CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > News  

News & Events

July 31, 2014

CWE Version 2.8 Now Available

CWE Version 2.8 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.7 and Version 2.8.

There are 58 new entries, mostly categories to support the view for DoD Software Fault Patterns (CWE-888) using information provided by KDM Analytics. In all, 638 entries were modified, primarily using data from the Software Fault Patterns (SFP) work as well as the "State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation" paper written by the Institute for Defense Analyses (IDA). The main changes include: (1) name changes for 21 entries, (2) additional detection methods for 54 entries based on SOAR data, (3) relationship changes for 607 entries related to SFP clusters, (4) additional taxonomy mappings for 306 entries that reference specific SFPs, and (5) changes to demonstrative examples in 36 entries.

There was a minor change to the schema.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

CWSS Version 1.0 Now Available

Common Weakness Scoring System (CWSS™) Version 1.0 has been posted in the CWSS section of the CWE Web site. CWSS allows organizations to score the severity of software coding errors—that is, CWEs—found in their software applications in order in mitigate weaknesses in applications they are currently using and to influence future purchases. When used in conjunction with the Common Weakness Risk Analysis Framework (CWRAF™), organizations are able to apply CWSS to those CWEs that are most relevant to their own specific businesses, missions, and deployed technologies.

Updates for CWSS Version 1.0 include the following:

  • Removed "Authentication Instances (AI)." The CVSSv3 team found that in this factor, the Multiple value was "rarely, if ever, used" within several real-world implementations of CVSSv2, and the CVSS SIG will remove this factor in CVSSv3. In addition, within CVSSv2, there was sometimes user confusion between this factor and the Access Vector's "Local" value that could cause inconsistent values to be chosen.

  • Removed "Remediation Effort (RE)." This factor does not directly contribute to the inherent risk or severity of a weakness, so it is outside the scope of CWSS scoring. Remediation effort could be better handled using separate processes within the context of a remediation plan. For example, bug databases and external maintenance/release processes might be more appropriate for recording this information.

  • Changed scoring formula to handle removal of AuthenticationInstances and RemediationEffort. Within the Attack Surface Subscore, the multiplier for LevelOfInteraction was adjusted from 10 to 15. Within the Environmental Subscore, the multiplier for LikelihoodOfExploit was increased from 3 to 4, which reflects current trends in vulnerability management that place greater emphasis on likelihood of exploit than raw CVSS scores.

  • Clarified distinction between CWSS and Common Vulnerability Scoring System (CVSS).

Read the complete release notes. Please send any comments or concerns to cwss@mitre.org.

1 Product from David A. Wheeler Now Registered as Officially "CWE-Compatible"

CWE Compatible

One additional information security product has achieved the final stage of MITRE’s formal CWE Compatibility Program and is now officially "CWE-Compatible." The product is now eligible to use the CWE-Compatible Product/Service logo, and a completed and reviewed "CWE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CWE-Compatible Products and Services page on the CWE Web site. A total of 28 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CWE-Compatible":

Use of the official CWE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting SwA products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CWE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CWE Compatibility Program and CWE-Compatible Products and Services.

June 23, 2014

CWE Version 2.7 Now Available

CWE Version 2.7 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.6 and Version 2.7.

There are 2 new entries. In all, 135 entries were modified. The main changes include: (1) description changes for 42 entries, mostly for extended details; (2) relationship changes for 35 entries, primarily reflecting the OWASP Top Ten 2013 view; (3) potential mitigation updates in 20 entries; (4) modification of Other_Notes elements in 76 entries, mostly to move to move relevant fields; and (5) updates to Common Attack Pattern Enumeration and Classification (CAPEC™) attack patterns for 8 entries; and (6) updates to at least 10 entries each for demonstrative examples, observed examples, common consequences, applicable platforms, relationship notes, modes of introduction, and modes of introduction.

There were no schema changes.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

MITRE Hosts Software and Supply Chain Assurance Working Group Meeting

MITRE hosted the Software and Supply Chain Assurance (SSCA) Working Group Meeting June 9, 10, 11, 17, 2014 at MITRE Corporation in McLean, Virginia, USA. The event focused on mitigating hardware and software risks in the supply chain.

Visit the CWE Calendar for information on this and other events.

June 3, 2014

MITRE to Host Software and Supply Chain Assurance Working Group Meeting, June 9, 10, 11, 17

MITRE will host the Software and Supply Chain Assurance (SSCA) Working Group Meeting June 9, 10, 11, 17, 2014 at MITRE Corporation in McLean, Virginia, USA. The event focuses on mitigating hardware and software risks in the supply chain.

See the event agenda for additional information.

Visit the CWE Calendar for information on this and other events.

May 15, 2014

CWCWE, CAPEC, and CVE Are Main Topics of Article about the "Heartbleed" Bug on MITRE's Cybersecurity Blog

CWE, CAPEC, and CVE and are the main topics of an article "Security Standards Help Stop Heartbleed" by CAPEC Technical Lead Drew Buttner on MITRE's Cybersecurity blog on May 7, 2014. "Heartbleed," or CVE-2014-0160, is a serious vulnerability in "certain versions of OpenSSL where it enables remote attackers to obtain sensitive information, such as passwords and encryption keys. Many popular websites have been affected or are at risk, which in turn, puts countless users and consumers at risk."

The article defines the Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Common Attack Pattern Enumeration and Classification (CAPEC™) e efforts and explains the problem each solves.

In sections entitled "CVE and Heartbleed," "CWE and Heartbleed,"and "CAPEC and Heartbleed," the article describes how CVE helped when the issue became public by assigning CVE-2014-0160 to what also was referred to as the Heartbleed bug, and how CWE and CAPEC can help prevent future Heartbleeds.

The author then concludes the article as follows: "Security automation efforts such as CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities such as Heartbleed in the future. But it is incumbent upon developers and other security professionals to actively leverage resources such as these to be better prepared for the next Heartbleed."

Read the complete article at http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/security-standards-help-stop-heartbleed.

May 6, 2014

CWCWE and CVE Cited in White Paper about the Heartbleed Vulnerability

CWE and Common Vulnerabilities and Exposures (CVE®) a are included as references in an April 29, 2014 white paper entitled "Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?: by James A. Kupsch and Barton P. Miller of the Software Assurance Marketplace (SWAMP) at the University of Wisconsin in Madison, Wisconsin, USA. The following were cited as references in the white paper, which also included the urls: CVE-2014-0160, CWE-130: Improper Handling of Length Parameter Inconsistency, and CWE-125: Out-of-Bounds Read.

CWE Mentioned in Preface of March/April 2014 Issue of Crosstalk: The Journal of Defense Software Engineering

CWE is mentioned in the preface to the March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components."

The preface was written by Roberta Stempfley, Acting Assistant Secretary at the U.S. Department of Homeland Security's Office of Cybersecurity and Communications, and CVE is mentioned as follows: "How can we collaboratively orchestrate industry and government response to these attacks [on information and communications technology (ICT) assets]? One way is through the Common Vulnerabilities and Exposures (CVE) List, which is an extensive listing of publicly known vulnerabilities found after ICT components have been deployed. Sponsored by the Department of Homeland Security (DHS), the ubiquitous adoption of CVE has enabled the public and private sectors to communicate domestically and internationally in a consistent manner the vulnerabilities in commercial and open source software. CVE has enabled our operations groups to prioritize, patch, and remediate nearly 60,000 openly reported vulnerabilities. Unfortunately, vulnerabilities are proliferating rapidly thus stretching our capabilities and resources. As we seek to discover and mitigate the root causes of these vulnerabilities, sharing the knowledge we have of them helps to mitigate their impact. In order to keep pace with the threat, we must facilitate the automated exchange of information. To achieve that, DHS sponsors "free for use" standards, such as: Common Weakness Enumeration (CWE), which provides for the discussion and mitigation of architectural, design, and coding flaws introduced during development and prior to use; Common Attack Pattern Enumeration and Classification (CAPEC), which enables developers and defenders to discern the attacks and build software resistant to them; Malware Attribute Enumeration and Characterization (MAEC), which encodes and communicates high-fidelity information about malware based upon behaviors, artifacts, and attack patterns; Structured Threat Information eXpression (STIX), which conveys the full range of potential cyber threat information using the Trusted Automated eXchange of Indicator Information."

The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.

CWE and CVE Mentioned in Article about Mitigating Risks of Counterfeit and Tainted Components in March/April 2014 Issue of Crosstalk

CWE and Common Vulnerabilities and Exposures (CVE®) are included in an article written by CWE/CAPEC Program Manager Robert A. Martin entitled "Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent" in March/April 2014 issue of Crosstalk: The Journal of Defense Software Engineering, the main topic of which is "Mitigating Risks of Counterfeit and Tainted Components.:"

CWE and CVE are mentioned in a section entitled "Making Change through Business Value," as follows: "For an example of a behavior change in an industry motivated by a new perceived business value, consider that many of the vendors currently doing public disclosures are doing so because they wanted to include CVE [14] Identifiers in their advisories to their customers. However, they could not have CVE Identifiers assigned to a vulnerability issue until there was publicly available information on the issue for CVE to correlate. The vendors were motivated to include CVE Identifiers due to requests from their large enterprise customers who wanted that information so they could track their vulnerability patch/remediation efforts using commercially available tools. CVE Identifiers were the way they planned to integrate those tools. Basically the community created an ecosystem of value propositions that influenced the software product vendors (as well as the vulnerability management vendors) to do things that helped the community, as a whole, work more efficiently and effectively. Similarly, large enterprises are leveraging CWE Identifiers to coordinate and correlate their internal software quality/security reviews and other assurance efforts. From that starting point, they have been asking the Pen Testing Services and Tools community to include CWE identifiers in their findings. While CWE Identifiers in findings was something that others had cited as good practice, it was not until the business value to Pen Testing industry players made sense that they started adopting them and pushing the state-of-the-art to better utilize them."

CWE is also mentioned in a section entitled "Assurance for the Most Dangerous Non-Malicious Issues" that explains what CWE is and how the information "can assist project staff in planning their assurance activities; it will better enable them to combine the groupings of weaknesses that lead to specific technical impacts with the listing of specific detection methods. This provides information about the presence of specific weaknesses, enabling them to make sure the dangerous ones are addressed."

The entire issue is available for free in a variety of formats at http://www.crosstalkonline.org/.

Software Assurance Roadmap Briefing at IEEE Chapter Meeting

CWE/CAPEC Program Manager Robert A. Martin presented a briefing that discussed Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) entitled "Building a Software Assurance Road-map and Using It Effectively," at to the IEEE Computer Society Northern VA Computer Chapter & ASQ 509 Software SIG Meeting in McLean, Virginia, USA on April 22, 2014.

The topic included material from the recent March/April 2014 Crosstalk article focusing on "Non-Malicious Taint: Bad Hygiene is as Dangerous to the Mission as Malicious Intent," the newest updates to the Software Assurance On-Ramp collection on the CWE Web site, and the current ideas for incorporating more non-software weakness into CWE to reflect the same mixture of critical capabilities already addressed by CAPEC.

Visit the CWE Calendar for information on this and other events.

April 10, 2014

Software Assurance Roadmap Briefing at IEEE Chapter Meeting on April 22

CWE/CAPEC Program Manager Robert A. Martin will present a briefing that discusses Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™) entitled "Building a Software Assurance Road-map and Using It Effectively," at the IEEE Computer Society Northern VA Computer Chapter & ASQ 509 Software SIG Meeting in McLean, Virginia, USA on April 22, 2014.

Visit the CWE Calendar for information on this and other events.

"Advances in Information Assurance Standards" Briefing at CISQ Seminar–Software Quality in Federal Acquisitions

CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance E Emile Monette, and Computer Scientist at the U.S. National Institute of Standards and Technology Dr. Paul Black, co-presented a briefing entitled "Advances in Information Assurance Standards," at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA on March 26, 2014.

The briefing, which included discussion of Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™), described the "national efforts to identify and eliminate the causes of security breaches through the development of the Common Weakness Enumeration repository … best practices for using information in the repository for improving the security of software … how to measure the security of software and how this is done using the CISQ measure for security."

The slides from this briefing are available at http://it-cisq.org/wp-content/uploads/2014/04/CISQ-Seminar-2014_03_26-Advances-in-Information-Assurance-Standards.pdf.

Visit the CWE Calendar for information on this and other events.

MITRE Hosts Software and Supply Chain Assurance Spring Forum 2014

MITRE hosted the Software and Supply Chain Assurance (SSCA) Spring Forum 2014 March 18-20, 2014 at MITRE Corporation in McLean, Virginia, USA. The theme for this event was "mitigating hardware and software risks in the supply chain."

Visit the CWE Calendar for information on this and other events.

March 14, 2014

OWASP Makes Declaration of CWE Compatibility

Open Web Application Security Project (OWASP) declared that its assessment and remediation tool, Zed Attack Proxy, is CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectiveness section.

MITRE to Host Software and Supply Chain Assurance Spring Forum 2014, March 18-20

MITRE will host the Software and Supply Chain Assurance (SSCA) Spring Forum 2014 March 18-20, 2014 at MITRE Corporation in McLean, Virginia, USA. The theme for this event is "mitigating hardware and software risks in the supply chain."

See the event agenda, and/or event registration page, for additional information.

Visit the CWE Calendar for information on this and other events.

Information Assurance Standards Briefing at CISQ Seminar–Software Quality in Federal Acquisitions on March 26

CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance E Emile Monette, and Computer Scientist at the U.S. National Institute of Standards and Technology Dr. Paul Black, will co-present a briefing entitled "Advances in Information Assurance Standards," at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA on March 26, 2014.

The briefing, which will include discussion of Common Weakness Enumeration (CWE™) and Common Attack Pattern Enumeration and Classification (CAPEC™), will describe the “national efforts to identify and eliminate the causes of security breaches through the development of the Common Weakness Enumeration repository … best practices for using information in the repository for improving the security of software … how to measure the security of software and how this is done using the CISQ measure for security.”

Visit the CWE Calendar for information on this and other events.

Security Assurance Discussion Panel at RSA 2014

CWE/CAPEC Program Manager Robert A. Martin participated on a discussion panel entitled "Measurement as a Key to Confidence: Providing Assurance" on February 27, 2014 at RSA Conference 2014 in San Francisco, California, USA.

Visit the CWE Calendar for information on this and other events.

February 19, 2014

CWE Version 2.6 Now Available

CWE Version 2.6 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 2.5 and Version 2.6.

There are 3 new entries, mostly related to communication channels. In all, 73 entries were modified. The main changes include: (1) name and description changes for 4 and 8 entries respectively, mostly related to mobile applications; (2) relationship changes for 14 entries, primarily reflecting re-organization of the research view to better handle mobile and communication-channel weaknesses; (3) potential mitigation updates in 22 entries; (4) related attack patterns (CAPEC) updates in 22 entries; (5) new demonstrative examples in 22 entries, primarily for mobile applications; and (6) updates in 18 entries for references.

The CWE Schema was updated to version 5.4 to support another programming language for demonstrative examples.

PDF documents have been updated to display graphs of views such as the Research View (CWE-1000) and the Development View (CWE-699), and a "Printable CWE" document lists all of the entries in CWE.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.

"CWE Mapping and Navigation Guidance" Now Available

A CWE Mapping and Navigation Guidance page has been added to the CWE Web site. The new page provides information for mapping to CWE-IDs as well as tips for searching and navigating CWE content on the CWE Web site, including the following: "Mapping to CWE IDs - Criteria for the Best Match," "Using the Web Site to Map to a CWE-ID," and "Additional Suggestions for Search and Navigation."

SwA On-Ramp Collection Updated with Detection vs. Impact Information

The Getting Started in Software Assurance (SwA) collection on the CWE Web site, also known as the "SwA On-Ramp" collection, has been updated with a new page and enhanced detection method versus technical impact guidance information.

This collection includes an overview of software assurance and then points out the several steps/phases of gaining assurance about software's resilience, reliability, and robustness with appropriate links to further information about these different steps.

The collection includes updates to the following regarding detection versus impact:

Engineering for Attack - discusses the need to consider the attacks that your applications may face as you start your concept definition, design, and architecture efforts as well as your coding and deployment efforts.

Software Quality – about how paying attention to quality can help with the secureness, reliability, and robustness of your software.

Prioritizing Weaknesses Based Upon Your Organization's Mission - this updated page includes a discussion of the Top 25 effort, CWSS, and CWRAF, and a new discussion of a Technical Impact and Detection Method approach.

Detection Methods – this new page provides information on how the different types of weaknesses are findable by different types of detection approaches and that a project team should leverage that to plan which weaknesses they deal with at the various stages of a development effort.

Manageable Steps - summarizes the above and reinforces the need to plan and manages the software assurance effort into accomplishable steps.

Feedback on this collection is welcome at cwe@mitre.org.

Security Assurance Discussion Panel at RSA 2014 on February 27

CWE/CAPEC Program Manager Robert A. Martin will participate on a discussion panel entitled "Measurement as a Key to Confidence: Providing Assurance" on February 27, 2014 at RSA Conference 2014 in San Francisco, California, USA.

Discussion topic summary for this panel is as follows: "Providing security assurance relies on programs, schemes and assessors specifying and performing appropriate measurements. These may include sampling strategies, specification of appropriate boundaries and the rigor of assessment. Confidence in the security assurance claims depends on the conformity of assessments and appropriate measurement of the specification of the assurance requirements."

Visit the CWE Calendar for information on this and other events.

January 17, 2014

The MathWorks, Inc. Makes Declaration of CWE Compatibility

The MathWorks, Inc. declared that its static analysis tool and coding rules checker, Polyspace Bug Finder, will be CWE-Compatible. For additional information about this and other compatible products, visit the CWE Compatibility and Effectivenessa section.

CWE Mentioned in "DARPA Cyber Grand Challenge (CGC)"

CWE was mentioned in the U.S. Defense Advanced Research Projects Agency (DARPA) "Cyber Grand Challenge" announcement on December 24, 2013 in a frequently asked questions document. "The DARPA Cyber Grand Challenge (CGC) is a tournament for fully automated network defense. Similar to computer security competitions currently played by expert software analysts, the CGC intends to allow groundbreaking prototype systems to compete for the first time in a "league of their own." During the competition, automatic systems would reason about software flaws, formulate patches and deploy them on a network in real time."

CWE is mentioned in the answers to two DARPA Cyber Grand Challenge (CGC) FAQs, as follows: "Q9: What constitutes a software flaw in Cyber Grand Challenge? A9: DARPA CGC will not provide a formal definition of a software flaw; this question lies outside the scope of the challenge. The CGC will operate in the tradition of existing cyber competitions: a flaw is proven when an input delivered from the network to a flawed software program (CB) creates an effect detectable by instrumentation operated by the competition framework. CGC Challenge Binaries will contain memory corruption flaws representative of flaws categorized by the MITRE CWE (cwe.mitre.org), however, Competitor Systems may prove any software flaw they discover through automated reasoning. A list of representative CWE categories will be released prior to the kickoff of Cyber Grand Challenge." And "Q10: What type of security vulnerabilities will CGC address? A10: CGC Challenge Binaries shall contain traditional memory corruption flaws. A subset of relevant flaw types drawn from the MITRE Common Weakness Enumeration entries as found on http://cwe.mitre.org/ follows; teams are encouraged to make use of this list as a starting point, not a reference." The answer to A10 also lists 39 individual CWE entries by CWE-IDs, for example, "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), etc.".

See https://dtsn.darpa.mil/CyberGrandChallenge/default.aspx for additional information.

MITRE Hosts DHS/DoD Software and Supply Chain Assurance Working Group Meeting

MITRE hosted the DHS/DoD Software and Supply Chain Assurance Working Group Meeting on December 17-19, 2013 at MITRE Corporation in McLean, Virginia, USA. Discussion topics included the Software and Supply Chain Assurance (SSCA) Way Ahead, Cyber Executive Order and Framework/Emerging Industry Standards and Best Practices, Tools and Technology State-of-the-Art Report (SOAR), Supply Chain Risk Management (SCRM) Taxonomies for Information Sharing, Education and Training, SSCA Mobile, DHS Research and Development Software Assurance Marketplace (SWAMP), and a SCRM Working Group Workshop.

Visit the CWE Calendar for information on this and other events.

Page Last Updated: July 31, 2014