introduction to common weakness enumeration (cwe)
DESCRIPTION
Introduction to CWETRANSCRIPT
Common Weakness Enumeration
Aung Thu Rha Hein (g5536871)
Content
■ What is CWE?■ CWE Process■ CWE Lists■ CWE Overviews■ CWE Requirements■ Products & Services■ References
What is CWE?
■ CWE is an extended project of CVE by MITRE■ list of software weakness for developers and
security practitioners■ a common language for describing software
security weaknesses■ a standard measurement for software security
tools■ a common baseline standard for weakness
identification, mitigation, and prevention efforts
CWE Process
■ CVE provides real-world vulnerabilities■ CWE provides specific and concise definition of
common software weakness■ working to map each CWE list with specific CVE-
IDs■ 3 organizational structures for CWE elements:
o lowest level for tool vendors & researcherso mid level for security practitionerso highest level for software practitioners & other
stakeholders
CWE Lists
■ latest version - 2.6 o 943 CWEs
● 31 views● 187 categories● 717 weakness● 8 compound elements
■ it also provides filter for different users ■ the lists are community initiative
CWE Lists/2
■ CWEs are in hierarchical structure
CWE Lists/3
CWE Overviews
■ 4 useful overviews (Total,Views,Categories,Weakness, Compound
elements)o CWE-699: Development concepts (754, 4, 65, 680, 5)
o CWE-1000: Research concepts ( 721, 0, 9, 704, 8)
o CWE-2000: Comprehensive CWE Dictionary o PDFs with Graphical Depictions of CWE
■ Views can be slices or graphs■ Compound Elements are entries that closely associates■ Chains are entries that has cause/effect on another
CWE Requirements
CWE Searchable users may search security elements using CWE identifiers
CWE Outputsecurity elements presented to users includes, or allows users to obtain, associated CWE identifiers
Mapping Accuracy security elements accurately link to the appropriate CWE identifiers
CWE Documentation
capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
CWE Coverage
for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
CWE Test Resultsfor CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
*4 out of6 requirements
Products & Services
■ 10 organizations that hold CWE compatible statuso Fascoo (Sparrow)o CXSecurity (WLB)o GrammarTech (CodeSonar)o High-Tech Bridge (HTB SA,ImmuniWeb)o IBM Security Systems (IBM Security AppScan Standard)o Klockwork (Klokwork Insight)o HPo NIST (SARD)o Security Database (Security Database Web Services)o Veracode (Veracode Analysis)
References
■ http://cwe.mitre.org/■ https://en.wikipedia.org/wiki/Common_Weakness
_Enumeration■ https://nvd.nist.gov/cwe.cfm