The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.
The first release of the list and associated classification taxonomy was in 2006. Version 4.15 of the CWE standard was released in July 2024.
CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.
Examples
* CWE category 121 is for stack-based buffer overflows.
CWE compatibility
The Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.
In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:
There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.
Research, critiques, and new developments
Some researchers think that ambiguities in CWE can be avoided or reduced.
As of 4/16/2024, the CWE Compatibility Program has been discontinued.
See also
* Common Vulnerabilities and Exposures (CVE)
* Common Vulnerability Scoring System (CVSS)
* National Vulnerability Database
External links
* Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort, 6 March 2007