrieved 9 March 2022.
- The Bugs Framework (BF) / Common Weakness Enumeration (CWE) at nist.gov
- CWE-121: Stack-based Buffer Overflows
- "CWE - CWE-Compatible Products and Services". at mitre.org.
- Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu. 2015. Towards a “Periodic Table” of Bugs
External links
- Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort // 6 March 2007
- "Classes of Vulnerabilities and Attacks" (PDF). Wiley Handbook of Science and Technology for Homeland Security. comparison of different vulnerability Classifications. Archived from the original (PDF) on 2016-03-22.
{{cite web}}: CS1 maint: others (link)