
Documents

Schema Documentation

This paper contains descriptions of the various CWE schema elements. It provides a basic understanding of the CWE data structure and can be used as a useful guide for developing new CWE entries or adding content to existing entries. Comments and feedback are welcome and should be directed to cwe@mitre.org. April 9, 2008 - Conor Harris, CWE Researcher

HTML

PDF (162 KB)

Difference Report

Unforgivable Vulnerabilities

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

PDF (212 KB)

PDF (153 KB)

Making Security Measurable Podcast

A 10-minute podcast interview with CWE Program Manager Robert A. Martin by BankInfoSecurity.com about CWE, CVE, and Making Security Measurable at Black Hat Briefings 2007 – August 2007

MP3 (9 MB)

Introduction to Vulnerability Theory

This paper is an overview of the vulnerability theory terminology and concepts used to create the structured descriptions of some of the major CWE entries. The purpose of the vulnerability theory vocabulary and framework is to create a standard way of describing flaw concepts and to quickly educate new researchers. Comments and feedback are welcome and should be directed to cwe@mitre.org. July 10, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Bill Heinbockel, CVE Senior Analyst

HTML

PDF (130 KB)

Structured CWE Descriptions

This paper contains structured, semi-formal descriptions of some of the most notorious CWE entries using the vulnerability theory terminology. The structured descriptions provide a consistent way to clearly define the core of each weakness and a means to help clarify classification problems. Comments and feedback are welcome and should be directed to cwe@mitre.org. July 10, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Conor Harris, CWE Researcher

HTML

PDF (163 KB)

Vulnerability Type Distributions in CVE (2001-2006)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML

PDF (2 MB)

Being Explicit About Security Weaknesses, Black Hat DC 2007

This slide presentation and white paper were presented at Black Hat DC 2007. The two documents describe the CWE effort, list community members, explain how the drafts of the CWE dictionary are developed, describe the CWE Compatibility and CWE Effectiveness program, and suggest additional impact and transition opportunities tied to CWE. March 1, 2007 - Robert A. Martin, CWE Program Manager; Sean Barnum, Cigital, Inc.; Steve Christey, CWE Technical Lead

White Paper:
WORD (1.1 MB)
PDF (555 KB)

Slide Presentation:
PPT (14.8 MB)
PDF (2.8 MB)

Being Explicit About Security Weaknesses

This article about CWE was published in Crosstalk, The Journal of Defense Software Engineering. The article describes the CWE effort, lists community members, explains how the drafts of the CWE dictionary are developed, describes the CWE Compatibility and CWE Effectiveness program, and suggests additional impact and transition opportunities tied to CWE. March 2007 - Robert A. Martin, CWE Program Manager

HTML

PDF (417 KB)

A Status Update: The Common Weaknesses Enumeration

Slides presented at the NIST Static Analysis Summit, Gaithersburg, MD, USA. June 29, 2006.

PDF (139 KB)

The Case for Common Flaw Enumeration

This technical white paper discusses the reasons and rationale behind the CWE initiative. November 8, 2005 - Robert A. Martin and Steve Christey (MITRE), and Joe Jarzombek (DHS). Presented at the NIST Workshop on "Software Security Assurance Tools, Techniques, and Methods", Long Beach, CA, USA.

PDF (287 KB)

Page Last Updated: April 11, 2008