CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > Reports > Major Changes from Draft 9 to CWE 1.0  
ID

Major Changes from Draft 9 to CWE 1.0

Major changes have been made to the CWE schema, which will be much more stable than previous versions. It is expected that the schema will not change in any substantial fashion for the near future. The new schema addresses the main outstanding limitations of past versions, provides internal consistency, fixes outstanding limitations, and supports ease of content editing by the CWE team. We thank Sean Barnum of Cigital for his active contributions in this area.

Engagement with key stakeholders in the community has led to additional content enhancements in CWE 1.0. Many entries contain modifications that were contributed by external parties.

  • Cigital provided additional demonstrative examples, mitigations, and times of introduction.
  • KDM Analytics provided additional white box definitions.
  • Veracode suggested the creation of an OWASP Top Ten 2004 view because of its use in PCI, and they provided supporting CWE mappings.

Engagement with members of the community has also resulted in significant enhancements to the Development Concepts and Research Concepts views, which are the most heavily featured on the CWE web site. We have also created a Seven Pernicious Kingdoms view. A comparison of these views is available, as well as a description of how they evolved. We are especially grateful for feedback from representatives from Cigital, Fortify, and Veracode.

All 695 entries from CWE Draft 9 have been modified in some fashion, mostly from external contributions and from relationship changes in support of various views. Additional details of the differences are here.

Several additional supporting documents and white papers have been published, including (1) an analysis of CWE's ability to support tool mappings, (2) an evolving glossary of terms, (3) a detailed description of the evolution of the Development and Research views, (4) a comparison of those views, and (5) PDF graphs of various views, including "coverage graphs" that show how members of one view are located within another view.

CWE 1.0 is a significant improvement to the past drafts of CWE. It would not be possible without hard work from the community and the CWE team. Bob Martin and Steve Christey would like to thank CWE team members Janis Kenderdine, Conor Harris, and Mark Loveless for all their efforts in bringing CWE to a new level of maturity.

Back to top
Page Last Updated: April 02, 2018
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.