Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weakness types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.
Targeted at both the development and security practitioner communities, the main goal of CWE is to stop vulnerabilities at the source by educating software and hardware architects, designers, programmers, and acquirers on how to eliminate the most common mistakes before products are delivered. Ultimately, use of CWE helps prevent the kinds of security vulnerabilities that have plagued the software and hardware industries and put enterprises at risk.
CWE helps developers and security practitioners to:
The CWE List includes both software and hardware weakness types. First released in 2006 (view history), the list initially focused on software weaknesses because organizations of all sizes want assurance that the software products they acquire and develop are free of known types of security flaws. Follow-on releases refined these weaknesses and their classification trees—referred to as a “CWEs”—while also adding new content such as CWEs for mobile applications.
In recent years, hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) have become increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. For this reason, support for hardware weaknesses was added to the CWE List in 2020.
Since the beginning, creation of the list has been a community initiative to develop specific and succinct definitions for each common weakness type and its related classification tree structures, and to refine them over time. By leveraging the widest possible group of interests and talents, we ensure that each item in the list is adequately described and differentiated.
This work continues today with each new release of the CWE List.
Using the CWE List
The Software Development view organizes items by concepts that are frequently used or encountered during development, the Hardware Design view organizes weaknesses around concepts that are frequently used or encountered in hardware design, and Research Concepts facilitates weakness type research by organizing items by behaviors.
Other helpful predefined views provide insight for a certain domain or use case, such as weaknesses introduced during design or introduced during implementation; weaknesses with indirect security impacts; in software written in C, C++, Java, and PHP; in mobile applications; and many more. Another useful feature is the external mappings of CWE content to related resources including the CWE Top 25 (2020); OWASP Top Ten (2017); Seven Pernicious Kingdoms; Software Fault Pattern Clusters; CISQ Quality Measures (2020); and SEI CERT Coding Standards for C, Java, and Perl.
Scoring the Severity of CWEs
The severity of weaknesses can be scored using Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™). CWSS enables organizations to score the severity of software coding errors found in their software applications in order in mitigate weaknesses in applications they are currently using and to influence future purchases, while CWRAF enables organizations to apply CWSS to those CWEs that are most relevant to their own specific businesses, missions, and deployed technologies.
The CWE Top 25 Most Dangerous Software Weaknesses List is a free, easy to use community resource that identifies the most widespread and critical programming errors that can lead to serious software vulnerabilities. These weaknesses are often easy to find, and easy to exploit. They are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.
First released in 2009, the CWE Top 25 was at that time constructed by aggregating survey responses from a wide selection of developers, security analysts, researchers, and vendors who nominated weaknesses they considered to be the most prevalent or important to determine a ranking. The 2010 and 2011 releases also followed this approach, but it remained labor-intensive and subjective. Beginning in 2019, a new data-driven approach was undertaken that is repeatable and can be scripted to generate a CWE Top 25 list on a regular basis with minimal effort. The 2020 CWE Top 25 uses real-world vulnerability data from the U.S. National Vulnerability Database (NVD), combining frequency and an average Common Vulnerability Scoring System (CVSS) score to determine a rank order.
Today, the CWE Top 25 is a valuable community resource that can help developers, testers, and users – as well as project managers, security researchers, and educators – provide insight into the most severe and current security weaknesses.
Released in 2021, the first-ever version of the “2021 CWE™ Most Important Hardware Weaknesses List” is a community-developed list of hardware weaknesses with detailed descriptions and authoritative guidance for mitigating and avoiding them, is now available on the CWE website.
The goals for the list are to drive awareness of common hardware weaknesses through CWE, and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle.
Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them to ask for more secure hardware products from their suppliers. Also, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underling root cause.
CWE is industry-endorsed by the international CWE Community, which includes representatives from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions. By leveraging the widest possible group of interests and talents, we ensure that the CWE elements, specific effects, behaviors, exploit mechanisms, and implementation details in the CWE List are adequately captured, described, and differentiated.
Community members actively participate in the CWE effort by:
We encourage you to leverage CWE for your enterprise security, product development, and educational objectives. We especially encourage you to join us and the CWE Community as we continue to develop future releases of CWE.
Please contact us for more information.