📑 Table of Contents
Common Weakness Enumeration (CWE) logo

The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by the office of the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), which is operated by The MITRE Corporation,[2] with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[3][4]

The first release of the list and associated classification taxonomy was in 2006.[5] Version 4.15 of the CWE standard was released in July 2024.[6]

CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[7]

Examples

edit
  • CWE category 121 is for stack-based buffer overflows.[8]

CWE compatibility

edit

Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.

In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:

CWE Searchable users may search security elements using CWE identifiers
CWE Output security elements presented to users include, or allow users to obtain, associated CWE identifiers
Mapping Accuracy security elements accurately link to the appropriate CWE identifiers
CWE Documentation capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
CWE Coverage for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
CWE Test Results for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site

There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.[9]

Research, critiques, and new developments

edit

Some researchers think that ambiguities in CWE can be avoided or reduced.[10]

As of 4/16/2024, the CWE Compatibility Program has been discontinued.[11]

See also

edit

References

edit
  1. ^ "CWE - About CWE". at mitre.org.
  2. ^ "CWE - Frequently Asked Questions (FAQ)". cwe.mitre.org. Retrieved 2023-09-21.
  3. ^ "Vulnerabilities | NVD CWE Slice". National Vulnerability Database.
  4. ^ Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology. 68: 18–33. doi:10.1016/j.infsof.2015.08.002.
  5. ^ "CWE - About - CWE History". cwe.mitre.org. Retrieved 2025-02-18.
  6. ^ "CWE Version 4.15 Now Available". Mitre Corporation. Retrieved 17 October 2024.
  7. ^ Bojanova, Irena (2014). "Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities". samate.nist.gov.
  8. ^ "CWE - CWE-121: Stack-based Buffer Overflow (4.15)". cwe.mitre.org. Retrieved August 5, 2024.
  9. ^ "CWE - CWE-Compatible Products and Services". at mitre.org.
  10. ^ Paul E. Black; Irena V. Bojanova; Yaacov Yesha; Yan Wu (2015). "Towards a "Periodic Table" of Bugs". National Institute of Standards and Technology.
  11. ^ "CWE-Compatible Products and Services". Common Weakness Enumeration. Archived from the original on 2025-01-07.
edit

📚 Artikel Terkait di Wikipedia

CERT Coding Standards

cross-referenced with several other standards including Common Weakness Enumeration (CWE) entries and MISRA. Common Vulnerabilities and Exposures National Vulnerability

Common Vulnerabilities and Exposures

The Common Vulnerabilities and Exposures (CVE) system, originally Common Vulnerability Enumeration, provides a reference method for publicly known information-security

PVS-Studio

security testing, or SAST), the analyzer matches warnings to the common weakness enumeration, SEI CERT coding standards, and supports the MISRA standard.

Common Vulnerability Scoring System

metrics Common Weakness Enumeration (CWE) Common Vulnerabilities and Exposures (CVE) Common Attack Pattern Enumeration and Classification (CAPEC) "Common Vulnerability

Mass assignment vulnerability

Controlled Modification of Dynamically-Determined Object Attributes". Common Weakness Enumeration. NIST. Retrieved February 27, 2013. "Mass Assignment". Ruby On

Software security assurance

"Common Weaknesses Enumeration Project". Retrieved 26 August 2010. Web Application Security Testing "A Catalog of Security Architecture Weaknesses".

OWASP

Source Security Foundation Application security Mobile security Common Weakness Enumeration Huseby, Sverre (2004). Innocent Code: A Security Wake-Up Call

Vulnerability (computer security)

risk score using Common Vulnerability Scoring System (CVSS), Common Platform Enumeration (CPE) scheme, and Common Weakness Enumeration.[citation needed]