CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > About CWE > Documents  
ID

Documents

A number of documents exist to help clarify the historical significance, current use, and future directions of CWE. An archive of older documents is also included.

Using the CWE List

Schema Documentation

This document, which is posted on the CWE List page, contains descriptions of the various elements in the official CWE Schema. It provides a basic understanding of the CWE data structure and can be used as a useful guide for developing new CWE entries or adding content to existing entries. Previous versions of the schema documentation are available in the Release Downloads.

HTML

CWE List Reports

Includes "General Reports" such as Stakeholder Field Priorities, Field Completeness Goals, Schema Documentation (current version), Chains and Composites, etc., and "Difference Reports" from the various CWE List versions.

HTML

CVE → CWE Mapping & Navigation Guidance

Provides information for mapping CVEs to CWE-IDs as well as tips for searching and navigating CWE content on the CWE Web site, including the following: "Mapping to CWE IDs - Criteria for the Best Match," "Using the Web Site to Map to a CWE-ID," and "Additional Suggestions for Search and Navigation."

HTML

The Evolution of the CWE Development and Research Views

This paper explains the evolution of the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts). It identifies the methodologies used for constructing the views, including the emphasis on providing clear names and descriptions.

HTML

A Comparison of the CWE Development and Research Views

This paper performs a comparison between the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts), and shows how CWE-699 has some similarities with Seven Pernicious Kingdoms (CWE-700), while CWE-1000 is a new approach to weakness classification. Comments and feedback are welcome and should be directed to cwe@mitre.org. September 9, 2008 - Steve Christey, CWE Technical Lead

HTML

CWE Mapping Analysis

This paper describes the results of a study that examined how well CWE can be mapped to third party weakness descriptions. The CWE mappings for three separate repositories were analyzed and broken into ten categories of "mapping fit." Several categories have implications for how CWE content should be managed in the future. Tool vendors and researchers in vulnerability classification will find this document useful. Comments and feedback are welcome and should be directed to cwe@mitre.org. September 9, 2008 - Mark Loveless, CWE Researcher

HTML

PDF (53 KB)

Structured CWE Descriptions

This paper contains structured, semi-formal descriptions of some of the most notorious CWE entries using the vulnerability theory terminology. The structured descriptions provide a consistent way to clearly define the core of each weakness and a means to help clarify classification problems. Comments and feedback are welcome and should be directed to cwe@mitre.org. July 10, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Conor Harris, CWE Researcher

HTML

PDF (163 KB)

Archive

Use & Citations

This archived web page page lists community usage of CWE by Industry, Government, Academia, Policy/Guidance, Reference, and Standards. A running count of the number of citations by category is also included.

HTML

CWE Research

This archived page includes links to sections of the website and documents for researching early version of the CWE List.

HTML

Sources

A list of external sources used to help build early versions of the CWE List.

HTML

Advances in Information Assurance Standards

This briefing was presented at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA. March 26, 2014 - CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance Emile Monette, and Computer Scientist at the http://csrc.nist.gov/ Dr. Paul Black.

PDF (6 MB)

CWE Introductory Brochure

A brief two-page introduction to the CWE effort. February 2013.

PDF (522 KB)

CWSS/CWRAF Introductory Brochure

A brief two-page introduction to the Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™) efforts. February 2013.

PDF (131 KB)

Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses Development, Volume II – (Version 2.3, November 1, 2012)

This pocket guide focuses on key practices for preventing and mitigating the most egregious exploitable software weaknesses. These key practices were documented in the “2011 CWE/SANS Top 25 Most Dangerous Programming Errors”. The Top 25 CWEs are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. Some of the practices specified in the pocket guide are derived from mitigation recommendations that were common across many of the CWEs in the CWE Top 25, and others came from approaches described on the CERT Secure Coding Wiki. The practices are not represented as being complete or comprehensive; yet they do provide a focus for getting started in SwA efforts.

8.5" x 11" version PDF File

Introduction to Vulnerability Theory

This paper is an overview of the vulnerability theory terminology and concepts used to create the structured descriptions of some of the major CWE entries. The purpose of the vulnerability theory vocabulary and framework is to create a standard way of describing flaw concepts and to quickly educate new researchers. Comments and feedback are welcome and should be directed to cwe@mitre.org. October 29, 2009 - Steve Christey, CWE Technical Lead; Conor Harris, CWE Researcher

HTML

PDF (279 KB)

Unforgivable Vulnerabilities

This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead

PDF (212 KB)

PDF (153 KB)

Making Security Measurable Podcast

A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007

MP3 (9.3 MB)

Software Security Assurance: State-of-the-Art Report (SOAR)

Published by the U.S. Department of Defense’s (DoD) Information Assurance Technology Analysis Center (IATAC) (now called the Cyber Security and Information Systems Information Analysis Center [CSIAC]), this report represents the collaborative efforts of the Department of Homeland Security (DHS)/DoD Software Assurance (SwA) Forum and Working Groups and provides an overview of the current state of the environment in which software must operate and surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance. The report, which presents observations about noteworthy trends in software security assurance as a discipline, also describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying software that can, with a justifiable degree of confidence, be said to be secure. — July 31, 2007

PDF (6 MB)

Vulnerability Type Distributions in CVE (2001-2006)

This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager

HTML

PDF (2 MB)

Being Explicit About Security Weaknesses, Black Hat DC 2007

This slide presentation and white paper were presented at Black Hat DC 2007. The two documents describe the CWE effort, list community members, explain how the drafts of the CWE dictionary are developed, describe the CWE Compatibility and CWE Effectiveness program, and suggest additional impact and transition opportunities tied to CWE. March 1, 2007 - Robert A. Martin, CWE Program Manager; Sean Barnum, Cigital, Inc.; Steve Christey, CWE Technical Lead

White Paper:
WORD (1.1 MB)
PDF (555 KB)

Slide Presentation:
PPT (14.8 MB)
PDF (2.8 MB)

Being Explicit About Security Weaknesses

This article about CWE was published in Crosstalk, The Journal of Defense Software Engineering. The article describes the CWE effort, lists community members, explains how the drafts of the CWE dictionary are developed, describes the CWE Compatibility and CWE Effectiveness program, and suggests additional impact and transition opportunities tied to CWE. March 2007 - Robert A. Martin, CWE Program Manager

HTML

PDF (417 KB)

A Status Update: The Common Weaknesses Enumeration

NIST Static Analysis Summit, Gaithersburg, MD Jun 29, 2006.

PDF (139 KB)

The Case for Common Flaw Enumeration

This technical white paper presented at the NIST Workshop on Software Security Assurance Tools, Techniques, and Methods in Long Beach, California, USA discusses the reasons and rational behind the CWE initiative.November 8, 2005 - Robert A. Martin and Steve Christey (MITRE), and Joe Jarzombek (DHS)

PDF (287 KB)

CWE Compatability

Requirements and Recommendations for CWE Compatibility and CWE Effectiveness

Provides the detailed requirements against which an information product or service may become CWE-Compatible. Version 1.0, June 12, 2011 - Robert A. Martin, CWE Project Leader and Steve Christey, CWE Technical Lead

HTML

CWE Coverage Claims Representation

Provides a description of the Coverage Claims Representation (CCR) feature of the CWE Compatibility Program, which is a means for software analysis vendors to convey to their customers exactly which CWE-identified weaknesses they claim to be able to locate in software. Also provided are CCR schemas and examples. Version 0.3, June 12, 2011 - Robert A. Martin, CWE Project Leader and Steve Christey, CWE Technical Lead

HTML

Page Last Updated: September 27, 2022