MITRE began working on the issue of categorizing software weaknesses as early 1999 when it launched the Common Vulnerabilities and Exposures (CVE®) List. As part of the development of CVE, MITRE’s CVE Team developed a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts to help define common software weaknesses. However, while sufficient for CVE, those groupings are too rough to be used to identify and categorize the functionality offered within the offerings of the code security assessment industry. To support that type of usage, additional fidelity and succinctness are needed as are additional details and description for each of the different nodes and groupings such as the effects, behaviors, and implementation details, etc.
To do this, MITRE took a first cut at revising the internal CVE category work for usage in the code assessment industry in 2005 as part of MITRE’s participation in the U.S. Department of Homeland Security (DHS) sponsored National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) project. Our resulting document, entitled Preliminary List Of Vulnerability Examples for Researchers (PLOVER), was a working document that lists over 1,500 diverse, real-world examples of vulnerabilities, identified by their CVE name. The vulnerabilities in PLOVER are organized within a detailed conceptual framework that currently enumerates 290 individual types of software weaknesses, idiosyncrasies, faults, and flaws, with a large number of real-world vulnerability examples for each. PLOVER represented the first attempt at a truly bottom-up effort to take real-world observed faults and flaws that do exist in code, abstract them and group them into common classes representing more general potential vulnerabilities that could exist in code, and then finally to organize them in an appropriate relative structure so as to make them accessible and useful to a diverse set of audiences for a diverse set of purposes.
After PLOVER, the next step was to establish acceptable definitions and descriptions of these common weaknesses by the community under the NIST SAMATE project, which led to the creation and the first release of the “Common Weakness Enumeration” List and associated classification taxonomy in 2006. Not only did CWE encompass a large portion of the CVE List’s (now 130,000+) CVE Entries, but it also included detail, breadth, and classification structure from a diverse set of other industry and academic sources and examples including the McGraw/Fortify “Kingdoms” taxonomy; Howard, LeBlanc & Viega’s 19 Deadly Sins; and Secure Software’s CLASP project; among others.
Follow-on releases over the years refined these software weakness types and their classification trees, while also adding new content such as in 2014 for mobile applications. In recent years, hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) have become increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. For this reason, support for hardware weaknesses was added to the CWE List in 2020.
Today, each new release of the CWE List continues to be a community effort. Creation of the list is an ongoing process as the CWE Community regularly refines existing software and hardware weakness types and their classification trees, develops and adds new weakness types definitions and related content as needed for new technologies, and discovers new ways for the community to leverage CWE content such as the new data-driven approach for generating the CWE Top 25.