Process
The Common Weakness Enumeration, which published its first official version in September 2008 after moving through 9 drafts over a couple of years, covers over 700 weaknesses and categories of things that can lead to software that is susceptible to attack and exploitation. This collection can pose a daunting set of problems to be addressed in order to gain assurance in the security of your software.
In early October the SANS Institute, an active member of the CWE Community and of the joint DHS, DoD, and NIST Software Assurance Forums and Working Groups, proposed the idea of creating a focused list of the Top 25 CWEs, which would be a community effort to develop a prioritized list of the most exploitable constructs that make software vulnerable to attack or failure. This plays off the "Top XXX" brand that SANS has built since 2001, starting with their Top 10, the first prioritized list of security problems that organizations should address.
Subsequently, the creation of the list was announced on October 14th at the Software Assurance Forum being held at NIST's headquarters in Gaithersburg, Maryland, and a week later MITRE's CWE team contacted 29 individuals from 24 organizations about participating in the creation and vetting of the list of the most dangerous CWEs. The 20 November invitation included a short write-up of four potential candidates for the list and stated the goal of concluding the effort in time for a January 2009 release of the list. During this time frame MITRE worked to develop a list of candidate CWEs to jump-start the discussions.
On November 25th, this first draft of the list, with 25 proposed items and 17 others that should be discussed, was sent to the initial group for discussion and vetting. A deadline of December 1st was given for sending in comments and suggestions, with the idea that we would be circulating multiple drafts and that each round of comments needed to be cleanly concluded so we, as a group, could move on to the next round of discussions.
On this same day, SANS and the MITRE CWE Team announced the "2009 CWE/SANS Top 25 Programming Errors" effort with appropriate web pages and e-mail distributions to their respective communities of e-mail subscribers.
On December 8th the second draft of the list was sent to the group, which had grown to 33 individuals from 27 organizations as people volunteered to contribute based on the SANS and CWE announcements. The 2nd draft was accompanied by a change log that reflected a summarized discussion of the comments and suggestions we received on the 1st draft from about half of the group and what we did with those suggestions. A deadline of December 17th was given for the 2nd draft.
On December 23rd the third draft was sent to the group, now standing at 41 individuals from 35 organizations. Once again we included a change log of the received input and comments, which again came from over half of the members of the group but, interestingly, mostly from members who hadn't commented on the 1st draft. We emphasized the importance of reviewing this draft of the Top 25 Errors list since it was basically the candidate final list, given the time remaining before the list was scheduled for release. A deadline of December 30th was given for this round of commenting, but we encouraged people to send in their inputs as soon as they could so we could improve our chances of making the roll-out schedule. We established January 5th as the absolute last day for comments in order to allow sufficient time to work through all of the comments and get the list ready for publication on the 12th of January as the "2009 CWE/SANS Top 25 Most Dangerous Programming Errors".
A preview of the final CWE/SANS Top 25 document, with the change log of what comments were received on the 3rd draft and how the suggestions and comments were handled, was sent to the group on the 8th of January.