CWE
Fluid Attacks is among the cybersecurity companies that recognize the value of, and contribute to, this collaborative community effort: CWE. In their daily work, our ethical hackers, together with their analysis tools, use CWE’s continuously updated public repository of software and hardware weaknesses as a reference to define their coverage and to classify and label their findings. This lets you conveniently link the information we provide you with to many other CWE-compatible sources, for the benefit of your company’s security.
What is CWE?
CWE (Common Weakness Enumeration) is a community-developed, free-to-use list or dictionary of common hardware and software weaknesses. CWE functions as a standard language for security tools and operations that aim to identify, eliminate and prevent weaknesses. The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) sponsors the project; it is managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which in turn is operated by The MITRE Corporation (MITRE). MITRE began its efforts to categorize software weaknesses in 1999, when it created the CVE (Common Vulnerabilities and Exposures) List. In 2005, it evaluated CVE for use in the code assessment industry and produced the Preliminary List of Vulnerability Examples for Researchers (PLOVER) document. In PLOVER, the researchers collected known code flaws, abstracted them and organized them into common classes. They later established definitions and descriptions for these groups of weaknesses, and in 2006 the CWE List and its associated classification taxonomy emerged.
According to its website, CWE’s primary objective is to provide information to development and security teams so that they can eliminate the most common errors in software and hardware prior to deployment. These errors are the weaknesses, which can lead to vulnerabilities. CWE thus serves as a preventive measure against the many security vulnerabilities that have caused problems for numerous organizations worldwide. Each CWE entry includes data such as the following: an identifier and description of the weakness type; an explanation of how the flaw may be introduced, and the applicable platforms; the likelihood of exploit for the weakness, together with information on its consequences and potential mitigations; code samples; related CVE IDs; and references.
CWE has evolved over the years in line with advances in technology and with enterprise concerns and needs. For example, CWE has included content for mobile applications since 2014 and support for hardware weaknesses since 2020. Thanks to the community, the information in CWE is constantly expanding and improving. There are also related resources such as CWSS and CWRAF, which score the severity of weaknesses, and the CWE Top 25, which identifies the most prevalent and critical flaws that can lead to dangerous software vulnerabilities.