Common Weakness Enumeration
The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation,[2] with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[3][4]
Version 4.15 of the CWE standard was released in July 2024.[5]
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[6]
Examples
[edit]- CWE category 121 is for stack-based buffer overflows.[7]
CWE compatibility
[edit]Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.
In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:
| CWE Searchable | users may search security elements using CWE identifiers |
| CWE Output | security elements presented to users include, or allow users to obtain, associated CWE identifiers |
| Mapping Accuracy | security elements accurately link to the appropriate CWE identifiers |
| CWE Documentation | capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used |
| CWE Coverage | for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software |
| CWE Test Results | for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site |
There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.[8]
Research, critiques, and new developments
[edit]Some researchers think that ambiguities in CWE can be avoided or reduced.[9]
See also
[edit]- Common Vulnerabilities and Exposures (CVE)
- Common Vulnerability Scoring System (CVSS)
- National Vulnerability Database
References
[edit]- ^ "CWE - About CWE". at mitre.org.
- ^ "CWE - Frequently Asked Questions (FAQ)". cwe.mitre.org. Retrieved 2023-09-21.
- ^ "Vulnerabilities | NVD CWE Slice". National Vulnerability Database.
- ^ Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology. 68: 18–33. doi:10.1016/j.infsof.2015.08.002.
- ^ "CWE Version 4.15 Now Available". Mitre Corporation. Retrieved 17 October 2024.
- ^ Bojanova, Irena (2014). "Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities". samate.nist.gov.
- ^ "CWE - CWE-121: Stack-based Buffer Overflow (4.15)". cwe.mitre.org. Retrieved August 5, 2024.
- ^ "CWE - CWE-Compatible Products and Services". at mitre.org.
- ^ Paul E. Black; Irena V. Bojanova; Yaacov Yesha; Yan Wu (2015). "Towards a "Periodic Table" of Bugs". National Institute of Standards and Technology.
External links
[edit]- Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort // 6 March 2007
- "Classes of Vulnerabilities and Attacks" (PDF). Wiley Handbook of Science and Technology for Homeland Security. comparison of different vulnerability Classifications. Archived from the original (PDF) on 2016-03-22.
{{cite web}}: CS1 maint: others (link)