HOME

TheInfoList



OR:

The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and hardware and creating automated tools that can be used to identify, fix, and prevent those flaws. The project is sponsored by the
National Cybersecurity FFRDC The National Cybersecurity FFRDC (NCF) is a federally funded research and development center operated by MITRE Corporation. It supports the U.S. National Institute of Standards and Technology (NIST)'s National Cybersecurity Center of Excellen ...
, which is operated by The MITRE Corporation, with support from
US-CERT The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Specifically, US-CERT is a branch of the Office of C ...
and the
National Cyber Security Division The National Cyber Security Division (NCSD) is a division of the Office of Cyber Security & Communications, within the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Formed from the Critical Inf ...
of the U.S. Department of Homeland Security. Version 4.5 of the CWE standard was released in July 2021. CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions,
cross-site scripting Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may ...
, hard-coded passwords, and insecure random numbers.The Bugs Framework (BF) / Common Weakness Enumeration (CWE)
at nist.gov


Examples

* CWE category 121 is for stack-based buffer overflows.


CWE compatibility

Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact. In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below: There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.


Research, critiques, and new developments

Some researchers think that ambiguities in CWE can be avoided or reduced.Paul E. Black, Irena V. Bojanova, Yaacov Yesha, Yan Wu. 2015
Towards a “Periodic Table” of Bugs
/ref>


See also

*
Common Vulnerabilities and Exposures The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintai ...
(CVE) *
Common Vulnerability Scoring System The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritiz ...
(CVSS) *
National Vulnerability Database The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, ...


References


External links


Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort
// 6 March 2007 * {{MITRE security ontologies Software anomalies Computer standards Computer network security Web security exploits Computer security organizations Classification systems