CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > News > Podcast  
ID

Podcast

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design. Listen now on the CWE Program Channel on YouTube.


Out of Bounds Read podcast - CWE Top 25 Most Dangerous Software Weaknesses
CWE Top 25 Most Dangerous Software Weaknesses   
YouTube

MITRE’s CWE™ and CVE™ Project Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly about the CWE Top 25 Most Dangerous Software Weaknesses list (CWE Top 25).

Topics include what the CWE Top 25 is and why it matters for software security; how the list is calculated using prevalence and average severity; how the quality of mappings in CVE Records affects the accuracy and usefulness of the list; how CVE Numbering Authorities (CNAs) help build the list; common mapping problems, especially choosing overly broad or discouraged entries instead of more specific ones; changes in methodology for the 2025 list, especially moving away from normalizing everything into a smaller subset and instead reflecting what actually mapped in the full corpus; and practical advice for better root cause mapping, including using mapping notes, avoiding discouraged entries, and focusing on the underlying weakness rather than just the impact.


Out of Bounds Read podcast - Root Cause Mapping and the CWE Top 25
Root Cause Mapping and the CWE Top 25   
YouTube

CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly, about Root Cause Mapping (RCM) and the CWE Top 25.

Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp – Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists.

In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.


Out of Bounds Read podcast - Red Hat - Our CWE Story
Red Hat - Our CWE Story   
YouTube

CWE Program Lead Alec Summers talks with Red Hat’s Przemyslaw Roguski, CWE Technical Lead Steve Christey, and CWE Top 25 Lead Connor Mullaly, about Common Weakness Enumeration (CWE™) and the problem it solves; how Red Hat’s experience and relationship with CWE began and developed over time; how Red Hat uses CWE today, especially “CWE-699: Software Development”; how CWE’s different “views” can be used to educate and enable new and/or existing CWE users; CWE mappings and why mapping to CWEs/root cause weaknesses is important in vulnerability disclosure; the CWE Top 25 list; CWE in the software development lifecycle; how ongoing development of CWE benefits users; and more.

Additional details about Red Hat’s ongoing use of CWE are included in these two articles on the Red Hat blog, “Red Hat’s CWE journey” and “Weakness risk-patterns: A Red Hat way to identify poor software practices in the secure development lifecycle.”



Out of Bounds Read podcast - Using CWE/CAPEC in Education
Using CWE/CAPEC in Education   
YouTube

In this episode, we chat with Pietro Braione of Università degli Studi di Milano - Bicocca about how he uses CWE and CAPEC to help in college-level classes to teach cybersecurity. How the taxonomy can help teach the breath of issues for software development is also discussed.



Out of Bounds Read podcast - Why Cisco uses CWE while looking at fixing vulnerabilities
Why Cisco Uses CWE While Looking at Fixing Vulnerabilities   
YouTube

In this episode, we talk with Cisco’s Tim Wadhwa-Brown, Security Research and Offensive Security for Professional Services in Europe and Jared Pendleton, Advanced Security Initiatives Group about how Cisco uses CWE for finding and fixing vulnerabilities. They find it useful to help categorize the types of vulnerabilities to help determine the root cause of possible future vulnerabilities.



Out of Bounds Read podcast - Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar
Beyond the Buffer Overflow: Finding Weaknesses in Software, an Interview with Larry Cashdollar   
YouTube

In our sixth episode, Larry Cashdollar of Akamai talks about the types of weaknesses in the many CVEs he has found as a CVE Numbering Authority and how the frequency of these weaknesses have changed. CAPEC is also mentioned.



Out of Bounds Read podcast - CWE and Hardware Security
CWE and Hardware Security   
YouTube

In our fifth episode, hardware experts discuss hardware CWEs and the “2021 CWE™ Most Important Hardware Weaknesses List,” including how the list will help the community, their favorite entries and surprising items on the list, and stories around hardware weaknesses.

Interviewees include:

Jason Fung, Director of Offensive Security Research and Academic Research Engagement at Intel
Jason Oberg, Cofounder and Chief Technology Officer at Tortuga Logic
Paul Wortman, Cybersecurity Research Scientist at Wells Fargo
Jasper von Woudenberg, CTO of Riscure North America and co-author of the “Hardware Hacking Handbook”
Nicole Fern, Senior Security Analyst at Riscure

Resources mentioned in this episode:

2021 CWE™ Most Important Hardware Weaknesses List
Common Weakness Enumeration (CWE™)
Common Attack Pattern Enumeration and Classification (CAPEC™)



Out of Bounds Read podcast - The CWE 15th Anniversary Special
The CWE 15th Anniversary Special   
YouTube

This episode is a special cybersecurity awareness month podcast where we discuss the 15-year history and future of the CWE Program.

Interviewees include:

Bob Martin, Senior Principal Software and Supply Chain Assurance Engineer at MITRE
Joe Jarzombek, Director of Government and Critical Infrastructure Programs at Synopsis
Chris Eng, Chief Research Officer at Veracode
Chris Levendis, CWE/CAPEC Program Leader at MITRE
Drew Buttner, Software Assurance Capability Area Lead at MITRE

Resources mentioned in this episode:

Common Weakness Enumeration (CWE™)
Common Attack Pattern Enumeration and Classification (CAPEC™)
IS0/IEC 5055:2021 - Information technology; Software measurement; Software quality measurement; Automated source code quality measures
CWE-1340
Software Bill of Materials (SBOM)



Out of Bounds Read podcast - All About the 2021 Top 25 Most Dangerous Software Weaknesses
All About the 2021 Top 25 Most Dangerous Software Weaknesses   
YouTube

Steve Battista of the CWE/CAPEC Program interviews Rushi Purohit, who has helped lead the efforts behind the last few years’ Top 25 most dangerous software weaknesses publications. We talk about the new 2021 release of this list.

Resources mentioned in this episode:

2021 CWE Top 25
Methodology
Analysis
U.S. National Vulnerability Database (NVD)



Out of Bounds Read podcast - What Is CWE, Why Is It Important, and How Can It Help Me?
What Is CWE, Why Is It Important, and How Can It Help Me?   
YouTube | MP3

Welcome to the inaugural episode of Out-of-Bounds Read, the CWE/CAPEC Program podcast!

In our first-ever episode, Steve Battista of the CWE/CAPEC Program interviews Steve Christey Coley, the CWE/CAPEC Program Technical Lead, about what Common Weakness Enumeration (CWE™) is and the problem it aims to solve, who can benefit from CWE and how to leverage it, the role of the community, how CWE has evolved over time, and possibilities for the future.

Resources mentioned in this episode:

CWE/CAPEC on Twitter
CWE Submissions Form & Guidelines
Common Vulnerability Scoring System (CVSS)
U.S. National Vulnerability Database’s (NVD) CVSS calculator

Back to top

Archived Episodes


Out of Bounds Read podcast - What is CAPEC, Why is It important, and How Can it Help Me?
What is CAPEC, Why is It important, and How Can it Help Me? (ARCHIVED)   
YouTube

NOTE: This episode has been ARCHIVED.
Steve Battista of the CWE/CAPEC Program interviews Rich Piazza, the CAPEC Task Lead, about what Common Attack Pattern Enumeration and Classification (CAPEC™) and the problem it aims to solve, who can benefit from CAPEC and how to leverage it, the role of the community, how CAPEC has evolved over time, and possibilities for the future.

Resources mentioned in this episode:

CWE on Twitter
Common Attack Pattern Enumeration and Classification (CAPEC™)

Back to top
Page Last Updated: May 13, 2026
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2026, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.