New to CWE

Common Weakness Enumeration (CWE™) can be difficult to understand for the average person and can even be overwhelming to a seasoned IT industry veteran. This document offers some tips on how to familiarize yourself with what CWE has to offer before more fully exploring this extensive knowledge base. If you are looking for a high-level overview of the CWE Program, you have come to the right place.

What is CWE?

First, we should describe what CWE is. CWE is a community-developed list of common software and hardware weakness types that could have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. Weakness conditions are in many cases introduced by the developer during development of the product. Even though developers may have vastly different coding practices, they are all capable of introducing the same common types of weaknesses, leading to vulnerabilities in their own products. The CWE List and its associated taxonomies and classification schemes serve as a language that can be used to identify and describe these weaknesses in terms of “CWEs”. The best part is that CWE is free to use by any organization or individual for any research, development, and/or commercial purpose, per the CWE Terms of Use.

What kinds of things does a CWE include?

A CWE is assigned an ID in the form CWE-<ID>, where <ID> is simply a unique number chosen at the time of assignment (e.g., “CWE-798”). The CWE-ID is followed by a descriptive name for the weakness (e.g., “CWE-798: Use of Hard-coded Credentials”). For a weakness to be assigned a CWE-ID and published on the CWE website, it must include a set of required information including:
What is an example of a CWE weakness?

The screenshots below provide a glimpse at the first example presented in this tutorial, “CWE-798: Use of Hard-coded Credentials.” This CWE describes the situation where credentials, such as passwords or cryptographic keys, have been hard-coded into a hardware or software product. For those unfamiliar with the term “hard-coded,” it is just a way of saying that the password or keys have been defined directly within the source code of a product, which makes it impossible for administrators to change them. You can follow along and view this same CWE by visiting https://cwe.mitre.org/, typing “CWE-798” (without the quotes) into the ID Lookup box on the top right side of the page, and clicking the Go button. The above figure shows some of the descriptive text of CWE-798, while the figure below shows Example 1 from the Demonstrative Examples section of the CWE. The following figures show the Observed Examples section, which displays a curated list of real-world CVE Records where hard-coded passwords have been discovered in hardware or software products. The last figure shows potential mitigations for the weakness and the phase of the development process to which each mitigation applies. If you are following along and able to navigate CWE-798 directly, you will notice that this CWE entry includes much more information than what is in these screenshots. A mature CWE can contain a lot of useful information!

How can I use CWE?

Many different organizations and individuals use CWE for a variety of different reasons. For example, software developers and security researchers are using CWE today as a common language for discussing how to eliminate and/or mitigate software security weaknesses in architecture, design, code, and implementation.
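To make the CWE-798 weakness discussed above concrete, here is an added example (not part of this tutorial or of the CWE entry itself) showing a login check with the password fixed in the source beside a hardened variant that reads it from the deployment environment, plus a small scanner that flags credential-looking literals in source text. The environment variable name APP_ADMIN_PASSWORD, the regular expression, and all sample values are assumptions constructed for the example.

```python
import hmac
import os
import re

# Constructed sample value for illustration only; not a real credential.
HARDCODED_PASSWORD = "s3cret-admin-pw"


def login_hardcoded(username: str, password: str) -> bool:
    """CWE-798 pattern: the only valid password lives in the source, so an
    administrator cannot rotate it without shipping a new build."""
    return username == "admin" and password == HARDCODED_PASSWORD


def login_from_config(username: str, password: str, env=None) -> bool:
    """Hardened variant: the expected secret is supplied by the deployment
    (assumed variable name APP_ADMIN_PASSWORD) and compared in constant time.
    A missing secret fails closed instead of falling back to a default."""
    env = os.environ if env is None else env
    expected = env.get("APP_ADMIN_PASSWORD")
    if username != "admin" or not expected:
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


# Assignment of a quoted literal to a credential-looking variable name.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|pwd|secret|api_key|token)\s*=\s*["\'][^"\']{4,}["\']'
)


def find_hardcoded_credentials(source: str):
    """Return (line_number, stripped_line) for lines that look like CWE-798."""
    return [
        (n, line.strip())
        for n, line in enumerate(source.splitlines(), 1)
        if SECRET_ASSIGNMENT.search(line)
    ]


# Constructed source snippet to scan; the values are placeholders.
SAMPLE_SOURCE = """\
db_host = "db.internal"
db_password = "hunter2-prod"
api_key = 'AKIA-EXAMPLE-0000'
token = os.environ["API_TOKEN"]
"""

if __name__ == "__main__":
    for n, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {n}: {line}")
```

The scanner is deliberately simple and will produce false positives; it illustrates the kind of check a build pipeline can run, not a replacement for a real secret-detection tool.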
Other organizations are using CWE today as a means to evaluate software security tools that aim to discover these weaknesses, and as a common baseline standard for their weakness identification, mitigation, and prevention efforts. Through the User Experience Working Group (UEWG), one of several collaborative community efforts, the CWE Program has also defined a number of User Stories based on real usage of the CWE List by various organizations across industry, academia, and government. These User Stories can help to illustrate how the CWE List is used in practice and how it might help you or your organization. The CWE User Stories can be found here. The CWE Team invites you to explore the CWE List and learn about the ways it is used today. We hope that this guide and the rest of the available CWE documentation help you understand what CWE is and how to properly use the CWE List, and, most importantly, provide you and your organization with the best information about security weaknesses. If you have questions or comments, or would like to get involved in one of our community working groups, feel free to reach out to the team at [email protected].