Common Weakness Enumeration
{{Short description|Catalog of software weaknesses and vulnerabilities}}
file:Common Weakness Enumeration (CWE) logo.svg
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is maintained by a community project whose goals are understanding flaws in software and hardware and creating automated tools that can identify, fix, and prevent those flaws.{{cite web |url=http://cwe.mitre.org/about/index.html |title=CWE - About CWE|publisher=at mitre.org}} The project is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and operated by The MITRE Corporation,{{Cite web |title=CWE - Frequently Asked Questions (FAQ) |url=https://cwe.mitre.org/about/faq.html#cwe_sponsor |access-date=2023-09-21 |website=cwe.mitre.org}} with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.{{cite web|url=https://nvd.nist.gov/vuln/categories|title= Vulnerabilities {{!}} NVD CWE Slice|website=National Vulnerability Database}}{{Cite journal |last1=Goseva-Popstojanova |first1=Katerina |last2=Perhinschi |first2=Andrei |date=2015 |title=On the capability of static code analysis to detect security vulnerabilities |url=https://linkinghub.elsevier.com/retrieve/pii/S0950584915001366 |journal=Information and Software Technology |language=en |volume=68 |pages=18–33 |doi=10.1016/j.infsof.2015.08.002}}
The first release of the list and its associated classification taxonomy was in 2006.{{Cite web |title=CWE - About - CWE History |url=https://cwe.mitre.org/about/history.html |access-date=2025-02-18 |website=cwe.mitre.org}} Version 4.15 of the CWE standard was released in July 2024.{{cite web|url=https://cwe.mitre.org/news/archives/news2024.html#july16_CWE_Version_4.15_Now_Available|title=CWE Version 4.15 Now Available|publisher=Mitre Corporation|access-date=17 October 2024}}
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.{{cite web|url=https://samate.nist.gov/BF/Enlightenment/CWE.html|title= Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities |first=Irena|last=Bojanova|authorlink=Irena Bojanova|website=samate.nist.gov|year=2014}}
Examples
- CWE category 121 is for stack-based buffer overflows.{{Cite web|url=https://cwe.mitre.org/data/definitions/121.html|title=CWE - CWE-121: Stack-based Buffer Overflow (4.15)|website=cwe.mitre.org|accessdate=August 5, 2024}}
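As an added illustration (not from the article or from MITRE's CWE material), the weakness that CWE-121 classifies, written in C: a fixed-size stack buffer filled by an unbounded copy, followed by the corrected form that bounds the copy and rejects input that would not fit. The function names and buffer size are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size stack buffer used by both versions below */

/* CWE-121 as it typically appears: strcpy() into a fixed stack buffer with no
 * check that the source fits. A name of NAME_MAX bytes or more overwrites
 * adjacent stack memory. Kept here to show the weakness; main() does not
 * call it. (Hypothetical function name.) */
void greet_weak(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);              /* unbounded copy: the weakness */
    printf("hello, %s\n", buf);
}

/* Corrected form: the copy is bounded by the destination size and an
 * over-long name is rejected rather than truncated silently.
 * Returns 0 on success, -1 if the name would not fit. */
int greet_safe(const char *name) {
    char buf[NAME_MAX];
    size_t n = strlen(name);
    if (n >= sizeof buf) {          /* leave room for the terminating NUL */
        return -1;
    }
    memcpy(buf, name, n + 1);       /* copy includes the terminating NUL */
    printf("hello, %s\n", buf);
    return 0;
}

int main(void) {
    greet_safe("alice");                                   /* fits: printed */
    if (greet_safe("this_name_is_far_too_long") != 0) {    /* 25 bytes */
        puts("rejected over-long name (CWE-121 avoided)");
    }
    return 0;
}
```

A static analyser that reports the `strcpy` in `greet_weak` would tag the finding with CWE-121; the bounded version gives it nothing to report.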
CWE compatibility
The Common Weakness Enumeration (CWE) Compatibility program allows a service or product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program helps organizations select suitable software tools and learn about possible weaknesses and their potential impact.
To obtain CWE-Compatible status, a product or service must meet 4 of the 6 requirements shown below:
{| class="wikitable"
! Requirement !! Description
|-
| CWE Searchable || users may search security elements using CWE identifiers
|-
| CWE Output || security elements presented to users include, or allow users to obtain, associated CWE identifiers
|-
| Mapping Accuracy || security elements accurately link to the appropriate CWE identifiers
|-
| CWE Documentation || capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
|-
| CWE Coverage || for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
|-
| CWE Test Results || for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
|}
As of September 2019, 56 organizations develop and maintain products and services that have achieved CWE-Compatible status.{{cite web |url=https://cwe.mitre.org/compatible/compatible.html |title=CWE - CWE-Compatible Products and Services|publisher=at mitre.org}}
Research, critiques, and new developments
Some researchers think that ambiguities in CWE can be avoided or reduced.{{cite web|author1=Paul E. Black|author2= Irena V. Bojanova|author3= Yaacov Yesha|author4= Yan Wu|year= 2015|url= https://www.nist.gov/publications/towards-147periodic-table148-bugs |title=Towards a "Periodic Table" of Bugs|website=National Institute of Standards and Technology}}
As of April 16, 2024, the CWE Compatibility Program has been discontinued.{{cite web |url=https://cwe.mitre.org/compatible/compatible.html|title=CWE-Compatible Products and Services |website=Common Weakness Enumeration|archive-date=2025-01-07 |archive-url=https://web.archive.org/web/20250107144449/https://cwe.mitre.org/compatible/compatible.html}}
References
{{reflist}}
External links
- [http://www.omg.org/news/meetings/workshops/SWA_2007_Presentations/02-1_Martin_revised.pdf Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort] // 6 March 2007
- {{cite web |url=http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf |title=Classes of Vulnerabilities and Attacks |work=Wiley Handbook of Science and Technology for Homeland Security |others=comparison of different vulnerability Classifications |archive-url=https://web.archive.org/web/20160322061614/http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf |archive-date=2016-03-22 |url-status=dead }}
{{MITRE security ontologies}}