Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2019 Archive

Right-click and copy a URL to share an article. Send feedback about this page to [email protected].

CWE List Expanding to Include Hardware Weaknesses

October 10, 2019 | Share this article

In an effort to expand the scope of the CWE List from solely software weaknesses, we are excited to announce that the team has begun to explore integrating hardware weaknesses into the CWE corpus. This is something that we’ve been considering for a number of years, and with our goal to further grow CWE as a valuable resource for the security community, the time seems right to revisit and make it happen.

Hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) are becoming increasingly important concerns for both enterprise IT, OT, and IoT in general, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so that hardware designers can begin to understand and take action against these types of flaws.

We hope to work with the community actively on this and are looking for opportunities to engage experts in this field to help us understand the types of hardware weaknesses that are common today.

Please let us know if you would like to get involved by contacting us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to [email protected]. We look forward to hearing from you!

2019 “CWE Top 25” Receives Extensive News Media Coverage

October 4, 2019 | Share this article

The recently released “2019 CWE Top 25 Most Dangerous Software Errors” list received extensive global media coverage, and feedback from the community. We thank the community for all your feedback regarding the new CWE Top 25.

News media articles that include interviews and quotes from the CWE Team:

“[For the 2019 CWE Top 25 we] wanted to go with a methodology that was more objective and based on what we’re seeing in the real world,” says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year’s Top 25 is the first release of the list since 2011, Buttner points out, but MITRE’s goal going forward is to release a new list for each year.

“A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed,” Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.

“Significant work remains in the community to educate developers, improve analysis tools, and for consumers of software products to understand that weaknesses exist, and that they have the ultimate leverage with respect to evaluating products and selecting those products that deliberately work weaknesses out.”

“Effective security can exist only if a broad number of stakeholders demand that it does. The 2019 CWE Top 25 List is a tool that different stakeholders can use to understand what the most prevalent weaknesses are and how to orient themselves toward defending against them.”

Drew Buttner, who heads a software assurance group at MITRE focused on secure code review, said this is the first time the list has been updated since 2011 … About a third of the list is new, Buttner said, and the remaining two-thirds can be found on the 2011 list … But the 2011 list isn’t really directly comparable to the 2019 list because the methodologies used to compile them have changed. Previous lists, said Buttner, were based on subjective discussions with industry experts that were used to compile lists of CWEs. Now, MITRE’s CWE group relies on data queried from the National Vulnerability Database and Common Vulnerability Scoring System (CVSS) scores.

MITRE’s newfound data-driven approach hasn’t diminished the organization’s interest in engagement with tech types. “The more we can talk to the community, the more we can learn from each other and the more we can make the list more robust,” said Buttner.

A partial list of other articles from around the world about the 2019 CWE Top 25:

Please send any feedback about the new CWE Top 25 to us on the CWE Research email list, CWE page on LinkedIn, cwecapec on Twitter, or directly to [email protected].

CWE Version 3.4.1 Update Release Now Available

September 23, 2019 | Share this article

CWE Version 3.4.1 has been posted on the CWE List page to address an oversight in the initial release that was identified by the community. We thank the community for all of your feedback regarding the new CWE Top 25.

This minor update release adds a parent Class to the CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, so that CWE-667 Improper Locking is now a child of CWE-662 Improper Synchronization. A detailed report is available that lists specific changes between Version 3.4 and Version 3.4.1.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to [email protected].

CWE Version 3.4 Now Available

September 19, 2019 | Share this article

CWE Version 3.4 has been posted on the CWE List page to add support for the recently released "2019 CWE Top 25 Most Dangerous Software Errors" list.

A detailed report is available that lists specific changes between Version 3.3 and Version 3.4.

Main Changes:

CWE 3.4 includes 1 new view, CWE 1200: Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors, to support the release of the 2019 CWE Top 25. In all, there were 50 major changes to relationships. There were no schema changes.

Summary:

There are 808 weaknesses and a total of 1189 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.3_v3.4.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, and on @cwecapec on Twitter. Please send any comments or concerns to [email protected].

2019 "CWE Top 25" Now Available!

September 17, 2019 | Share this article

The official version of the "2019 CWE Top 25 Most Dangerous Software Errors," a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, is now available on the CWE website.

The weaknesses listed in the CWE Top 25 are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.

Leveraging Real-World Data

To create the 2019 list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list on a regular basis with minimal effort.

The 2019 CWE Top 25 leverages NVD data from the years 2017 and 2018, which consisted of approximately twenty-five thousand CVEs. The CWE Team developed a scoring formula to calculate a rank order of weaknesses. The scoring formula combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation. In both cases, the frequency and severity are normalized relative to the minimum and maximum values seen.

For detailed information about this new approach, including methodology, rankings, scoring, and refined mappings, visit the CWE Top 25 page.

Future Releases and Feedback Welcome

Moving forward, our goal is to update the CWE Top 25 annually using the new methodology described on the CWE Top 25 page.

Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to [email protected]. We look forward to hearing from you!

"2019 CWE Top 25" Draft Now Available

September 12, 2019 | Share this article

A draft version of the "2019 CWE Top 25 Most Dangerous Software Errors" is now available in our announcement message. These rankings may change before the final release, as we re-evaluate certain Common Vulnerabilities and Exposures (CVE®) <-> CWE mappings.

New Methodology

For an overview of the new methodology used to calculate this new release of the CWE Top 25, see "2019 Update of the "CWE Top 25" Now Underway." In short, we are pulling CWE-related data directly from the U.S. National Vulnerability Database (NVD) and using both frequency and an average Common Vulnerability Scoring System (CVSS) score to determine a rank order. The main advantage of this approach is that the CWE Top 25 will be an objective look at what we are actually seeing in the real-world.

Refined Mappings for the 2019 Release

For the 2019 CWE Top 25, vulnerabilities for the calendar years 2017 and 2018 are used. The CWE Team has worked very hard over the last few months to correct several thousand mis-mapped CVE Entries, and we have worked with the National Institute of Standards and Technology (NIST) to help improve the mapping of newly reported vulnerabilities with the updated CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view.

We will continue our efforts to evaluate these mappings over the coming year to improve things further in advance of a 2020 CWE Top 25. For this upcoming 2019 release, we will provide some explanations for a few inconsistencies such as why CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer is in the list, along with some of its children. In short, this is a cue that we need to improve the mappings that are currently being done, when enough detail is available. The same is true for CWE-20: Improper Input Validation and CWE-200: Information Exposure, both of which are very broad and more specific CWEs are desired.

Feedback Encouraged!

We look forward to addressing any questions, as well as hearing any thoughts and comments you might have. Please send any feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to [email protected].

2019 Update of the "CWE Top 25" Now Underway

August 7, 2019 | Share this article

The CWE Team is currently working towards the generation and publication of a new 2019 release of the "CWE Top 25 Most Dangerous Software Errors."

After this initial announcement, our next step will be to release a draft in the coming weeks for community review and comment. Once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community.

A New Approach for the Top 25

In previous releases, the Top 25 list was constructed through aggregating survey responses from a wide selection of organizations, and by engaging developers, security analysts, researchers, and vendors. Respondents were asked to nominate weaknesses that they considered to be the most prevalent or important, and then a customized part of the Common Weakness Scoring System (CWSS™) was used to determine a ranking. There were a number of positives in this approach, but it was also labor-intensive and subjective.

For the upcoming Top 25, we are using a more rigorous and statistical process leveraging information about actual reported vulnerabilities to determine the prevalence and dangerousness of the given weakness. The CWE Team will use weakness data pulled directly from the U.S. National Vulnerability Database (NVD) to calculate metrics for CWEs. While this method introduces a bias through analyzing only reported vulnerabilities and could potentially exclude some software and a breadth of other data, the CWE Team believes it will result in a more repeatable and accurate Top 25 list.

Scoring for the New Top 25

There are two components in our scoring process that will be combined to determine the total score for a CWE. The first component is the frequency that a CWE is the root cause of a vulnerability. The second component is a weakness' average Common Vulnerability Scoring System (CVSS) score, which is meant to determine the overall severity of a weakness. We determine the average CVSS score for a CWE by calculating the sum of all of the CVSS scores for Common Vulnerabilities and Exposures (CVE®) Entries that map to a given CWE, and then dividing this sum by the total number of CVE Entries with that CWE. These two components are normalized before being multiplied together.

This process is represented below:

W = All CWEs
CVE_w = All CVEs with a weakness w
Freq = {count(CVE_w') for each w' in W}
Freq_w = Number of CVE Entries with a weakness w
CVSS = All CVSS Scores
CVSS_w = All CVSS Scores for w
F_w = (Freq_w - min(Freq)) / (max(Freq) - min(Freq))
C_w = (average(CVSS_w) - min(CVSS)) / (max(CVSS) - min(CVSS))

Final score = F_w * C_w

The CWE Team is still reviewing this formula, and it may change before the new Top 25 List is published.

Mapping to CVE Entries

One of the challenges that we are faced with is addressing the many CVE Entries currently mapped to CWE Categories. Categories are not technically weaknesses and therefore any existing mapping to them is considered incorrect. As such, we have coordinated with NVD and are in the process of finalizing a "mapping analysis" on these CVE Entries to map them to more accurate CWEs at lower levels of abstraction.

Relatedly, on June 20, 2019 we published our most recent minor version release, CWE Version 3.3, in which we include a new CWE View: "CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities." Going forward, newly reported vulnerabilities will be mapped to the entries in View 1003 where possible. If over time vulnerability data indicates that certain weaknesses not currently part of View 1003 are occurring more frequently in the wild, View 1003 will evolve as needed to accommodate these new trends.

CWE Top 25 Draft Coming Soon

This is a large undertaking, but we hope that it will result in a repeatable and more accurate Top 25 list, as well as drive discussions about better ways to approach CVE<->CWE mapping in the future.

As stated above, our next step will be to release a draft in the coming weeks for community review and comment and once those comments are reviewed and incorporated, we will officially publish the new Top 25 for the community.

Please send any initial feedback to us on the CWE Research email discussion list, @cwecapec on Twitter, CWE page on LinkedIn, or directly to [email protected].

CWE Launches "@cwecapec" Twitter Feed

August 7, 2019 | Share this article

Please follow our new Twitter account at https://twitter.com/cwecapec to get the latest CWE news and announcements.

CWE Version 3.3 Now Available

June 20, 2019 | Share this article

CWE Version 3.3 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.2 and Version 3.3.

Main Changes:

CWE 3.3 has 1 new view, 1 updated view with 2 new entries, and 2 deprecated entries. In all, 238 entries had major changes to relationship, references, names, fields, and descriptions.

The main changes include: (1) adding 1 new view, CWE-1178: Weaknesses Addressed by the SEI CERT Perl Coding Standard, which identifies weaknesses in Perl that may be fully or partially prevented by following the SEI CERT Perl Coding Standard; (2) adding 8 new categories related to CWE-1178; (2) updating the CWE-1003: Weaknesses for Simplified Mapping of Published Vulnerabilities view, which may be used to categorize potential weaknesses within sources that handle public, third-party vulnerability information, such as the U.S. National Vulnerability Database (NVD); and adding 2 new weaknesses related to CWE-1003, CWE-1187: Use of Uninitialized Resource, which occurs when a resource has not been properly initialized and the software may behave unexpectedly, and CWE-1188: Insecure Default Initialization of Resource, which occurs when the software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

There were no schema changes.

Summary:

There are now 808 weaknesses and a total of 1188 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.2_v3.3.html.

Future updates will be noted here and on the CWE Research email discussion list. Please send any comments or concerns to [email protected].

CWE Is Main Topic of Article on Military Embedded Systems

June 20, 2019 | Share this article

CWE is the main topic of a March 2019 article entitled "Common Weakness Enumeration (CWE) defines cybersecurity vulnerability landscape for mission-critical applications" on Military Embedded Systems. In the article, the author describes the purpose and possible uses of CWE and CWE-Compatible products, its connection to Common Vulnerabilities and Exposures (CVE®), and discusses examples from the CWE List.

The author states: "The Common Weakness Enumeration (CWE, at http://cwe.mitre.org) has emerged as a de facto reference resource to every security-conscious developer of mission-critical embedded systems." "[CWE] has made an important contribution to the overall process of developing more secure and robust software-intensive systems. It provides a common vocabulary that helps internal communications within software development organizations, as well as allowing users to understand and compare the capabilities of tools designed for scanning and analyzing the source code for mission-critical software. Designers will find that including CWE-compatible features into static-analysis and formal method toolsets enables users to readily understand the kinds of security and robustness issues that can be eliminated."

CWE Version 3.2 Now Available

January 03, 2019 | Share this article

CWE Version 3.2 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 3.1 and Version 3.2.

Main Changes

CWE 3.2 has 137 new entries and 1 deprecated entry. In all, 534 entries had important changes, primarily due to relationship changes, references, names, and descriptions.

The main changes include: (1) adding 89 new entries related to quality issues that only indirectly make it easier to introduce a vulnerability and/or make the vulnerability more difficult to detect or mitigate (see the CWE-1040: Quality Weaknesses with Indirect Security Impacts view); (2) adding 1 new weakness, CWE-1173: Improper Use of Validation Framework, detailing the improper use of an available input validation framework; (3) adding 1 new view, CWE-1128: CISQ Quality Measures (2016), to map to the Consortium for IT Software Quality (CISQ) Automated Quality Characteristic Measures released in 2016; and (4) updating the views and categories associated with the Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) Coding Standards.

The CWE Schema was updated to v6.1.

Summary:

There are now 806 weaknesses and a total of 1177 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v3.1_v3.2.html.

Future updates will be noted here and on the CWE Researcher email discussion list. Please send any comments or concerns to [email protected].