News & Events
Right-click and copy a URL to share an article. Send feedback about this page to firstname.lastname@example.org.
CWE List Expanding to Include Hardware Weaknesses
October 10, 2019 | Share this article
In an effort to expand the scope of the CWE List from solely software weaknesses, we are excited to announce that the team has begun to explore integrating hardware weaknesses into the CWE corpus. This is something that we’ve been considering for a number of years, and with our goal to further grow CWE as a valuable resource for the security community, the time seems right to revisit and make it happen.
Hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) are becoming increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so that hardware designers can begin to understand and take action against these types of flaws.
We hope to work with the community actively on this and are looking for opportunities to engage experts in this field to help us understand the types of hardware weaknesses that are common today.
Please let us know if you would like to get involved by contacting us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to email@example.com. We look forward to hearing from you!
2019 “CWE Top 25” Receives Extensive News Media Coverage
October 4, 2019 | Share this article
The recently released “2019 CWE Top 25 Most Dangerous Software Errors” list received extensive global media coverage, and feedback from the community. We thank the community for all your feedback regarding the new CWE Top 25.
News media articles that include interviews and quotes from the CWE Team:
MITRE Releases 2019 List of Top 25 Software Weaknesses, Dark Reading:
MITRE Names 2019’s Most Dangerous Software Errors, Infosecurity Magazine:
A partial list of other articles from around the world about the 2019 CWE Top 25:
Memory Errors Top MITRE’s ‘Most Dangerous’ List, Security Boulevard
These software vulnerabilities top MITRE’s most dangerous list, The Breaking News
MITRE’s 2019 CWE Top 25 most dangerous software errors list released, Security Boulevard
No surprises in the top 25 most dangerous software errors, Naked Security
MITRE’s Top 25 Most Dangerous Software Errors, Information Security Buzz
2019 CWE Top 25 Most Dangerous Software Errors, Mag-Securs
Топ 25 самых опасных уязвимостей 2019 года, Securitylab.ru
CWE Version 3.4.1 Update Release Now Available
September 23, 2019 | Share this article
CWE Version 3.4.1 has been posted on the CWE List page to address an oversight in the initial release that was identified by the community. We thank the community for all of your feedback regarding the new CWE Top 25.
This minor update release adds a parent Class to the CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, so that CWE-667 Improper Locking is now a child of CWE-662 Improper Synchronization. A detailed report is available that lists specific changes between Version 3.4 and Version 3.4.1.
CWE Version 3.4 Now Available
September 19, 2019 | Share this article
A detailed report is available that lists specific changes between Version 3.3 and Version 3.4.
CWE 3.4 includes 1 new view, CWE 1200: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors, to support the release of the 2019 CWE Top 25. In all, there were 50 major changes to relationships. There were no schema changes.
Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.3_v3.4.html.
2019 "CWE Top 25" Now Available!
September 17, 2019 | Share this article
The official version of the "2019 CWE Top 25 Most Dangerous Software Errors," a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website.
The weaknesses listed in the CWE Top 25 are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.
Leveraging Real-World Data
To create the 2019 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list on a regular basis with minimal effort.
The 2019 CWE Top 25 leverages NVD data from the years 2017 and 2018, which consisted of approximately twenty-five thousand CVEs. The CWE Team developed a scoring formula to calculate a rank order of weaknesses. The scoring formula combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.
For detailed information about this new approach, including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.
Future Releases and Feedback Welcome
Moving forward, our goal is to update the CWE Top 25 annually using the new methodology described on the CWE Top 25 page.
"2019 CWE Top 25" Draft Now Available
September 12, 2019 | Share this article
A draft version of the "2019 CWE Top 25 Most Dangerous Software Errors" is now available in our announcement message. These rankings may change before the final release, as we re-evaluate certain Common Vulnerabilities and Exposures (CVE®) <-> CWE mappings.
For an overview of the new methodology used to calculate this new release of the CWE Top 25, see "2019 Update of the "CWE Top 25" Now Underway." In short, we are pulling CWE-related data directly from the U.S. National Vulnerability Database (NVD) and using both frequency and an average Common Vulnerability Scoring System (CVSS) score to determine a rank order. The main advantage of this approach is that the CWE Top 25 will be an objective look at what we are actually seeing in the real-world.
Refined Mappings for the 2019 Release
For the 2019 CWE Top 25, vulnerabilities for the calendar years 2017 and 2018 are used. The CWE Team has worked very hard over the last few months to correct several thousand mis-mapped CVE Entries, and we have worked with the National Institute of Standards and Technology (NIST) to help improve the mapping of newly reported vulnerabilities with the updated CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view.
We will continue our efforts to evaluate these mappings over the coming year to improve things further in advance of a 2020 CWE Top 25. For this upcoming 2019 release, we will provide some explanations for a few inconsistencies such as why CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer is in the list, along with some of its children. In short, this is a cue that we need to improve the mappings that are currently being done, when enough detail is available. The same is true for CWE-20: Improper Input Validation and CWE-200: Information Exposure, both of which are very broad and more specific CWEs are desired.
We look forward to addressing any questions, as well as hearing any thoughts and comments you might have. Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to firstname.lastname@example.org.
2019 Update of the "CWE Top 25" Now Underway
August 7, 2019 | Share this article
The CWE Team is currently working towards the generation and publication of a new 2019 release of the "CWE Top 25 Most Dangerous Software Errors."
After this initial announcement, our next step will be to release a draft in the coming weeks for community review and comment. Once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community.
A New Approach for the Top 25
In previous releases, the Top 25 list was constructed through aggregating survey responses from a wide selection of organizations, and by engaging developers, security analysts, researchers, and vendors. Respondents were asked to nominate weaknesses that they considered to be the most prevalent or important, and then a customized part of the Common Weakness Scoring System (CWSS™) was used to determine a ranking. There were a number of positives in this approach, but it was also labor-intensive and subjective.
For the upcoming Top 25, we are using a more rigorous and statistical process leveraging information about actual reported vulnerabilities to determine the prevalence and dangerousness of the given weakness. The CWE Team will use weakness data pulled directly from the U.S. National Vulnerability Database (NVD) to calculate metrics for CWEs. While this method introduces a bias through analyzing only reported vulnerabilities and could potentially exclude some software and a breadth of other data, the CWE Team believes it will result in a more repeatable and accurate Top 25 list.
Scoring for the New Top 25
There are two components in our scoring process that will be combined to determine the total score for a CWE. The first component is the frequency that a CWE is the root cause of a vulnerability. The second component is a weakness' average Common Vulnerability Scoring System (CVSS) score, which is meant to determine the overall severity of a weakness. We determine the average CVSS score for a CWE by calculating the sum of all of the CVSS scores for Common Vulnerabilities and Exposures (CVE®) Entries that map to a given CWE, and then dividing this sum by the total number of CVE Entries with that CWE. These two components are normalized before being multiplied together.
This process is represented below:
W = All CWEs
The CWE Team is still reviewing this formula, and it may change before the new Top 25 List is published.
Mapping to CVE Entries
One of the challenges that we are faced with is addressing the many CVE Entries currently mapped to CWE Categories. Categories are not technically weaknesses and therefore any existing mapping to them is considered incorrect. As such, we have coordinated with NVD and are in the process of finalizing a "mapping analysis" on these CVE Entries to map them to more accurate CWEs at lower levels of abstraction.
Relatedly, on June 20, 2019 we published our most recent minor version release, CWE Version 3.3, in which we include a new CWE View: "CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities." Going forward, newly reported vulnerabilities will be mapped to the entries in View 1003 where possible. If over time vulnerability data indicates that certain weaknesses not currently part of View 1003 are occurring more frequently in the wild, View 1003 will evolve as needed to accommodate these new trends.
CWE Top 25 Draft Coming Soon
This is a large undertaking, but we hope that it will result in a repeatable and more accurate Top 25 list, as well as drive discussions about better ways to approach CVE<->CWE mapping in the future.
As stated above, our next step will be to release a draft in the coming weeks for community review and comment and once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community.
CWE Launches "@cwecapec" Twitter Feed
August 7, 2019 | Share this article
Please follow our new Twitter account at https://twitter.com/cwecapec to get the latest CWE news and announcements.
CWE Version 3.3 Now Available
June 20, 2019 | Share this article
CWE 3.3 has 1 new view, 1 updated view with 2 new entries, and 2 deprecated entries. In all, 238 entries had major changes to relationship, references, names, fields, and descriptions.
The main changes include: (1) adding 1 new view, CWE-1178: Weaknesses Addressed by the SEI CERT Perl Coding Standard, which identifies weaknesses in Perl that may be fully or partially prevented by following the SEI CERT Perl Coding Standard; (2) adding 8 new categories related to CWE-1178; (2) updating the CWE-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, which may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the U.S. National Vulnerability Database (NVD); and adding 2 new weaknesses related to CWE-1003, CWE-1187: Use of Uninitialized Resource, which occurs when a resource has not been properly initialized and the software may behave unexpectedly, and CWE-1188: Insecure Default Initialization of Resource, which occurs when the software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
There were no schema changes.
Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.2_v3.3.html.
CWE Is Main Topic of Article on Military Embedded Systems
June 20, 2019 | Share this article
CWE is the main topic of a March 2019 article entitled "Common Weakness Enumeration (CWE) defines cybersecurity vulnerability landscape for mission-critical applications" on Military Embedded Systems. In the article, the author describes the purpose and possible uses of CWE and CWE-Compatible products, its connection to Common Vulnerabilities and Exposures (CVE®), and discusses examples from the CWE List.
The author states: "The Common Weakness Enumeration (CWE, at http://cwe.mitre.org) has emerged as a de facto reference resource to every security-conscious developer of mission-critical embedded systems." "[CWE] has made an important contribution to the overall process of developing more secure and robust software-intensive systems. It provides a common vocabulary that helps internal communications within software development organizations, as well as allowing users to understand and compare the capabilities of tools designed for scanning and analyzing the source code for mission-critical software. Designers will find that including CWE-compatible features into static-analysis and formal method toolsets enables users to readily understand the kinds of security and robustness issues that can be eliminated."
CWE Version 3.2 Now Available
January 03, 2019 | Share this article
CWE 3.2 has 137 new entries and 1 deprecated entry. In all, 534 entries had important changes, primarily due to relationship changes, references, names, and descriptions.
The main changes include: (1) adding 89 new entries related to quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate (see the CWE-1040: Quality Weaknesses with Indirect Security Impacts view); (2) adding 1 new weakness, CWE-1173: Improper Use of Validation Framework, detailing the improper use of an available input validation framework; (3) adding 1 new view, CWE-1128: CISQ Quality Measures (2016), to map to the Consortium for IT Software Quality (CISQ) Automated Quality Characteristic Measures released in 2016; and (4) updating the views and categories associated with the Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) Coding Standards.
Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.1_v3.2.html.
5 Products from 3 Organizations Now Registered as Officially "CWE-Compatible"
June 14, 2018 | Share this article
Five additional cyber security products from three organizations have achieved the final stage of the formal CWE Compatibility Program and are now officially "CWE-Compatible." The products are now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CWE-Compatible Products and Services page on the CWE website. A total of 53 products to-date have been recognized as officially compatible.
The following 5 products are now registered as officially "CWE-Compatible":
Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.
CWE Version 3.1 Now Available
March 29, 2018 | Share this article
CWE 3.1 has 17 new entries and 4 deprecated entries. In all, 145 entries had important changes, primarily due to relationship changes, references, names, and descriptions.
The main changes include: (1) adding a new view for the 2017 OWASP Top Ten; (2) adding new entries related to processor optimization and Meltdown/Spectre (CWE-1037: Processor Optimization Removal or Modification of Security-critical Code, CWE-1038: Insecure Automated Optimizations), adversarial inputs in machine learning (CWE-1039: Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations); and comparison (CWE-1023: Incomplete Comparison with Missing Factors, CWE-1024: Comparison of Incompatible Types, CWE-1025: Comparison Using Wrong Factors); (3) including various modifications as suggested by community members; and (4) better consistency in frequently-used references.
Changes for the new version include the following:
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.0_v3.1.html.
How “Meltdown” and “Spectre” Can Be Defined by CWE and CAPEC
January 31, 2018 | Share this article
There has been a lot of press (rightly so) regarding the “Meltdown”- and “Spectre”-style attacks. The CWE and CAPEC teams have been reviewing the available information and trying to determine if new weaknesses or attack patterns should be added. Below are our current thoughts. We welcome additional discussion.
Common Weakness Enumeration (CWE™)
Both Meltdown and Spectre are technically attacks. They take advantage of a processor executing instructions out of order, in a way that causes some instructions to be executed even though the logic of the original code would not execute these instructions. This condition leads to a case where data in memory is cached before a permission check is performed. The end result is the ability to perform side-channel style attacks against the cache to learn the exact value of data.
The root cause of both of these attacks is the out of order execution. The processor uses this feature to increase the speed at which a program can be executed. This is very similar to compiler optimizations where a compiler makes changes to the source code to improve performance. In both instances, the computer is no longer executing exactly what the developer told it to execute, but rather is executing a variation that the processor/compiler thinks is “better.”
Unfortunately, these optimizations can sometimes lead to an exploitable weakness. There already exists a base-level CWE for the compiler version of this:
A new base-level CWE should be added to cover the case where the processor changes the order of security-critical code.
In addition, a new class-level CWE should also be considered around the topic of “Insecure Optimizations.” This class-level CWE would be a member of the Behavioral Problems category in the Development Concepts view, and a child of Interaction Error in the Researcher view. Both the existing compiler optimization (CWE-733) weakness and the new processor execution order weakness would be children of this new class.
Finally, there should be a CanFollow relationship between the existing class CWE-696: Incorrect Behavior Order and this new class “Insecure Optimizations”. We see this relationship in Meltdown/Spectre with the optimizations resulting in a change in the order of execution.
One last note, many discussions of Meltdown and Spectre focus on the side channel attack that arises from timing discrepancies. In this case, the timing discrepancy is not a weakness as it is legitimate behavior (since caching improves efficiency) and is not introduced by choices made by the application developer. Therefore, this is not a focus from the CWE classification perspective; the ability to see this (legitimate) timing discrepancy arises from the insecure optimization.
Common Attack Pattern Enumeration and Classification (CAPEC™)
Shifting to the attack pattern side of things, both the compiler and processor weaknesses are not currently well represented in CAPEC.
The compiler weakness (CWE-733) is not directly attacked, but rather results in a different weakness (e.g., buffer overflow) being present in the software, and that weakness is the one that is used in an attack. CWE thinks of this as a chain. The processor weakness can be thought of in the same way. Even though an adversary can manipulate when/how a processor decides to execute out of order, it is the resulting exposure of data that contributes to the vulnerability. See CWE-668: Exposure of Resource to Wrong Sphere.
For both the Meltdown and Spectre attacks, CAPEC already has a relevant standard-level attack pattern that can be leveraged:
This attack pattern has a detailed-level child that covers the DNS version of cache poisoning. Meltdown and Spectre expose a different type of cache poisoning where the adversary doesn't insert malicious data into the cache, but rather cause the cache to contain data that shouldn’t be allowed. CAPEC-141 needs to be cleaned up a bit, but the overall idea behind it is valid. A new detailed-level pattern should be added to cover the Flush+Reload attack pattern (and potentially others) that are leveraged by the Meltdown and Spectre attacks.
What do you think?
We look forward to hearing from you!
More information is available — Please select a different filter.