Common Weakness Enumeration

The Common Weakness Enumeration (CWE) is a category system for hardware and software weaknesses and vulnerabilities. It is sustained by a community project whose goals are to understand flaws in software and hardware and to create automated tools that can identify, fix, and prevent those flaws.[1] The project is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and is operated by The MITRE Corporation,[2] with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security.[3][4]

Version 4.15 of the CWE standard was released in July 2024.[5]

CWE has over 600 categories, including classes for buffer overflows, path/directory tree traversal errors, race conditions, cross-site scripting, hard-coded passwords, and insecure random numbers.[6]

  1. "CWE - About CWE". cwe.mitre.org.
  2. "CWE - Frequently Asked Questions (FAQ)". cwe.mitre.org. Retrieved 2023-09-21.
  3. "Vulnerabilities | NVD CWE Slice". National Vulnerability Database.
  4. Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology. 68: 18–33. doi:10.1016/j.infsof.2015.08.002.
  5. "CWE Version 4.15 Now Available". The MITRE Corporation. Retrieved 2024-10-17.
  6. Bojanova, Irena (2014). "Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities". samate.nist.gov.