Introduction to Common Weakness Enumeration (CWE)

Common Weakness Enumeration, by Aung Thu Rha Hein (g5536871)

Uploaded by aung-thu-rha-hein, posted on 21-Jun-2015


DESCRIPTION

Introduction to CWE

TRANSCRIPT

Page 1: Introduction to Common Weakness Enumeration (CWE)

Common Weakness Enumeration

Aung Thu Rha Hein (g5536871)

Page 2

Content

■ What is CWE?
■ CWE Process
■ CWE Lists
■ CWE Overviews
■ CWE Requirements
■ Products & Services
■ References

Page 3

What is CWE?

■ CWE is a MITRE project that grew out of CVE
■ a list of software weaknesses for developers and security practitioners
■ a common language for describing software security weaknesses
■ a standard measuring stick for software security tools
■ a common baseline standard for weakness identification, mitigation, and prevention efforts

Page 4

CWE Process

■ CVE provides real-world vulnerabilities
■ CWE provides specific and concise definitions of common software weaknesses
■ ongoing work maps each CVE-ID to the specific CWE(s) that describe its underlying weakness
■ 3 organizational structures for CWE elements:
  o lowest level for tool vendors & researchers
  o mid level for security practitioners
  o highest level for software practitioners & other stakeholders

Page 5

CWE Lists

■ latest version (at the time of this presentation) - 2.6
  o 943 CWEs
    ● 31 views
    ● 187 categories
    ● 717 weaknesses
    ● 8 compound elements
■ it also provides filters for different users
■ the lists are a community initiative

Page 6

CWE Lists/2

■ CWEs are arranged in a hierarchical structure

Page 7

CWE Lists/3

Page 8

CWE Overviews

■ 4 useful overviews (counts given as Total, Views, Categories, Weaknesses, Compound elements)
  o CWE-699: Development concepts (754, 4, 65, 680, 5)
  o CWE-1000: Research concepts (721, 0, 9, 704, 8)
  o CWE-2000: Comprehensive CWE Dictionary
  o PDFs with graphical depictions of CWE
■ Views can be slices (flat subsets of entries) or graphs (hierarchies of entries)
■ Compound elements are entries built from several closely associated weaknesses
■ Chains are compound entries in which one weakness is the cause of another (a cause/effect relationship)
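To make the structure described on pages 4, 6 and 8 concrete (CVE entries mapped to CWE-IDs, weaknesses linked by ChildOf relationships, and a view such as CWE-1000 as a graph over those links), here is an added example; it is not code from the slides or from MITRE. It parses a small constructed catalog fragment shaped like MITRE's current CWE XML export (the cwe-7 namespace and the Weakness/Related_Weakness element names are an assumption, and this is the modern format rather than the 2.6-era schema the slides describe), walks the Primary ChildOf edges inside the research view to find a weakness's ancestors and its pillar, and resolves the CWE references of a constructed NVD-style CVE record, including NVD's placeholder values that are not CWE-IDs.

```python
"""Walk the CWE hierarchy and resolve a CVE record's CWE mappings.

Added example, not code from the slides. CATALOG_XML is a constructed fragment
shaped like MITRE's current CWE XML export (cwe-7 schema, an assumption) and
CVE_RECORD a constructed dict shaped like an NVD API 2.0 "cve" object (also an
assumption); neither is copied from MITRE or NIST.
"""
import xml.etree.ElementTree as ET

NS = {"cwe": "http://cwe.mitre.org/cwe-7"}

# Constructed catalog fragment: pillar -> class -> base -> variant, linked by
# ChildOf relationships inside the research view (CWE-1000).
CATALOG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7" Name="CWE" Version="4.x">
 <Weaknesses>
  <Weakness ID="707" Name="Improper Neutralization" Abstraction="Pillar"/>
  <Weakness ID="74" Name="Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" Abstraction="Class">
   <Related_Weaknesses>
    <Related_Weakness Nature="ChildOf" CWE_ID="707" View_ID="1000" Ordinal="Primary"/>
   </Related_Weaknesses>
  </Weakness>
  <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" Abstraction="Base">
   <Related_Weaknesses>
    <Related_Weakness Nature="ChildOf" CWE_ID="74" View_ID="1000" Ordinal="Primary"/>
   </Related_Weaknesses>
  </Weakness>
  <Weakness ID="80" Name="Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" Abstraction="Variant">
   <Related_Weaknesses>
    <Related_Weakness Nature="ChildOf" CWE_ID="79" View_ID="1000" Ordinal="Primary"/>
   </Related_Weaknesses>
  </Weakness>
 </Weaknesses>
</Weakness_Catalog>
"""

# Constructed CVE record in the shape of an NVD API 2.0 "cve" object; the id is
# a placeholder, not a real CVE. "NVD-CWE-Other" is the value NVD records when
# no specific CWE applies, so a real parser has to expect non-CWE values here.
CVE_RECORD = {
    "id": "CVE-YYYY-NNNN",
    "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]},
        {"source": "nvd@nist.gov", "type": "Secondary",
         "description": [{"lang": "en", "value": "NVD-CWE-Other"}]},
    ],
}


def load_catalog(xml_text):
    """Return {cwe_id: {"name", "abstraction", "parents": {view_id: [ids]}}},
    keeping only ChildOf edges and placing the Primary parent first."""
    root = ET.fromstring(xml_text)
    catalog = {}
    for w in root.iterfind("cwe:Weaknesses/cwe:Weakness", NS):
        parents = {}
        for rel in w.iterfind("cwe:Related_Weaknesses/cwe:Related_Weakness", NS):
            if rel.get("Nature") != "ChildOf":
                continue
            siblings = parents.setdefault(rel.get("View_ID"), [])
            siblings.insert(0 if rel.get("Ordinal") == "Primary" else len(siblings), int(rel.get("CWE_ID")))
        catalog[int(w.get("ID"))] = {"name": w.get("Name"), "abstraction": w.get("Abstraction"), "parents": parents}
    return catalog


def ancestors(catalog, cwe_id, view_id="1000"):
    """Chain [cwe_id, parent, ..., pillar] following Primary ChildOf edges in one
    view; the seen-set stops a malformed catalog from looping forever."""
    chain, seen, current = [], set(), cwe_id
    while current is not None and current not in seen:
        seen.add(current)
        chain.append(current)
        parents = catalog.get(current, {}).get("parents", {}).get(view_id, [])
        current = parents[0] if parents else None
    return chain


def cwe_references(record):
    """All weakness values attached to a CVE record, in order, unparsed."""
    return [d["value"] for w in record.get("weaknesses", [])
            for d in w.get("description", [])]


def classify_cve(catalog, record, view_id="1000"):
    """Map each CWE reference of a CVE to its ancestor chain; values that are not
    CWE-IDs or name a CWE missing from the catalog map to None, not dropped."""
    result = {}
    for value in cwe_references(record):
        number = value[4:] if value.startswith("CWE-") else ""
        if number.isdigit() and int(number) in catalog:
            result[value] = ancestors(catalog, int(number), view_id)
        else:
            result[value] = None
    return result


if __name__ == "__main__":
    print(classify_cve(load_catalog(CATALOG_XML), CVE_RECORD))
```

Run against a real catalog, the same walk lets a scanner or triage script roll any Variant- or Base-level finding up to its Class or Pillar in CWE-1000, which is how the per-view counts on this slide (680 weaknesses under CWE-699, 704 under CWE-1000) come about: the same weakness entries, organized by different views. The None results from classify_cve are worth surfacing rather than discarding, since an NVD entry tagged only NVD-CWE-Other or NVD-CWE-noinfo carries no weakness information at all.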

Page 9

CWE Requirements

■ CWE Searchable: users may search security elements using CWE identifiers
■ CWE Output: security elements presented to users include, or allow users to obtain, the associated CWE identifiers
■ Mapping Accuracy: security elements accurately link to the appropriate CWE identifiers
■ CWE Documentation: the capability's documentation describes CWE, CWE compatibility, and how the CWE-related functionality in the capability is used
■ CWE Coverage: for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
■ CWE Test Results: for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site

* CWE-Compatible status requires the first 4 of these 6 requirements; CWE-Effective status requires all 6

Page 10

Products & Services

■ 10 organizations held CWE-Compatible status at the time of this presentation
  o Fasoo (Sparrow)
  o CXSecurity (WLB)
  o GrammaTech (CodeSonar)
  o High-Tech Bridge (HTB SA, ImmuniWeb)
  o IBM Security Systems (IBM Security AppScan Standard)
  o Klocwork (Klocwork Insight)
  o HP
  o NIST (SARD)
  o Security Database (Security Database Web Services)
  o Veracode (Veracode Analysis)

Page 11

References

■ http://cwe.mitre.org/
■ https://en.wikipedia.org/wiki/Common_Weakness_Enumeration
■ https://nvd.nist.gov/cwe.cfm