CWE Compatibility and Effectiveness Program

Introduction

The CWE Compatibility and Effectiveness Program is a formal review and evaluation process for organizations wishing to declare their information security products and services as CWE-Compatible and CWE-Effective and have them formally evaluated.

Compatible and Effective products and services, as well as those working towards compatibility and effectiveness, will be posted on the "CWE-Compatible and Effective Products and Services" page on the CWE Web site and included on handouts at information security and related tradeshows and events at which MITRE exhibits CWE (see the CWE Calendar).

The formal CWE Compatibility and Effectiveness Program includes three phases: Declaration, Evaluation, and Effectiveness.

Phase 1 – Declaration Phase

The Declaration Phase requires the completion of a short informational "CWE Compatibility Declaration Form" used to register an organization's declaration of intent with respect to CWE compatibility and effectiveness. In this phase you are asked to review the compatibility and effectiveness requirements and then make a statement regarding whether your organization believes that its product or service currently fulfills the compatibility requirements, or whether your organization is working towards fulfilling the requirements. This phase of the CWE compatibility and effectiveness process does not result in an official evaluation or assessment by MITRE; rather, MITRE only reviews the declaration. As long as the products or services are commercially or publicly available, the declaration and an endorsement quote from you (if desired) are posted on the CWE Web site.

Phase 2 – Evaluation Phase

The Evaluation Phase requires completion of Phase 1 with "yes" as the answer for support of CWE output, CWE searchable, and CWE documentation. You must also complete an extended "CWE Compatibility Requirements Evaluation Form" that is a more extensive CWE-compatible formal review and includes several evaluation activities. You will also receive the "Compatible Product/Service Organization Welcome Kit" with items for your Web site.

This formal evaluation process includes a "branding program" and logo to indicate successful completion of the compatibility portion of the compatibility and effectiveness evaluation. A major component of this phase requires specific details about how your organization has satisfied each of the mandatory requirements in the Requirements and Recommendations for CWE Compatibility and CWE Effectiveness document. The Phase 2 "CWE Compatibility Requirements Evaluation Form" also requires the signature of an authorized representative of your organization. Additionally, you must provide the CWE Team at MITRE with copies of the CWE-related user documentation for your product or service and information from your capability that shows how it maps CWE identifiers to your capabilities analysis results or outcomes.

Your organization's statements and documents will be evaluated and the CWE Team at MITRE will arrange to verify the accuracy of the mapping between CWE identifiers and the weakness entries in your organization's underlying data repository. Upon completion of the evaluation of your organization's detailed statement describing how your product or service fulfills the requirements for CWE compatibility, that statement will be posted on the CWE Web site for public review. Upon the successful completion of the mapping accuracy review we will post MITRE's concurrence with your organization's statement by awarding you official CWE Compatibility status. MITRE will then provide you with the special CWE-Compatible logo and formally give you permission to use the CWE-compatible logo and term "CWE-Compatible" on your Web site, literature, product packaging, in communications with the press, etc.

Phase 3 – Effectiveness Phase

The CWE Effectiveness Phase includes a branding program and is of high interest to many federal agencies as well as large enterprises. While some aspects of the test case generation to support the CWE Effectiveness Phase are still being developed, many aspects of CWE Effectiveness have been determined.

The CWE Effectiveness Phase has three major aims:

  • to give your prospective customers an understanding of which specific CWE identifiers your capability reviews artifacts for;
  • to provide a public collection of test results that will allow a prospective customer to understand which CWE identifiers your capability is effective in locating; and
  • to articulate what types of complexity in software your capability is most successful at dealing with when looking for CWE-identifier-labeled weaknesses.

The posting of the test results on the CWE Web site will conclude the CWE Effectiveness Phase and an appropriate CWE-Effective logo and brand will be made available for your use. As more information about CWE Effectiveness test cases is developed, we will make sure to keep everyone informed through email messages and on the CWE News & Events page. Please contact us at cwe@mitre.org with any comments or concerns.

Contact and Submission Instructions

To begin the registration process, review the official CWE Compatibility and Effectiveness Program detailed above then send an email to cwe@mitre.org requesting the Declaration Form along with your company name and contact information, the type of product, and the name of the product or service.

You will receive specific instructions for completing and submitting additional information as the process continues.


Page Last Updated: May 23, 2017