News & Events
NOTICE: CWE Website – Possible Intermittent Outages from 7:00pm May 21 until 10:00pm EDT on May 23
May 22, 2020
Due to maintenance, the CWE Website may be temporarily unavailable at times from 7:00 p.m. on Thursday, May 21, 2020 until 10:00 p.m. EDT on Saturday, May 23, 2020. This announcement will also be posted to Twitter and LinkedIn.
We apologize for any inconvenience. Please contact us with any comments or concerns.
Leveraging the CWE Top 25 Is Main Topic of Article on Infosecurity Magazine
May 8, 2020
How to leverage the 2019 release of the CWE Top 25 Most Dangerous Software Errors is the main topic of a May 8, 2020 article entitled “How Useful Is MITRE's '25 Most Dangerous Software Errors' List?” on Infosecurity Magazine.
The author begins the article by describing how the new release of the CWE Top 25 differs significantly from previous versions, most importantly in its use of real-world data from Common Vulnerabilities and Exposures (CVE®) and the National Institute of Standards and Technology’s National Vulnerability Database (NVD), and the impact that the CWE Top 25 can have on software development and procurement: “Software vendors or specific programs that have a lot of CWE weaknesses near the top of the list tell a story of its own. For instance, over time, should these weaknesses persist, software buyers can form their own judgments about the security design lifecycle and associated risks that they present.”
In a discussion about attack sequences, the author describes how the CWE Top 25 can offer a different approach to addressing the vulnerabilities identified by CVE Entries and that by “Aligning them with the CWE ranking, which also considers criticality and causality, reveals deeper patterns that can help software companies prioritize their security development lifecycle going forward.” Also discussed is a real-world example of attackers using software vulnerabilities and weaknesses for the “EternalBlue” MS17-010 exploit that “leveraged three different software security issues to accomplish remote code execution.” The author states: “What’s instructive is that the attackers needed each component for the others to work effectively, or at all. This tells defenders something very important – while it’s important to patch all of the software security issues in a timely manner, with modern attacks, even if one of the related software security issues is patched, it can often be possible to disrupt the attack involving multiple vulnerabilities tied to different programming weaknesses.”
Regarding how to leverage the 2019 CWE Top 25, the author notes that the CWE Top 25 was “never intended to be enough on its own: it must always be used as a resource rather than a prescription … In a sense it operates as a mirror into the world of cybercriminal development which locks into common software problems, and gives defenders important clues to counter the problems. These should be figured into the context of what's critical for a given organization or environment and the software components used, so security teams stand the best chance at mitigating the biggest threats to their businesses.”
Read the entire article at https://www.infosecurity-magazine.com/opinions/mitre-software-errors/.
“Hardware CWEs…This will Change Everything” Article on Embedded Computing Design
April 17, 2020
CWE for hardware weaknesses is the main topic of an April 13, 2020 article entitled “Hardware CWEs…This will Change Everything” on Embedded Computing Design in which the author describes the necessity for hardware security as follows: “[Ensuring] hardware devices do not introduce a cybersecurity vulnerability is paramount to the security of the entire system. Failure to address security can be a costly mistake, including the impact they may have on consumer confidence, personal privacy, and brand reputation. The existence and exploitation of hardware vulnerabilities can also increase time-to-market; reduce vendor trust; and lead to costly lawsuits, chip recalls, or even loss of life.”
In the article, the author explains the history of CWE, how it’s connected to the Common Vulnerabilities and Exposures (CVE®) program, the role of the MITRE Corporation and the Homeland Security Systems Engineering and Development Institute (HSSEDI) FFRDC, why and how hardware weaknesses were added to the CWE List in February 2020, and the ways in which the inclusion of hardware weaknesses in CWE will impact hardware security moving forward. HSSEDI released CWE 4.0 in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), which sponsors both CVE and CWE.
The author concludes the article as follows: “[Cybersecurity] at the hardware level is a relatively new phenomenon … [however, with the availability of] … CWE version 4.0, design teams can now add and implement security specifications by leveraging the entire industry’s expertise across the United States government, scientific research, academia, commercial solutions companies, and other mediums. The standardization of common weaknesses also opens the door to automation around specification, design and verification of the weakness. In the future I expect to see fully integrated flows based on the list allowing all design teams to detect and prevent the ever-growing list of CWEs.”
CWE 4.0 Is Main Topic of Article on The State of Security
March 11, 2020
CWE 4.0 is the main topic of a March 11, 2020 article entitled “MITRE Releases an Update to The Common Weakness Enumeration (CWE)” on The State of Security blog.
The author begins the article by stating the value of CWE: “MITRE has been doing exceptional work in advancing cybersecurity as a public good, and it is an excellent resource for security professionals. Possibly best known for their ATT&CK Framework, a rich source of adversarial tactics and techniques and their mitigations, MITRE is also known for another resource: the Common Weakness Enumeration (CWE). The CWE is a community initiative sponsored by the Cybersecurity and Infrastructure Security Agency (CISA). The community contributing to this repository is quite broad and diverse. It includes large corporations, universities, individual researchers, and government agencies … CWE is useful for pro-actively managing risk. Since this list shines a spotlight on common weaknesses, it can be a valuable tool for a vulnerability management program and a useful check against potential points of compromise within an enterprise. The CWE allows a user to search the list by software and hardware weaknesses as well as several other useful groupings, allowing for detailed drill-down and analysis for risk analysts.”
In the article, the author explains how the release of CWE 4.0 added hardware weaknesses to the CWE List in February 2020, and that with this addition CWE now “offers a resource for developers, designers, security analysts, and researchers to find weaknesses and develop mitigations before those weaknesses are exploited. Unlike some resources that tend to have IT or InfoSec engineers as a primary audience, the CWE places developers, designers, and architects front-and-center in the process of defending the enterprise.”
CISA Announces CWE Version 4.0
February 26, 2020
Cybersecurity and Infrastructure Security Agency (CISA), the sponsor of CWE, issued the following news release on February 26, 2020 to announce CWE Version 4.0 to the community:
New CWE List of Common Security Weaknesses
MITRE has released version 4.0 of the community-developed Common Weakness Enumeration (CWE) list. Previous CWE list versions describe common software security weaknesses. With version 4.0, the CWE list expands to include hardware security weaknesses. Additionally, version 4.0 simplifies the presentation of weaknesses into various views and adds a search function to enable easier navigation of the information.
The Cybersecurity and Infrastructure Security Agency (CISA) sponsors MITRE’s CWE program, which is a community-based initiative. CISA welcomes new partners to the CWE program. Visit https://cwe.mitre.org to learn how to get involved.
Read the release on the CISA website: https://www.us-cert.gov/ncas/current-activity/2020/02/26/new-cwe-list-common-security-weaknesses-0.
CWE Version 4.0 Now Available
February 24, 2020
CWE Version 4.0 has been posted on the CWE List page to add support for Hardware Design Weaknesses, among other updates. A detailed report is available that lists specific changes between Version 3.4.1 and Version 4.0.
Main Changes
CWE 4.0 includes two new views: (1) Hardware Design, which organizes weaknesses around concepts that are frequently used or encountered in hardware design; and (2) Software Development, which was created by combining content from the previous Architecture Concepts and Development Concepts views. The schema was updated from v6.1 to v6.2 (see Release of CWE 4.0 Includes Changes to CWE Schema for details).
In addition, a new “Filter View” (beta) was added for viewing CWE classification trees (in addition to expanding and collapsing), which lets you refine exactly which content you want to see when viewing a particular CWE. Filter View (beta) is currently available on the Software Development, Hardware Design, and Research Concepts views.
Summary
There are 839 weaknesses and a total of 1,251 entries on the CWE List.
Changes for the new version include the following:
New Views Added: 2
Views Deprecated: 0
New Entries Added: 63
Entries Deprecated: 13
Entries with Major Changes: 883
Entries with only Minor Changes: 0
Entries Unchanged: 293
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.4.1_v4.0.html.
Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to cwe@mitre.org.
Release of CWE 4.0 Includes Changes to CWE Schema
February 24, 2020
The release of CWE Version 4.0 includes minor changes to the CWE Schema, which was updated from v6.1 to v6.2.
The main changes for the CWE Schema Version 6.2 include:
See a detailed list of schema changes at https://cwe.mitre.org/data/reports/diff_reports/xsd_v6.1_v6.2.html.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.
CWE for Hardware Continues to Gain Momentum
January 23, 2020
CWE is mentioned throughout a January 13, 2020 article entitled “A case for establishing a common weakness enumeration for hardware security” on Help Net Security.
In the article, the authors state: “As attacks [on modern computer systems] become more pervasive and sophisticated, they are often progressing past the software layer and compromising hardware. [Today], implementing hardware-based security is widely recognized as a best practice. However, hardware-based security has its own set of challenges when not designed, implemented or verified properly … it’s evident that the industry needs a better and more in-depth understanding of the common hardware security vulnerabilities taxonomy, including information on how these vulnerabilities get introduced into products, how they can be exploited, their associated risks, as well as best practices to prevent and identify them early on in the product development lifecycle.”
CWE is first mentioned when the authors advocate adding hardware weaknesses to the CWE List: “With the growing awareness of hardware vulnerabilities, the CWE could be enhanced to include relevant entry points, common consequences, examples, countermeasures and detection methods from the specific hardware perspective. Furthermore, there are hardware-centric weaknesses that are related to the physical properties of hardware devices (e.g., temperature, voltage glitches, current, wear out, interference, and more) [that should also be included in CWE].”
CWE supports this request, as we have been collaborating with the CWE community for some time to add hardware weaknesses to CWE (see “CWE List Expanding to Include Hardware Weaknesses”). In late February 2020, CWE Version 4.0 will be released to add hardware weaknesses to the CWE List, among other updates.
CWE Included in Hardware Assurance and Weakness Collaboration and Sharing Discussion
January 23, 2020
CWE and CAPEC are included in the Trusted and Assured MicroElectronics’ (TAME) “TAME Working Groups Report December 2019.” TAME provides “a bi-annual platform to researchers in academia, and practitioners in industry and government to discuss innovative solutions in the domain of trusted microelectronics in today’s globalized and complex supply chain, discuss grand challenges and identify collaboration opportunities.”
CWE and CAPEC, as well as CVE, are included in “Chapter 1: Hardware Assurance and Weakness Collaboration and Sharing (HAWCS).” The report defines these efforts and explains the problem each solves, as well as how they are interrelated: “Specific vulnerabilities [on the Common Vulnerabilities and Exposures (CVE®) List] are concrete examples of items (hopefully) described in the catalog of Common Weakness Enumeration (CWE) items and attackable by the attack patterns captured in the Common Attack Pattern Enumeration and Classification (CAPEC) collection. By linking a public vulnerability in a specific product to the weakness and attack pattern collections, organizations can leverage those collections and the information in them in their assessment and investigation into newly discovered examples of vulnerabilities and also offer opportunities to examine their own code collections for the same type of vulnerability.”
The main focus of the chapter is how the lessons learned from CWE, CAPEC, CVE, and related efforts (e.g., NVD, CVSS, CWSS, etc.) can be applied to developing similar capabilities for hardware vulnerabilities and weaknesses. Towards that end, the CWE Program is helping to achieve these objectives for a hardware weakness taxonomy by adding hardware weaknesses to the CWE List with the release of CWE 4.0 in late February 2020.
Updates for CWE Version 4.0 Now Underway
January 10, 2020
The CWE Team is currently working towards the generation and publication of CWE Version 4.0, which will be released towards the end of February.
CWE Version 4.0 will include several major changes from previous versions, including restructuring content to combine the Architecture and Development views, and the addition of a new View focused on Hardware Design (read initial announcement).
Hardware Design Weaknesses to Be Included in CWE 4.0
For the past several months, the CWE Team has been working alongside community stakeholders to enumerate Hardware Design Weaknesses and incorporate them into the CWE List for CWE Version 4.0. This new view will help hardware designers better understand potential mistakes that can be made in specific areas of their IP design, and will help educators teach future professionals about the types of mistakes that are commonly made in hardware design.
As a preview, the new Hardware Design view high-level categories are expected to include:
Feedback and Content Submissions Welcome
As always, we encourage any feedback, especially if you have ideas for specific hardware weaknesses to include in these new categories. To share your suggestions, please use our new CWE Content Submission Form.
Thank you for your continued support of the CWE Project and we look forward to hearing from you.
“CWE Content Submission Form” Now Available
January 10, 2020
A CWE Content Submission Form for submitting proposed new weaknesses, modifications to existing weaknesses, etc. to the CWE Team for possible inclusion in future releases of the CWE List is now available on the CWE website. Guidelines for using the new submission form are also available.
The CWE Team recommends using the form in order to ensure all relevant information is included so that we may review and respond to your submission in a timely manner. Please send any comments or concerns to cwe@mitre.org.
CWE List Expanding to Include Hardware Weaknesses
October 10, 2019
In an effort to expand the scope of the CWE List from solely software weaknesses, we are excited to announce that the team has begun to explore integrating hardware weaknesses into the CWE corpus. This is something that we’ve been considering for a number of years, and with our goal to further grow CWE as a valuable resource for the security community, the time seems right to revisit and make it happen.
Hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) are becoming increasingly important concerns for enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so that hardware designers can begin to understand and take action against these types of flaws.
We hope to work with the community actively on this and are looking for opportunities to engage experts in this field to help us understand the types of hardware weaknesses that are common today.
Please let us know if you would like to get involved by contacting us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to cwe@mitre.org. We look forward to hearing from you!
2019 “CWE Top 25” Receives Extensive News Media Coverage
October 4, 2019
The recently released “2019 CWE Top 25 Most Dangerous Software Errors” list received extensive global media coverage, and feedback from the community. We thank the community for all your feedback regarding the new CWE Top 25.
News media articles that include interviews and quotes from the CWE Team:
MITRE Releases 2019 List of Top 25 Software Weaknesses, Dark Reading:
“[For the 2019 CWE Top 25 we] wanted to go with a methodology that was more objective and based on what we’re seeing in the real world,” says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year’s Top 25 is the first release of the list since 2011, Buttner points out, but MITRE’s goal going forward is to release a new list for each year.
“A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed,” Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.
MITRE Names 2019’s Most Dangerous Software Errors, Infosecurity Magazine:
“Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out.”
“Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them.”
Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now, The Register:
Drew Buttner, who heads a software assurance group at MITRE focused on secure code review, said this is the first time the list has been updated since 2011 … About a third of the list is new, Buttner said, and the remaining two-thirds can be found on the 2011 list … But the 2011 list isn’t really directly comparable to the 2019 list because the methodologies used to compile them have changed. Previous lists, said Buttner, were based on subjective discussions with industry experts that were used to compile lists of CWEs. Now, MITRE’s CWE group relies on data queried from the National Vulnerability Database and Common Vulnerability Scoring System (CVSS) scores.
MITRE’s newfound data-driven approach hasn’t diminished the organization’s interest in engagement with tech types. “The more we can talk to the community, the more we can learn from each other and the more we can make the list more robust,” said Buttner.
A partial list of other articles from around the world about the 2019 CWE Top 25:
These software vulnerabilities top MITRE’s most dangerous list, ZD Net
CWE Top 25 (2019) – List of Top 25 Most Dangerous Software Weakness that Developers Need to Focus, GBHackers
MITRE Releases 2019 List of Top 25 Software Weaknesses, Hacker News
Memory Errors Top MITRE’s ‘Most Dangerous’ List, Security Boulevard
These software vulnerabilities top MITRE’s most dangerous list, The Breaking News
List of Top 25 Most Dangerous Software Flaws that Developers Need to Focus – 2019 CWE Top 25, IT Security News
Revealed: The 25 most dangerous software bug types – mem corruption, so hot right now, World News Network
MITRE’s 2019 CWE Top 25 most dangerous software errors list released, Security Boulevard
New list of common vulnerabilities (MITRE CWE Top 25) (“Nueva lista de vulnerabilidad comunes (MITRE CWE Top 25)”), Segu Info
No surprises in the top 25 most dangerous software errors, Naked Security
MITRE’s Top 25 Most Dangerous Software Errors, Information Security Buzz
MITRE’s 2019 CWE Top 25 most dangerous software errors list released, Packt Hub
2019 CWE Top 25 Most Dangerous Software Errors, Mag-Securs
MITRE publishes Top 25 of most dangerous software errors (“MITRE publiceert Top 25 van gevaarlijkste softwarefouten”), Security.nl
These are the 25 most important software weaknesses (“Estas son las 25 debilidades de software más importantes”), Redes Zone
Top 25 most dangerous vulnerabilities of 2019 (“Топ 25 самых опасных уязвимостей 2019 года”), Securitylab.ru
Bad, worse, bugs: these are the most dangerous (“Bös, böser, Bugs: Das sind die gefährlichsten”), Inside IT
Please send any feedback about the new CWE Top 25 to us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to cwe@mitre.org.
CWE Version 3.4.1 Update Release Now Available
September 23, 2019
CWE Version 3.4.1 has been posted on the CWE List page to address an oversight in the initial release that was identified by the community. We thank the community for all of your feedback regarding the new CWE Top 25.
This minor update release adds a parent Class to the CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, so that CWE-667 Improper Locking is now a child of CWE-662 Improper Synchronization. A detailed report is available that lists specific changes between Version 3.4 and Version 3.4.1.
Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to cwe@mitre.org.
CWE Version 3.4 Now Available
September 19, 2019
CWE Version 3.4 has been posted on the CWE List page to add support for the recently released "2019 CWE Top 25 Most Dangerous Software Errors" list.
A detailed report is available that lists specific changes between Version 3.3 and Version 3.4.
Main Changes:
CWE 3.4 includes 1 new view, CWE-1200: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors, to support the release of the 2019 CWE Top 25. In all, there were 50 major changes to relationships. There were no schema changes.
Summary:
There are 808 weaknesses and a total of 1189 entries on the CWE List.
Changes for the new version include the following:
New Views Added: 1
New Entries Added: 1
Entries Deprecated: 0
Entries with Major Changes: 50
Entries with only Minor Changes: 0
Entries Unchanged: 1138
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.3_v3.4.html.
Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to cwe@mitre.org.
2019 "CWE Top 25" Now Available!
September 17, 2019
The official version of the "2019 CWE Top 25 Most Dangerous Software Errors," a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website.
The weaknesses listed in the CWE Top 25 are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.
Leveraging Real-World Data
To create the 2019 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list on a regular basis with minimal effort.
The 2019 CWE Top 25 leverages NVD data from the years 2017 and 2018, which consisted of approximately twenty-five thousand CVEs. The CWE Team developed a scoring formula to calculate a rank order of weaknesses. The scoring formula combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.
For detailed information about this new approach, including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.
Future Releases and Feedback Welcome
Moving forward, our goal is to update the CWE Top 25 annually using the new methodology described on the CWE Top 25 page.
Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to cwe@mitre.org. We look forward to hearing from you!
"2019 CWE Top 25" Draft Now Available
September 12, 2019
A draft version of the "2019 CWE Top 25 Most Dangerous Software Errors" is now available in our announcement message. These rankings may change before the final release, as we re-evaluate certain Common Vulnerabilities and Exposures (CVE®) <-> CWE mappings.
New Methodology
For an overview of the new methodology used to calculate this new release of the CWE Top 25, see "2019 Update of the "CWE Top 25" Now Underway." In short, we are pulling CWE-related data directly from the U.S. National Vulnerability Database (NVD) and using both frequency and an average Common Vulnerability Scoring System (CVSS) score to determine a rank order. The main advantage of this approach is that the CWE Top 25 will be an objective look at what we are actually seeing in the real world.
Refined Mappings for the 2019 Release
For the 2019 CWE Top 25, vulnerabilities for the calendar years 2017 and 2018 are used. The CWE Team has worked very hard over the last few months to correct several thousand mis-mapped CVE Entries, and we have worked with the National Institute of Standards and Technology (NIST) to help improve the mapping of newly reported vulnerabilities with the updated CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view.
We will continue our efforts to evaluate these mappings over the coming year to improve things further in advance of a 2020 CWE Top 25. For this upcoming 2019 release, we will provide some explanations for a few inconsistencies, such as why CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer is in the list along with some of its children. In short, this is a cue that we need to improve the mappings that are currently being done, when enough detail is available. The same is true for CWE-20: Improper Input Validation and CWE-200: Information Exposure, both of which are very broad; more specific CWEs are desired.
Feedback Encouraged!
We look forward to addressing any questions, as well as hearing any thoughts and comments you might have. Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to cwe@mitre.org.
2019 Update of the "CWE Top 25" Now Underway
August 7, 2019
The CWE Team is currently working towards the generation and publication of a new 2019 release of the "CWE Top 25 Most Dangerous Software Errors."
After this initial announcement, our next step will be to release a draft in the coming weeks for community review and comment. Once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community.
A New Approach for the Top 25
In previous releases, the Top 25 list was constructed through aggregating survey responses from a wide selection of organizations, and by engaging developers, security analysts, researchers, and vendors. Respondents were asked to nominate weaknesses that they considered to be the most prevalent or important, and then a customized part of the Common Weakness Scoring System (CWSS™) was used to determine a ranking. There were a number of positives in this approach, but it was also labor-intensive and subjective.
For the upcoming Top 25, we are using a more rigorous and statistical process leveraging information about actual reported vulnerabilities to determine the prevalence and dangerousness of the given weakness. The CWE Team will use weakness data pulled directly from the U.S. National Vulnerability Database (NVD) to calculate metrics for CWEs. While this method introduces a bias through analyzing only reported vulnerabilities and could potentially exclude some software and a breadth of other data, the CWE Team believes it will result in a more repeatable and accurate Top 25 list.
Scoring for the New Top 25
There are two components in our scoring process that will be combined to determine the total score for a CWE. The first component is the frequency that a CWE is the root cause of a vulnerability. The second component is a weakness' average Common Vulnerability Scoring System (CVSS) score, which is meant to determine the overall severity of a weakness. We determine the average CVSS score for a CWE by calculating the sum of all of the CVSS scores for Common Vulnerabilities and Exposures (CVE®) Entries that map to a given CWE, and then dividing this sum by the total number of CVE Entries with that CWE. These two components are normalized before being multiplied together.
This process is represented below:
W = All CWEs
CVE_w = All CVEs with a weakness w
Freq = {count(CVE_w') for each w' in W}
Freq_w = Number of CVE Entries with a weakness w
CVSS = All CVSS Scores
CVSS_w = All CVSS Scores for w
F_w = (Freq_w - min(Freq)) / (max(Freq) - min(Freq))
C_w = (average(CVSS_w) - min(CVSS)) / (max(CVSS) - min(CVSS))
Final score = F_w * C_w
The CWE Team is still reviewing this formula, and it may change before the new Top 25 List is published.
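The scoring process above (and the "Leveraging Real-World Data" summary in the September 17 announcement) as a runnable calculation. This is an added example, not the CWE Team's script: every CVE id, CWE id and CVSS score in it is constructed, and the handling of the degenerate max = min case is this example's own choice, since the formula leaves it undefined.

```python
"""Worked example of the CWE Top 25 scoring formula (F_w * C_w).
Added for illustration; not the CWE Team's own code.  All records are
constructed so the example runs offline."""
from __future__ import annotations

from collections import defaultdict
from statistics import mean
from typing import Iterable

# Constructed NVD-style records: (CVE id, mapped CWE id, CVSS base score).
# The CVE ids are obviously fake.  One record maps to NVD's "NVD-CWE-noinfo"
# placeholder to show how records with no real weakness mapping are dropped.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0002", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0003", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0004", "CWE-79", 4.8),
    ("CVE-EXAMPLE-0005", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0006", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0007", "CWE-119", 8.8),
    ("CVE-EXAMPLE-0008", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0009", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0010", "CWE-200", 5.3),
    ("CVE-EXAMPLE-0011", "NVD-CWE-noinfo", 3.1),
]

# Placeholder ids are not weaknesses; as the announcement says of category
# mappings, a CVE mapped to one of these needs re-mapping, so it is excluded.
NON_WEAKNESS_IDS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def normalize(value: float, lo: float, hi: float) -> float:
    """Min-max normalization used for both F_w and C_w.  The page's formula
    divides by (max - min), which is undefined when every value is equal;
    this example returns 1.0 there so the other component alone decides."""
    if hi == lo:
        return 1.0
    return (value - lo) / (hi - lo)


def score_weaknesses(cves: Iterable[tuple[str, str, float]],
                     skip: set[str] = NON_WEAKNESS_IDS) -> dict[str, dict]:
    """Return Freq_w, average(CVSS_w), F_w, C_w and F_w * C_w for each CWE."""
    cvss_w: dict[str, list[float]] = defaultdict(list)  # CVSS_w per weakness
    all_cvss: list[float] = []                          # CVSS = all scores
    for _cve_id, cwe_id, cvss in cves:
        if cwe_id in skip:
            continue
        cvss_w[cwe_id].append(cvss)
        all_cvss.append(cvss)
    if not cvss_w:
        return {}
    freq = {w: len(scores) for w, scores in cvss_w.items()}  # Freq_w
    f_lo, f_hi = min(freq.values()), max(freq.values())
    c_lo, c_hi = min(all_cvss), max(all_cvss)
    result = {}
    for w, scores in cvss_w.items():
        f_w = normalize(freq[w], f_lo, f_hi)
        c_w = normalize(mean(scores), c_lo, c_hi)
        result[w] = {"freq": freq[w], "avg_cvss": mean(scores),
                     "F": f_w, "C": c_w, "score": f_w * c_w}
    return result


def rank(cves: Iterable[tuple[str, str, float]], top_n: int = 25) -> list[str]:
    """CWE ids in Top 25 order: highest F_w * C_w first."""
    scored = score_weaknesses(cves)
    ordered = sorted(scored, key=lambda w: scored[w]["score"], reverse=True)
    return ordered[:top_n]


if __name__ == "__main__":
    details = score_weaknesses(SAMPLE_CVES)
    for pos, w in enumerate(rank(SAMPLE_CVES), start=1):
        d = details[w]
        print(f"{pos:2d}. {w:8s} Freq={d['freq']} avgCVSS={d['avg_cvss']:.2f} "
              f"F={d['F']:.3f} C={d['C']:.3f} score={d['score']:.3f}")
```

With this input the most frequent weakness (CWE-79) ranks below CWE-119 and CWE-89, which shows how the severity component pulls lower-CVSS weaknesses down the list even when they are the most common.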
Mapping to CVE Entries
One of the challenges that we are faced with is addressing the many CVE Entries currently mapped to CWE Categories. Categories are not technically weaknesses and therefore any existing mapping to them is considered incorrect. As such, we have coordinated with NVD and are in the process of finalizing a "mapping analysis" on these CVE Entries to map them to more accurate CWEs at lower levels of abstraction.
Relatedly, on June 20, 2019 we published our most recent minor version release, CWE Version 3.3, in which we include a new CWE View: "CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities." Going forward, newly reported vulnerabilities will be mapped to the entries in View 1003 where possible. If over time vulnerability data indicates that certain weaknesses not currently part of View 1003 are occurring more frequently in the wild, View 1003 will evolve as needed to accommodate these new trends.
CWE Top 25 Draft Coming Soon
This is a large undertaking, but we hope that it will result in a repeatable and more accurate Top 25 list, as well as drive discussions about better ways to approach CVE<->CWE mapping in the future.
As stated above, our next step will be to release a draft in the coming weeks for community review and comment, and once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community.
Please send any initial feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to cwe@mitre.org.
CWE Launches "@cwecapec" Twitter Feed
August 7, 2019
Please follow our new Twitter account at https://twitter.com/cwecapec to get the latest CWE news and announcements.
CWE Version 3.3 Now Available
June 20, 2019
CWE Version 3.3 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.2 and Version 3.3.
Main Changes:
CWE 3.3 has 1 new view, 1 updated view with 2 new entries, and 2 deprecated entries. In all, 238 entries had major changes to relationship, references, names, fields, and descriptions.
The main changes include: (1) adding 1 new view, CWE-1178: Weaknesses Addressed by the SEI CERT Perl Coding Standard, which identifies weaknesses in Perl that may be fully or partially prevented by following the SEI CERT Perl Coding Standard; (2) adding 8 new categories related to CWE-1178; (3) updating the CWE-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, which may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the U.S. National Vulnerability Database (NVD); and (4) adding 2 new weaknesses related to CWE-1003: CWE-1187: Use of Uninitialized Resource, which occurs when a resource has not been properly initialized and the software may behave unexpectedly, and CWE-1188: Insecure Default Initialization of Resource, which occurs when the software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
There were no schema changes.
Summary:
There are now 808 weaknesses and a total of 1188 entries on the CWE List.
Changes for the new version include the following counts (the table's row labels did not survive in this copy): 11, 2, 238, 0, 937.
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.2_v3.3.html.
Future updates will be noted here and on the CWE Research email discussion list. Please send any comments or concerns to cwe@mitre.org.
CWE Is Main Topic of Article on Military Embedded Systems
June 20, 2019
CWE is the main topic of a March 2019 article entitled "Common Weakness Enumeration (CWE) defines cybersecurity vulnerability landscape for mission-critical applications" on Military Embedded Systems. In the article, the author describes the purpose and possible uses of CWE and CWE-Compatible products, its connection to Common Vulnerabilities and Exposures (CVE®), and discusses examples from the CWE List.
The author states: "The Common Weakness Enumeration (CWE, at http://cwe.mitre.org) has emerged as a de facto reference resource to every security-conscious developer of mission-critical embedded systems." "[CWE] has made an important contribution to the overall process of developing more secure and robust software-intensive systems. It provides a common vocabulary that helps internal communications within software development organizations, as well as allowing users to understand and compare the capabilities of tools designed for scanning and analyzing the source code for mission-critical software. Designers will find that including CWE-compatible features into static-analysis and formal method toolsets enables users to readily understand the kinds of security and robustness issues that can be eliminated."
CWE Version 3.2 Now Available
January 03, 2019
CWE Version 3.2 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.1 and Version 3.2.
Main Changes
CWE 3.2 has 137 new entries and 1 deprecated entry. In all, 534 entries had important changes, primarily due to relationship changes, references, names, and descriptions.
The main changes include: (1) adding 89 new entries related to quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate (see the CWE-1040: Quality Weaknesses with Indirect Security Impacts view); (2) adding 1 new weakness, CWE-1173: Improper Use of Validation Framework, detailing the improper use of an available input validation framework; (3) adding 1 new view, CWE-1128: CISQ Quality Measures (2016), to map to the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristic Measures released in 2016; and (4) updating the views and categories associated with the Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) Coding Standards.
The CWE Schema was updated to v6.1.
Summary:
There are now 806 weaknesses and a total of 1177 entries on the CWE List.
Changes for the new version include the following counts (the table's row labels did not survive in this copy): 137, 1, 230, 304, 2, 733.
See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.1_v3.2.html.
Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to cwe@mitre.org.