DocumentsA number of documents exist to help clarify the historical significance, current use, and future directions of CWE. An archive of older documents is also included. Using the CWE ListSchema Documentation This document, which is posted on the CWE List page, contains descriptions of the various elements in the official CWE Schema. It provides a basic understanding of the CWE data structure and can be used as a useful guide for developing new CWE entries or adding content to existing entries. Previous versions of the schema documentation are available in the Release Downloads. CWE List Reports Includes "General Reports" such as Stakeholder Field Priorities, Field Completeness Goals, Schema Documentation (current version), Chains and Composites, etc., and "Difference Reports" from the various CWE List versions. CVE → CWE Mapping & Navigation Guidance Provides information for mapping CVEs to CWE-IDs as well as tips for searching and navigating CWE content on the CWE Web site, including the following: "Mapping to CWE IDs - Criteria for the Best Match," "Using the Web Site to Map to a CWE-ID," and "Additional Suggestions for Search and Navigation." The Evolution of the CWE Development and Research Views This paper explains the evolution of the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts). It identifies the methodologies used for constructing the views, including the emphasis on providing clear names and descriptions. A Comparison of the CWE Development and Research Views This paper performs a comparison between the two main views in CWE, CWE-699 (Development Concepts) and CWE-1000 (Research Concepts), and shows how CWE-699 has some similarities with Seven Pernicious Kingdoms (CWE-700), while CWE-1000 is a new approach to weakness classification. Comments and feedback are welcome and should be directed to [email protected]. September 9, 2008 - Steve Christey, CWE Technical Lead CWE Mapping Analysis This paper describes the results of a study that examined how well CWE can be mapped to third party weakness descriptions. The CWE mappings for three separate repositories were analyzed and broken into ten categories of "mapping fit." Several categories have implications for how CWE content should be managed in the future. Tool vendors and researchers in vulnerability classification will find this document useful. Comments and feedback are welcome and should be directed to [email protected]. September 9, 2008 - Mark Loveless, CWE Researcher PDF (53 KB) Structured CWE Descriptions This paper contains structured, semi-formal descriptions of some of the most notorious CWE entries using the vulnerability theory terminology. The structured descriptions provide a consistent way to clearly define the core of each weakness and a means to help clarify classification problems. Comments and feedback are welcome and should be directed to [email protected]. July 10, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Conor Harris, CWE Researcher PDF (163 KB) ArchiveUse & Citations This archived web page page lists community usage of CWE by Industry, Government, Academia, Policy/Guidance, Reference, and Standards. A running count of the number of citations by category is also included. CWE Research This archived page includes links to sections of the website and documents for researching early version of the CWE List. Sources A list of external sources used to help build early versions of the CWE List. Advances in Information Assurance Standards This briefing was presented at CISQ Seminar–Software Quality in Federal Acquisitions in Reston, Virginia, USA. March 26, 2014 - CWE/CAPEC Program Manager Robert A. Martin, Senior Advisor for Cybersecurity at the U.S. General Services Administration Office of Mission Assurance Emile Monette, and Computer Scientist at the http://csrc.nist.gov/ Dr. Paul Black. PDF (6 MB) CWE Introductory Brochure A brief two-page introduction to the CWE effort. February 2013. PDF (522 KB) CWSS/CWRAF Introductory Brochure A brief two-page introduction to the Common Weakness Scoring System (CWSS™) and Common Weakness Risk Analysis Framework (CWRAF™) efforts. February 2013. PDF (131 KB) Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses Development, Volume II – (Version 2.3, November 1, 2012) This pocket guide focuses on key practices for preventing and mitigating the most egregious exploitable software weaknesses. These key practices were documented in the “2011 CWE/SANS Top 25 Most Dangerous Programming Errors”. The Top 25 CWEs are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. Some of the practices specified in the pocket guide are derived from mitigation recommendations that were common across many of the CWEs in the CWE Top 25, and others came from approaches described on the CERT Secure Coding Wiki. The practices are not represented as being complete or comprehensive; yet they do provide a focus for getting started in SwA efforts. 8.5" x 11" version PDF File Introduction to Vulnerability Theory This paper is an overview of the vulnerability theory terminology and concepts used to create the structured descriptions of some of the major CWE entries. The purpose of the vulnerability theory vocabulary and framework is to create a standard way of describing flaw concepts and to quickly educate new researchers. Comments and feedback are welcome and should be directed to [email protected]. October 29, 2009 - Steve Christey, CWE Technical Lead; Conor Harris, CWE Researcher PDF (279 KB) Unforgivable Vulnerabilities This briefing was presented as a "Turbo-Talk" at Black Hat Briefings 2007 in Las Vegas, Nevada, USA. August 2, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead PDF (212 KB) PDF (153 KB) Making Security Measurable Podcast A 10-minute podcast interview with CVE Compatibility Lead and CWE Program Manager Robert A. Martin by BankInfoSecurity.com about Common Vulnerabilities and Exposures (CVE®), Common Weakness Enumeration (CWE™), and Making Security Measurable at Black Hat Briefings 2007 — August 2007 MP3 (9.3 MB) Software Security Assurance: State-of-the-Art Report (SOAR) Published by the U.S. Department of Defense’s (DoD) Information Assurance Technology Analysis Center (IATAC) (now called the Cyber Security and Information Systems Information Analysis Center [CSIAC]), this report represents the collaborative efforts of the Department of Homeland Security (DHS)/DoD Software Assurance (SwA) Forum and Working Groups and provides an overview of the current state of the environment in which software must operate and surveys current and emerging activities and organizations involved in promoting various aspects of software security assurance. The report, which presents observations about noteworthy trends in software security assurance as a discipline, also describes the variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying software that can, with a justifiable degree of confidence, be said to be secure. — July 31, 2007 PDF (6 MB) Vulnerability Type Distributions in CVE (2001-2006) This updated technical white paper discusses the high-level types of vulnerabilities that have been publicly reported over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion. The paper identifies and explains trends such as the rapid rise of Web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories. May 22, 2007 - Steve Christey, CVE List Editor and CWE Technical Lead; Robert A. Martin, CWE Program Manager PDF (2 MB) Being Explicit About Security Weaknesses, Black Hat DC 2007 This slide presentation and white paper were presented at Black Hat DC 2007. The two documents describe the CWE effort, list community members, explain how the drafts of the CWE dictionary are developed, describe the CWE Compatibility and CWE Effectiveness program, and suggest additional impact and transition opportunities tied to CWE. March 1, 2007 - Robert A. Martin, CWE Program Manager; Sean Barnum, Cigital, Inc.; Steve Christey, CWE Technical Lead White Paper: Slide Presentation: Being Explicit About Security Weaknesses This article about CWE was published in Crosstalk, The Journal of Defense Software Engineering. The article describes the CWE effort, lists community members, explains how the drafts of the CWE dictionary are developed, describes the CWE Compatibility and CWE Effectiveness program, and suggests additional impact and transition opportunities tied to CWE. March 2007 - Robert A. Martin, CWE Program Manager PDF (417 KB) A Status Update: The Common Weaknesses Enumeration NIST Static Analysis Summit, Gaithersburg, MD Jun 29, 2006. PDF (139 KB) The Case for Common Flaw Enumeration This technical white paper presented at the NIST Workshop on Software Security Assurance Tools, Techniques, and Methods in Long Beach, California, USA discusses the reasons and rational behind the CWE initiative.November 8, 2005 - Robert A. Martin and Steve Christey (MITRE), and Joe Jarzombek (DHS) PDF (287 KB) CWE CompatabilityRequirements and Recommendations for CWE Compatibility and CWE Effectiveness Provides the detailed requirements against which an information product or service may become CWE-Compatible. Version 1.0, June 12, 2011 - Robert A. Martin, CWE Project Leader and Steve Christey, CWE Technical Lead CWE Coverage Claims Representation Provides a description of the Coverage Claims Representation (CCR) feature of the CWE Compatibility Program, which is a means for software analysis vendors to convey to their customers exactly which CWE-identified weaknesses they claim to be able to locate in software. Also provided are CCR schemas and examples. Version 0.3, June 12, 2011 - Robert A. Martin, CWE Project Leader and Steve Christey, CWE Technical Lead |