Documents
Documents

The Evolution of the CWE Development and Research Views

This paper explains the evolution of the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts). It identifies the methodologies used for constructing the views, including the emphasis on providing clear names and descriptions.

HTML

Schema Documentation

This document contains descriptions of the various CWE schema elements. It provides a basic understanding of the CWE data structure and can be used as a useful guide for developing new CWE entries or adding content to existing entries. Comments and feedback are welcome and should be directed to cwe@mitre.org. September 9, 2008 - Conor Harris, CWE Researcher

CWE Glossary of Terms

This document provides informal definitions for some of the most commonly used terms on this site. July 27, 2009 - Steve Christey, CWE Technical Lead

HTML

Introduction to Vulnerability Theory

This paper is an overview of the vulnerability theory terminology and concepts used to create the structured descriptions of some of the major CWE entries. The purpose of the vulnerability theory vocabulary and framework is to create a standard way of describing flaw concepts and to quickly educate new researchers. Comments and feedback are welcome and should be directed to cwe@mitre.org. October 29, 2009 - Steve Christey, CWE Technical Lead; Conor Harris, CWE Researcher

HTML

PDF (279 KB)

A Comparison of the CWE Development and Research Views

This paper performs a comparison between the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts), and shows how CWE-699 has some similarities with Seven Pernicious Kingdoms (CWE-700), while CWE-1000 is a new approach to weakness classification. Comments and feedback are welcome and should be directed to cwe@mitre.org. September 9, 2008 - Steve Christey, CWE Technical Lead

HTML

CWE Mapping Analysis

This paper describes the results of a study that examined how well CWE can be mapped to third party weakness descriptions. The CWE mappings for three separate repositories were analyzed and broken into ten categories of "mapping fit." Several categories have implications for how CWE content should be managed in the future. Tool vendors and researchers in vulnerability classification will find this document useful. Comments and feedback are welcome and should be directed to cwe@mitre.org. September 9, 2008 - Mark Loveless, CWE Researcher

HTML

PDF (53 KB)

Unforgivable Vulnerabilities

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

PDF (212 KB)

PDF (153 KB)

Making Security Measurable Podcast

A 10-minute podcast interview with CWE Program Manager Robert A. Martin by BankInfoSecurity.com about CWE, CVE, and Making Security Measurable at Black Hat Briefings 2007 – August 2007

MP3 (9 MB)

Structured CWE Descriptions

This paper contains structured, semi-formal descriptions of some of the most notorious CWE entries using the vulnerability theory terminology. The structured descriptions provide a consistent way to clearly define the core of each weakness and a means to help clarify classification problems. Comments and feedback are welcome and should be directed to cwe@mitre.org. July 10, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Conor Harris, CWE Researcher

HTML

PDF (163 KB)

Vulnerability Type Distributions in CVE (2001-2006)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML

PDF (2 MB)

Being Explicit About Security Weaknesses, Black Hat DC 2007

This slide presentation and white paper were presented at Black Hat DC 2007. The two documents describe the CWE effort, list community members, explain how the drafts of the CWE dictionary are developed, describe the CWE Compatibility and CWE Effectiveness program, and suggest additional impact and transition opportunities tied to CWE. March 1, 2007 - Robert A. Martin, CWE Program Manager; Sean Barnum, Cigital, Inc.; Steve Christey, CWE Technical Lead

White Paper:
WORD (1.1 MB)
PDF (555 KB)

Slide Presentation:
PPT (14.8 MB)
PDF (2.8 MB)

Being Explicit About Security Weaknesses

This article about CWE was published in Crosstalk, The Journal of Defense Software Engineering. The article describes the CWE effort, lists community members, explains how the drafts of the CWE dictionary are developed, describes the CWE Compatibility and CWE Effectiveness program, and suggests additional impact and transition opportunities tied to CWE. March 2007 - Robert A. Martin, CWE Program Manager

HTML

PDF (417 KB)

A Status Update: The Common Weaknesses Enumeration

NIST Static Analysis Summit, Gaithersburg, MD Jun 29, 2006.

PDF (139 KB)

The Case for Common Flaw Enumeration

This technical white paper discusses the reasons and rational behind the CWE initiative. PDF document. November 8, 2005 - Robert A. Martin and Steve Christey (MITRE), and Joe Jarzombek (DHS) (NIST Workshop on "Software Security Assurance Tools, Techniques, and Methods", Long Beach, CA., USA)

PDF (287 KB)