Common Weakness Enumeration

The Common Weakness Enumeration (CWE) is a category system for software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and creating automated tools that can be used to identify, fix, and prevent those flaws.[1] The project is sponsored by the National Cybersecurity FFRDC, which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[2]

Version 3.2 of the CWE standard was released in January 2019.[3]

CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[4]

Examples

CWE category 121 is for stack-based buffer overflows.[5]

CWE compatibility

Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact.

In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below:

CWE Searchable	users may search security elements using CWE identifiers
CWE Output	security elements presented to users includes, or allows users to obtain, associated CWE identifiers
Mapping Accuracy	security elements accurately link to the appropriate CWE identifiers
CWE Documentation	capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
CWE Coverage	for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
CWE Test Results	for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site

There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.[6]

Research, critiques, and new developments

Some researchers think that ambiguities in CWE can be avoided or reduced.[7]

References

"CWE - About CWE". at mitre.org.
National Vulnerabilities Database CWE Slice at nist.gov
"CWE News". at mitre.org.
The Bugs Framework (BF) / Common Weakness Enumeration (CWE) at nist.gov
CWE-121: Stack-based Buffer Overflows
"CWE - CWE-Compatible Products and Services". at mitre.org.
Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu. 2015. Towards a “Periodic Table” of Bugs

External links

Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort // 6 March 2007
"Classes of Vulnerabilities and Attacks" (PDF). Wiley Handbook of Science and Technology for Homeland Security. comparison of different vulnerability Classifications. Archived from the original (PDF) on 2016-03-22.CS1 maint: others (link)

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[1] "CWE - About CWE". at mitre.org.

[2] National Vulnerabilities Database CWE Slice at nist.gov

[3] "CWE News". at mitre.org.

[samate-4] The Bugs Framework (BF) / Common Weakness Enumeration (CWE) at nist.gov

[5] CWE-121: Stack-based Buffer Overflows

[6] "CWE - CWE-Compatible Products and Services". at mitre.org.

[7] Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu. 2015. Towards a “Periodic Table” of Bugs