News & Events - 2021 Archive

CWE/CAPEC Blog: “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop”
February 1, 2022

The CWE Team’s “Mind Your REGEX or It Can Put Your Program Into an Infinite Loop” blog article discusses how, if your project uses or implements regular expressions, you need to check them for a weakness that might allow an attacker to stop your program from working. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Blog: “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques”
January 13, 2022

The CWE Team’s “HTTP Desync: The Redux and Evolution of HTTP Smuggling and Splitting Attack Techniques” blog article provides a primer on the often conflated HTTP (response/request) (splitting/smuggling) attack techniques, as well as information about which Common Attack Pattern Enumeration and Classification (CAPEC™) entries may help further distinguish between the two. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Board Approves Version 1.0 of Board Charter
January 10, 2022

The CWE/CAPEC Board approved version 1.0 of the “CWE/CAPEC Board Charter” on January 7, 2022. The charter includes two main sections, “Board Overview and Member Responsibilities” and “Board Membership and Operations,” as well as a “Board Charter Review” section that describes the process for updating the charter. Along with version 1.0 of the charter document, the Board also approved the “CWE/CAPEC Program Professional Code of Conduct.”

CWE/CAPEC Communications Survey
January 6, 2022

The CWE/CAPEC Program requests your feedback on our communications efforts. We would like to learn what you think about the topics being covered on our CWE/CAPEC Blog and Out-of-Bounds Read podcast, as well as anything else that you want to see or learn more about. Please respond to our “CWE/CAPEC Communications Survey” and share your thoughts today!

CWE/CAPEC Board Member Jason Fung Discusses the Most Important Hardware CWEs on Podcast
January 6, 2022

Listen to CWE/CAPEC Board Member Jason Fung of Intel talk about the 2021 Most Important Hardware Weaknesses list and its potential impact on the hardware security industry on Intel’s Chips & Salsa podcast.

CWE/CAPEC Blog: “Neutralizing Your Inputs: a Log4Shell Weakness Story”
December 20, 2021

The CWE Team’s “Neutralizing Your Inputs: a Log4Shell Weakness Story” blog article discusses the underlying weaknesses related to CVE-2021-44228. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Blog: “Don’t Forget to Protect Your Hardware from the Power Cosmic”
December 10, 2021

The CWE Team’s “Don’t Forget to Protect Your Hardware from the Power Cosmic” blog article discusses how to prevent or recover from a single-event upset (SEU). Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Podcast: “CWE and Hardware Security”
November 3, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our fifth episode, “CWE and Hardware Security,” hardware experts discuss hardware CWEs and the “2021 CWE™ Most Important Hardware Weaknesses List,” including how the list will help the community, their favorite entries and surprising items on the list, and stories around hardware weaknesses.

Interviewees include Jason Fung, Director of Offensive Security Research and Academic Research Engagement at Intel; Jason Oberg, Cofounder and Chief Technology Officer at Tortuga Logic; Paul Wortman, Cybersecurity Research Scientist at Wells Fargo; Jasper van Woudenberg, CTO of Riscure North America and co-author of the “Hardware Hacking Handbook”; and Nicole Fern, Senior Security Analyst at Riscure.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

CWE/CAPEC Blog: “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money”
November 2, 2021

The CWE Team’s “New Math: Don’t Let Real Numbers Cause the Loss of Real Lives or Money” blog article discusses the importance of making sure you know the limits of the problem you are trying to solve and of testing up to those limits. Read the complete article on the CWE/CAPEC Blog on Medium.

“2021 CWE Most Important Hardware Weaknesses” List Now Available!
October 28, 2021

The first-ever version of the “2021 CWE™ Most Important Hardware Weaknesses List,” a community-developed list of hardware weaknesses with detailed descriptions and authoritative guidance for mitigating and avoiding them, is now available on the CWE website.

Goals

The goals for the 2021 Hardware List are to drive awareness of common hardware weaknesses through CWE, and to prevent hardware security issues at the source by educating designers and programmers on how to eliminate important mistakes early in the product development lifecycle. Security analysts and test engineers can use the list in preparing plans for security testing and evaluation. Hardware consumers could use the list to help them ask for more secure hardware products from their suppliers. Also, managers and CIOs can use the list as a measuring stick of progress in their efforts to secure their hardware and ascertain where to direct resources to develop security tools or automation processes that mitigate a wide class of vulnerabilities by eliminating the underlying root cause.

Visit the 2021 Hardware List page to view the full list, as well as other details including limitations, methodology, and more.

A Community Effort

The list is the direct result of collaboration within the Hardware CWE Special Interest Group (SIG), a community forum for individuals representing organizations within hardware design, manufacturing, research, and security domains, as well as academia and government.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, @cwecapec on Twitter, the CWE page on LinkedIn, or contact us directly.

CWE Version 4.6 Now Available
October 28, 2021

CWE Version 4.6 has been posted on the CWE List page to add support for the recently released “2021 CWE Most Important Hardware Weaknesses” list, and to create an initial view based on the recently announced OWASP Top Ten 2021. A detailed report is available that lists specific changes between Version 4.5 and Version 4.6.

Main Changes: CWE 4.6 includes the addition of 1 new view to support the release of the “2021 CWE Most Important Hardware Weaknesses”; 1 new view with 10 categories based on the recently announced “OWASP Top Ten 2021”; 1 new software weakness, CWE-1341: Multiple Releases of Same Resource or Handle; and 1 new hardware weakness, CWE-1342: Information Exposure through Microarchitectural State after Transient Execution. In addition, many of the entries on the hardware list had significant improvements in names, descriptions, detection methods, potential mitigations, examples, and references.

The schema was updated from v6.5 to v6.6 to (1) add “Formal Verification” and “Simulation/Emulation” to the DetectionMethodEnumeration, which is used in the Detection_Method element in weaknesses; and (2) add “Discouraged Common Practice” to the EffectivenessEnumeration, which is used in the Mitigation element in weaknesses. View the schema difference report for details.

Summary: There are 924 weaknesses and a total of 1,357 entries on the CWE List. Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.5_v4.6.html. Future updates will be noted here, on the CWE Research email discussion list, the CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

CWE/CAPEC Podcast: “The CWE 15th Anniversary Special”
October 14, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. Our fourth episode, “The CWE 15th Anniversary Special,” is a special Cybersecurity Awareness Month podcast in which we discuss the 15-year history and future of the CWE/CAPEC program with those who made significant contributions to CWE: Bob Martin, Senior Principal Software and Supply Chain Assurance Engineer at MITRE; Joe Jarzombek, Director of Government and Critical Infrastructure Programs at Synopsys; Chris Eng, Chief Research Officer at Veracode; Chris Levendis, CWE/CAPEC Program Leader at MITRE; and Drew Buttner, Software Assurance Capability Area Lead at MITRE.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube, the Out-of-Bounds Read page on Buzzsprout, or on podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

CWE/CAPEC Blog: “The Most Important CWEs and CAPECs to Pay Attention to When Building Software”
October 6, 2021

The CWE Team’s “The Most Important CWEs and CAPECs to Pay Attention to When Building Software” blog article includes 5 checks for your development process. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Podcast: “All About the 2021 Top 25 Most Dangerous Software Weaknesses”
September 15, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our third episode, “All About the 2021 Top 25 Most Dangerous Software Weaknesses,” Steve Battista of the CWE/CAPEC Program interviews Rushi Purohit, who has helped lead the efforts behind the last few years’ Top 25 Most Dangerous Software Weaknesses publications. We talk about the new 2021 release of this list.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

Minutes from CWE/CAPEC Board Teleconference Meeting on August 17 Now Available
September 1, 2021

The CWE/CAPEC Board held a teleconference meeting on August 17, 2021. Read the meeting minutes.

CWE/CAPEC Podcast: “What is CAPEC, Why is It Important, and How Can it Help Me?”
September 1, 2021

The CWE/CAPEC Program’s “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our second episode, “What is CAPEC, Why is It Important, and How Can it Help Me?,” Steve Battista of the CWE/CAPEC Program interviews Rich Piazza, the CAPEC Task Lead, about what Common Attack Pattern Enumeration and Classification (CAPEC™) is and the problem it aims to solve, who can benefit from CAPEC and how to leverage it, the role of the community, how CAPEC has evolved over time, and possibilities for the future.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on other podcast platforms. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at capec@mitre.org or cwe@mitre.org. We look forward to hearing from you!

CWE Blog Article Focuses on the “Shadow Copy” Weakness
August 18, 2021

The CWE Team has posted a “Who Knows What Passwords Lurk in the Heart of Windows? The Shadow Knows!” blog article that focuses on the shadow copy weakness nicknamed “SeriousSAM” or “HiveNightmare.” Read the complete article on the CWE/CAPEC Blog on Medium.

2021 “CWE Top 25” Now Available!
July 20, 2021

The official version of the “2021 CWE Top 25 Most Dangerous Software Weaknesses,” a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website. These weaknesses are dangerous because they are often easy to find and exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — gain insight into the most severe and current security weaknesses.

What’s Changed

The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract class-level weaknesses. Significant downward movement from high-level classes included CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-94: Improper Control of Generation of Code (‘Code Injection’); CWE-269: Improper Privilege Management; and CWE-732: Incorrect Permission Assignment for Critical Resource.

With the relative decline of class-level weaknesses, more specific CWEs have moved higher up in the rankings, such as CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’); CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’); CWE-434: Unrestricted Upload of File with Dangerous Type; CWE-306: Missing Authentication for Critical Function; CWE-502: Deserialization of Untrusted Data; CWE-862: Missing Authorization; and CWE-276: Incorrect Default Permissions.

Leveraging Real-World Data

To create the 2021 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents.

The 2021 CWE Top 25 leverages NVD data from the years 2019 and 2020, which consists of approximately 32,500 CVEs that are associated with a weakness. A scoring formula is used to calculate a ranked order of weaknesses; it combines the frequency with which a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen. For more detailed information including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, @cwecapec on Twitter, the CWE page on LinkedIn, or contact us directly.

CWE Version 4.5 Now Available
July 20, 2021

CWE Version 4.5 has been posted on the CWE List page to add support for the recently released “2021 CWE Top 25 Most Dangerous Software Weaknesses” list, among other updates. A detailed report is available that lists specific changes between Version 4.4 and Version 4.5.

Main Changes: CWE 4.5 includes the addition of 1 new view to support the release of the 2021 CWE Top 25, 3 new software weaknesses, and 1 new hardware weakness. In addition, there were many updates related to randomness.

The schema was updated from v6.4 to v6.5 to make the Content_History element required on all top-level elements (Views, Categories, and Weaknesses) and to add “Rust” to the LanguageNameEnumeration, which is used in the Applicable_Platform and Demonstrative_Example elements in Weaknesses. In addition, several CWE entries now use <img> tags to include images, such as CWE-1339 and CWE-1256. These tags are valid for earlier schema versions, but they might require a change in functionality for programs that render the XML. View the schema difference report for details.

One new view added:

Three new software weaknesses added:

One new hardware weakness added:

Summary: There are 922 weaknesses and a total of 1,343 entries on the CWE List. Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.4_v4.5.html. Future updates will be noted here, on the CWE Research email discussion list, the CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

CWE/CAPEC Program Launches New Podcast!
July 16, 2021

The CWE/CAPEC Program’s new “Out-of-Bounds Read” podcast is devoted to helping the community that protects systems by understanding weaknesses and attack patterns in software and hardware. In our first-ever episode, Steve Battista of the CWE/CAPEC Program interviews Steve Christey Coley, the CWE/CAPEC Program Technical Lead, about what Common Weakness Enumeration (CWE™) is and the problem it aims to solve, who can benefit from CWE and how to leverage it, the role of the community, how CWE has evolved over time, and possibilities for the future.

The podcast is available for free on the CWE/CAPEC Program Channel on YouTube and on the CWE website as an MP3. Other podcast platforms are coming soon. Please give the podcast a listen and let us know what you think by commenting on Twitter at @cwecapec or sending a direct message, or email us at cwe@mitre.org. We look forward to hearing from you!

CWE Blog Article Discusses the “Integer Overflow or Wraparound” Weakness
July 15, 2021

The CWE Team has posted a “Buffett Overflow Integer Overflow in Berkshire Hathaway Stock” blog article about CWE-190: Integer Overflow or Wraparound, in which “software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.” Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Focuses on the Two Weaknesses that Led to an Apple iOS 0 day
July 1, 2021

The CWE Team has posted an “Inconsistent reading of XML leading to an Apple iOS 0 day” blog article about how sometimes weaknesses are not in a specific piece of code or executable but in how multiple executables interpret the same inputs, which can cause them to behave differently. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Discusses Spectre Mitigation for Developers, Technical Staff, and Leadership
June 17, 2021

The CWE Team has posted a “Once theoretical, the practical implementation of Spectre haunts web applications” blog article about the still looming and practical threat of Spectre and its side-channel attack, along with Spectre mitigation advice for developers, technical staff, and leadership. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Mappings Included in “2021 Top 20 Secure PLC Coding Practices List”
June 17, 2021

The CWE Program is pleased to have participated in a first-of-its-kind, community-driven effort to capture best practices for coding on Programmable Logic Controllers (PLCs). Each entry on the “2021 Top 20 Secure PLC Coding Practices List” maps its practices to their underlying root-cause weaknesses (CWEs).

According to the PLC Security website, “The aim of this project is to provide guidelines to engineers that are creating software (ladder logic, function charts etc.) to help improve the security posture of Industrial Control Systems. These practices leverage natively available functionality in the PLC/DCS. Little to no additional software tools or hardware is needed to implement these practices. They can all be fit into the normal PLC programming and operating workflow. More than security expertise, good knowledge of the PLCs to be protected, their logic, and the underlying process is needed for implementing these practices.”

The CWE Program shares a common goal with the Top 20 Secure PLC Coding Practices project: to help stop vulnerabilities at the source and prevent them from ever showing up in production code. We encourage you to leverage the Top 20 Secure PLC Coding Practices, and avoid their underlying CWEs, when programming PLCs.

Join the CWE/CAPEC User Experience Working Group!
June 10, 2021

Interested in working to improve the way we present weaknesses and attack patterns? Join the new CWE/CAPEC User Experience Working Group (CWE/CAPEC UE WG), which will meet every two weeks to strategize and develop solutions for optimizing content and educating users. To join or learn more, direct message us on Twitter at @cwecapec or email us at cwe@mitre.org.

Minutes from CWE/CAPEC Board Teleconference Meeting on May 18 Now Available
May 26, 2021

The CWE/CAPEC Board held a teleconference meeting on May 18, 2021. Read the meeting minutes.

CWE Blog Article Offers Possible Solutions for Avoiding the “Double Free” Weakness
May 19, 2021

The CWE Team has posted an “If You Love Something, Set It Free — But Only Once” blog article that offers possible solutions for avoiding the Double Free weakness. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE/CAPEC Program Launches YouTube Channel
May 12, 2021

The CWE/CAPEC Program is now on YouTube! Our new CWE/CAPEC Channel on YouTube currently includes several videos about the CWE Compatibility program from the “CWE Compatibility Program Vendor Summit 2021.” Please check out the videos and let us know what you think by commenting on YouTube. We look forward to hearing from you!

CWE Blog Article Focuses on Avoiding Uncontrolled Search Path Weaknesses
May 6, 2021

The CWE Team has posted a “Why Your Build Chain Might Be Installing Random Packages” blog article that discusses how to avoid the Uncontrolled Search Path Element weakness. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Is Main Topic of Riscure Webinar
April 29, 2021

CWE/CAPEC team lead Alec Summers presented a Riscure Webinar entitled “Common Weakness Enumeration (CWE): A Common Language for Software and Hardware Design Weaknesses.”

CWE Blog Article Focuses on Preventing Hardware Weaknesses
April 21, 2021

The CWE Team has posted an “Addressing Thunderspy, One Weakness at A Time” blog article that discusses how incorporating security into hardware design and implementation can prevent weaknesses that could lead to future vulnerabilities. Read the complete article on the CWE/CAPEC Blog on Medium.

CWE Blog Article Focuses on How the Mitigation for One Weakness Can Introduce Another Weakness
April 6, 2021

The CWE Team has posted a “When Mitigations Have Their Own Weaknesses” blog article that also discusses how future issues can be reduced by testing across multiple weakness types. Read the complete article on the CWE/CAPEC Blog on Medium.

Guidance for Mapping CVEs to CWEs Now Available
March 25, 2021

Guidance for mapping vulnerabilities to weaknesses is now available on the “CVE → CWE Mapping Guidance” page on the CWE website. Vendors and researchers who produce or analyze CVE Records can use this guidance to better align newly discovered vulnerabilities (i.e., CVE Records) to their respective underlying weaknesses (i.e., CWE Entries). This guidance is informed by two years of experience in analyzing and mapping thousands of CVE Records in NIST’s National Vulnerability Database (NVD) to CWEs for calculating the annual CWE Top 25 list. By aligning CVE Records to the most applicable CWE Entries, the community will be in a better position to mitigate or eliminate their associated operational risk most effectively.

Guidance

The new guidance provides an overview of CWE, a section of helpful resources with a refresher on CWE Entry structure, and five different mapping methodologies that can be used on the CWE website to help identify appropriate weakness mappings for CVE Records:

A mapping cheat sheet and mapping examples are also included.

Feedback Welcome

Please contact us with any comments or concerns about this guidance. We look forward to hearing from you!

CWE Blog Article Focuses on How Mapping Vulnerabilities to Weaknesses Can Help Prevent Future Vulnerabilities
March 25, 2021

The CWE Team has posted a “Slowing down with sudo or (The importance of accurately mapping vulnerabilities to weaknesses)” blog article about the benefits of mapping vulnerabilities to weaknesses. Read the complete article on the CWE/CAPEC Blog on Medium.

Minutes from CWE/CAPEC Board Teleconference Meeting on February 10 Now Available
March 19, 2021

The CWE/CAPEC Board held a teleconference meeting on February 10, 2021. Read the meeting minutes.

CWE Version 4.4 Now Available
March 15, 2021

CWE Version 4.4 has been posted on the CWE List page to add 1 new View, CWE Entries with Maintenance Notes, which assessment vendors may use to anticipate future changes to CWE and help their customers prepare for those changes; 2 new Software Development Weakness entries: Generation of Weak Initialization Vector (IV) and Inefficient Regular Expression Complexity; as well as updates to 244 other entries. A detailed report is available that lists specific changes between Version 4.3 and Version 4.4.

The CWE Content Team conducted in-depth research and analysis in the following areas:

Summary: There are 918 weaknesses and a total of 1,338 entries on the CWE List. Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.3_v4.4.html. Future updates will be noted here, on the CWE Research email discussion list, the CWE page on LinkedIn, and on @cwecapec on Twitter. Please contact us with any comments or concerns.

Thank you to all who participated in the CWE Compatibility Program Vendor Summit 2021!
March 15, 2021

The CWE Program would like to thank everyone who participated in the CWE Compatibility Program Vendor Summit on March 11, 2021. The event included great discussions from multiple viewpoints on topics important to CWE and the CWE Compatibility Program. Special thanks to our panelists:

There was a tremendous amount of insight and thoughtful comment from the day that the CWE Team is distilling and developing into materials to share for follow-up engagement with the community. In the meantime, please help us continue the discussion by following us on @cwecapec on Twitter, the CWE page on LinkedIn, the CWE Blog, the CWE discussion lists, or by email. We look forward to hearing from you!

Event Agenda Now Available for the CWE Compatibility Program Vendor Summit 2021 on March 11
March 2, 2021

The event agenda for the CWE Compatibility Program Vendor Summit on March 11, 2021, from 10:30 a.m. to 4:30 p.m. (EST), is now available. The focus areas for this event will be program improvements, education and awareness, and CWE modernization. Attendees will have the opportunity to participate in subsequent discussions around the following topics and more:

If you haven’t registered, there’s still space, so register today!

CWE Compatibility Program Vendor Summit 2021 — Registration Now Open!
February 24, 2021

Registration for this year’s CWE Compatibility Program Vendor Summit is now open! Participants in this free virtual event will have the opportunity to provide feedback on how CWE and the CWE Compatibility program are working for them and their customers. An agenda for the summit, which will be held on March 11, 2021, from 10:30 a.m. to 4:30 p.m. (EST), will be available soon. Register today!

“Make Hardware Strong With CWE” Article on Semiconductor Engineering
January 15, 2021

Use of CWE for hardware is encouraged in a December 9, 2020 article entitled “Make Hardware Strong With CWE” on Semiconductor Engineering. In the article, the author defines what a hardware weakness is, explains why addressing them is imperative to hardware security, and describes how CWE for hardware helps.

The author states: “Weaknesses could be introduced during any stage of the ASIC and FPGA hardware development process, including pre-silicon phases such as RTL coding, integrations of third-party intellectual properties (3PIPs), synthesis, place-and-route, and bitstream generation ... Unfortunately, when it comes to security weaknesses, the issues and consequences get even worse. Professional hackers, security researchers, and other very smart and creative people continuously try to find ways to breach security protections … Ultimately, one or more weaknesses may cause a vulnerability that is exploited by attackers to violate system security policies.”

The author describes the need for CWE for hardware as follows: “Security requirements and assurance processes must be an integral part of all these applications’ hardware development life cycle ... CWE provides a common language and list of targets for IP and integrated circuit (IC) developers, and electronic design automation (EDA) tool vendors.”