CWE-Common Weakness Enumeration - DefenseLead

The Common Weakness Enumeration (CWE) is a catalogue of software and hardware security weaknesses found in system architecture, design, or code. Each entry represents one weakness type and carries a unique identifier (the CWE ID), a description, the phase in which the weakness is typically introduced, applicable platforms, the severity of its impact, possible mitigations, and references to known instances of the weakness.

The CWE database is maintained by The Mitre Corporation, a non-profit organization that operates the United States National Cybersecurity FFRDC, and is available free of charge worldwide.

The main purpose of the project is to identify and understand security weaknesses in software and hardware, and to enable effective automated tools that can diagnose, fix, and prevent those weaknesses.

As of July 2021, more than 900 weaknesses are registered on the CWE website, ranging from cross-site scripting, buffer overflows, insecure random numbers, and hard-coded passwords to path/directory traversal.

Criteria for the CWE Compatibility: 

A product or service can be evaluated, reviewed, and registered as officially “CWE-Compatible” or “CWE-Effective”. The Common Weakness Enumeration (CWE) Compatibility Program helps organizations choose the right software tools and research possible weaknesses and their impacts.

To obtain CWE-Compatible status, a product or service must meet 4 of the 6 requirements listed below:

  • CWE Searchable: users may search security elements using CWE identifiers.
  • CWE Output: security elements presented to users include, or allow users to obtain, the associated CWE identifiers.
  • Mapping Accuracy: security elements are linked accurately to the appropriate CWE identifiers.
  • CWE Documentation: the capability’s documentation describes CWE, CWE compatibility, and how the CWE-related elements of the capability are used.
  • CWE Coverage: for CWE-Compatibility and CWE-Effectiveness, the capability’s documentation explicitly lists the CWE IDs that the capability claims to cover and is effective at locating in software.
  • CWE Test Results: for CWE-Effectiveness, test results from the capability showing the outcome of evaluating software for those CWEs are posted on the CWE website.

CWE is compiled and updated by experts from security companies, organizations, IT vendors, researchers, and government agencies. Currently, 63 organizations develop and maintain products and services that have achieved CWE-Compatible status.

CWE content is organized into three levels, each aimed at a different audience.

  • The lowest level details individual known weaknesses for tool vendors, researchers, and experts at all levels, including personal computer users.
  • The middle level is aimed at security practitioners, software developers, and system administrators.
  • The highest level is aimed at software experts, enterprise management, and other stakeholders.

Syntax format of CWE:

The standard syntax of a CWE ID is a variable-length string consisting of:

CWE Prefix + Sequential Digits

CWE syntax format

A CWE ID consists of two parts. The prefix is identical for every ID and is always ‘CWE’; it is followed by a hyphen and the sequential digits that make up the number.

For example, CWE-787 represents the software flaw ranked #1 in the 2021 CWE Top 25 Most Dangerous Software Weaknesses.

More details can be found here: CWE – CWE-787: Out-of-bounds Write (4.5) 

CWE Latest Version and Top 25 Dangerous Software Weaknesses (CWE Top 25) Calculation:

The current release is version 4.5. Every year, the Mitre Corporation compares and analyzes the most common and impactful issues over the previous two calendar years and releases a list of the Top 25 Most Dangerous Software Weaknesses (CWE Top 25).

To create the list each year, the CWE team uses the Common Vulnerabilities and Exposures (CVE) data available in the National Vulnerability Database (NVD), together with the Common Vulnerability Scoring System (CVSS) scores associated with each CVE identifier.

Weaknesses are rated as dangerous based on how often they occur, how easy they are to find and exploit, and whether they allow an attacker to take full control of a system, steal data, and so on. The ranking is computed with a formula that scores each weakness from this data, weighted by severity.
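The calculation described above, together with the CWE ID syntax from the earlier section, as an added example (not code from the page or from MITRE): the scoring follows the normalized frequency-times-severity formula MITRE published for the 2021 Top 25, and the NVD-style records below are constructed for illustration.

```python
import re
from collections import defaultdict

# CWE ID syntax from the article: fixed prefix "CWE", a hyphen, then sequential digits.
CWE_ID_RE = re.compile(r"^CWE-(\d+)$")

def parse_cwe_id(text):
    """Return the numeric part of a well-formed CWE ID, or None if malformed."""
    m = CWE_ID_RE.match(text.strip())
    return int(m.group(1)) if m else None

# Constructed NVD-style records (CVE id, CVSS base score, mapped CWE ids); not real data.
SAMPLE_CVES = [
    ("CVE-0000-0001", 9.8, ["CWE-787"]),
    ("CVE-0000-0002", 7.5, ["CWE-787"]),
    ("CVE-0000-0003", 8.8, ["CWE-787", "CWE-119"]),
    ("CVE-0000-0004", 6.1, ["CWE-79"]),
    ("CVE-0000-0005", 5.4, ["CWE-79"]),
    ("CVE-0000-0006", 6.1, ["CWE-79"]),
    ("CVE-0000-0007", 4.3, ["CWE-79"]),
    ("CVE-0000-0008", 9.1, ["CWE-798"]),
    ("CVE-0000-0009", 7.5, ["CWE-22"]),
    ("CVE-0000-0010", 3.1, ["bogus-id"]),  # malformed mapping: excluded from the dataset
]

def top25_scores(cves):
    """Score each CWE as normalized frequency * normalized average CVSS * 100.
    Fr = (count - min count) / (max count - min count)
    Sv = (avg CVSS for the CWE - min CVSS) / (max CVSS - min CVSS)
    Records with no well-formed CWE mapping are dropped, as MITRE's method does.
    """
    counts, cvss_sum, all_cvss = defaultdict(int), defaultdict(float), []
    for _cve, cvss, cwes in cves:
        valid = [c.strip() for c in cwes if parse_cwe_id(c) is not None]
        if not valid:
            continue
        all_cvss.append(cvss)
        for cwe in valid:
            counts[cwe] += 1
            cvss_sum[cwe] += cvss
    lo_f, hi_f = min(counts.values()), max(counts.values())
    lo_s, hi_s = min(all_cvss), max(all_cvss)
    scores = {}
    for cwe, n in counts.items():
        fr = (n - lo_f) / (hi_f - lo_f) if hi_f > lo_f else 1.0
        sv = (cvss_sum[cwe] / n - lo_s) / (hi_s - lo_s) if hi_s > lo_s else 1.0
        scores[cwe] = round(fr * sv * 100, 2)
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))
```

Note that a weakness appearing only once in the dataset scores 0 regardless of its CVSS, which is why the real list also depends on how the NVD maps CVEs to CWEs.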

Read more about the latest 2021 CWE Top 25 Most Dangerous Software Weaknesses – Source.

What is Common Weakness Scoring System (CWSS): 

The Mitre Corporation also introduced a scoring system for weaknesses, called the Common Weakness Scoring System (CWSS).

The Common Weakness Scoring System (CWSS) provides a framework for prioritizing software weaknesses in a consistent, flexible, and open manner. It is a collaborative, community-driven effort that addresses the needs of its stakeholders across government, industry, and academia.

CWSS is organized into three metric groups: Base Finding, Attack Surface, and Environmental. Each group contains multiple metrics, also called factors, which are combined to compute a CWSS score for a weakness.
