Using the CWE List
This document, which is posted on the CWE List page, contains descriptions of the various elements in the official CWE Schema. It provides a basic understanding of the CWE data structure and can be used as a useful guide for developing new CWE entries or adding content to existing entries. Previous versions of the schema documentation are available in the
CWE List Reports
Includes "General Reports" such as Stakeholder Field Priorities, Field Completeness Goals, Schema Documentation (current version), Chains and Composites, etc., and "Difference Reports" from the various CWE List versions.
CWE Glossary of Terms
Informal definitions for some of the most commonly used terms on this site.
CWE Mapping & Navigation Guidance
Provides information for mapping to CWE-IDs as well as tips for searching and navigating CWE content on the CWE Web site, including the following: "Mapping to CWE IDs - Criteria for the Best Match," "Using the Web Site to Map to a CWE-ID," and "Additional Suggestions for Search and Navigation."
The Evolution of the CWE Development and Research Views
This paper explains the evolution of the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts). It identifies the methodologies used for constructing the views, including the emphasis on providing clear names and descriptions.
A Comparison of the CWE Development and Research Views
This paper performs a comparison between the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts), and shows how CWE-699 has some similarities with Seven Pernicious Kingdoms (CWE-700), while CWE-1000 is a new approach to weakness classification. Comments and feedback are welcome and should be directed to email@example.com. September 9, 2008 - Steve Christey, CWE Technical Lead
CWE Mapping Analysis
This paper describes the results of a study that examined how well CWE can be mapped to third party weakness descriptions. The CWE mappings for three separate repositories were analyzed and broken into ten categories of "mapping fit." Several categories have implications for how CWE content should be managed in the future. Tool vendors and researchers in vulnerability classification will find this document useful. Comments and feedback are welcome and should be directed to firstname.lastname@example.org. September 9, 2008 - Mark Loveless, CWE Researcher
PDF (53 KB)
Structured CWE Descriptions
This paper contains structured, semi-formal descriptions of some of the most notorious CWE entries using the vulnerability theory terminology. The structured descriptions provide a consistent way to clearly define the core of each weakness and a means to help clarify classification problems. Comments and feedback are welcome and should be directed to email@example.com. July 10, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Conor Harris, CWE Researcher
PDF (163 KB)
Advances in Information Assurance Standards
This briefing was presented at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA. March 26, 2014 - CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the
U.S. General Services Administration Office of Mission Assurance Emile Monette, and Computer Scientist at the
http://csrc.nist.gov/ Dr. Paul Black.
PDF (6 MB)
CWE Introductory Brochure
A brief two-page introduction to the CWE effort. February 2013.
PDF (522 KB)
CWSS/CWRAF Introductory Brochure
A brief two-page introduction to the Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™) efforts. February 2013.
PDF (131 KB)
Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses Development, Volume II – (Version 2.3, November 1, 2012)
This pocket guide focuses on key practices for preventing and mitigating the most egregious exploitable software weaknesses. These key practices were documented in the “2011 CWE/SANS Top 25 Most Dangerous Programming Errors”. The Top 25 CWEs are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. Some of the practices specified in the pocket guide are derived from mitigation recommendations that were common across many of the CWEs in the CWE Top 25, and others came from approaches described on the CERT Secure Coding
Wiki. The practices are not represented as being complete or comprehensive; yet they do provide a focus for getting started in SwA efforts.
8.5" x 11" version
Introduction to Vulnerability Theory
This paper is an overview of the vulnerability theory terminology and concepts used to create the structured descriptions of some of the major CWE entries. The purpose of the vulnerability theory vocabulary and framework is to create a standard way of describing flaw concepts and to quickly educate new researchers. Comments and feedback are welcome and should be directed to firstname.lastname@example.org. October 29, 2009 - Steve Christey, CWE Technical Lead; Conor Harris, CWE Researcher
PDF (279 KB)
This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead
PDF (212 KB)
PDF (153 KB)
Making Security Measurable Podcast
A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007
MP3 (9.3 MB)
Software Security Assurance: State-of-the-Art Report (SOAR)
Published by the U.S. Department of Defense’s (DoD) Information Assurance Technology Analysis Center (IATAC) (now called the Cyber Security and Information Systems Information Analysis Center [CSIAC]), this report represents the collaborative efforts of the Department of Homeland Security (DHS)/DoD Software Assurance (SwA) Forum and Working Groups and provides an overview of the current state of the environment in which software must operate and surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance. The report, which presents observations about noteworthy trends in software security assurance as a discipline, also describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying software that can, with a justifiable degree of confidence, be said to be secure. — July 31, 2007
PDF (6 MB)
Vulnerability Type Distributions in CVE (2001-2006)
This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager
PDF (2 MB)
Being Explicit About Security Weaknesses, Black Hat DC 2007
This slide presentation and white paper were presented at Black Hat DC 2007. The two documents describe the CWE effort, list community members, explain how the drafts of the CWE dictionary are developed, describe the CWE Compatibility and CWE Effectiveness program, and suggest additional impact and transition opportunities tied to CWE. March 1, 2007 - Robert A. Martin, CWE Program Manager; Sean Barnum, Cigital, Inc.; Steve Christey, CWE Technical Lead
WORD (1.1 MB)
PDF (555 KB)
PPT (14.8 MB)
PDF (2.8 MB)
Being Explicit About Security Weaknesses
This article about CWE was published in Crosstalk,
The Journal of Defense Software Engineering. The article describes the CWE effort, lists community members, explains how the drafts of the CWE dictionary are developed, describes the CWE Compatibility and CWE Effectiveness program, and suggests additional impact and transition opportunities tied to CWE. March 2007 - Robert A. Martin, CWE Program Manager
PDF (417 KB)
A Status Update: The Common Weaknesses Enumeration
NIST Static Analysis Summit, Gaithersburg, MD Jun 29, 2006.
PDF (139 KB)
The Case for Common Flaw Enumeration
This technical white paper presented at the NIST Workshop on Software Security Assurance Tools, Techniques, and Methods in Long Beach, California, USA discusses the reasons and rational behind the CWE initiative.November 8, 2005 - Robert A. Martin and Steve Christey (MITRE), and Joe Jarzombek (DHS)
PDF (287 KB)
Requirements and Recommendations for CWE Compatibility and CWE Effectiveness
Provides the detailed requirements against which an information product or service may become CWE-Compatible. Version 1.0, June 12, 2011 - Robert A. Martin, CWE Project Leader and Steve Christey, CWE Technical Lead
CWE Coverage Claims Representation
Provides a description of the Coverage Claims Representation (CCR) feature of the CWE Compatibility Program, which is a means for software analysis vendors to convey to their customers exactly which CWE-identified weaknesses they claim to be able to locate in software. Also provided are CCR schemas and examples. Version 0.3, June 12, 2011 - Robert A. Martin, CWE Project Leader and Steve Christey, CWE Technical Lead