The Common Weakness Enumeration, or CWE for short, is a system developed to categorize weaknesses and vulnerabilities in hardware and software. The community-maintained list has been operated by the MITRE Corporation since 2006. It serves as a common language and basis for identifying security-critical weaknesses.
Among other things, the list is used in vulnerability analysis and penetration testing. It also helps to contain, delimit, and prevent possible weaknesses in software and hardware. The CWE community includes major companies such as Apple, Oracle, and Microsoft. The project is funded by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
Goals of the CWE
The main goal of CWE is to prevent CVEs (Common Vulnerabilities and Exposures) wherever possible. To that end, a CWE entry not only describes a weakness in detail but also provides examples and possible solutions for fixing it. The list is therefore useful for security researchers and programmers alike and offers practical benefits for each use case.
Because each weakness is described in detail, the descriptions can also be applied to similar problems in other programs.
The CWE list is also used by various vulnerability scanners and when creating new programs. Programmers can consult the CWE list to learn about known weaknesses and errors in other programs and take that information into account when developing a new program.
The CWE ID
A CWE ID is formed similarly to a CVE ID: CWE-XXX.
This ID is unique. Version 4.1 of the CWE list currently contains over 800 weaknesses, which have been divided into over 300 categories.
Similar to the lists published by the Open Web Application Security Project (OWASP), there is also a list of the “Top 25 Most Dangerous Software Errors”, the so-called “CWE Top 25”, in which, for example, “CWE-798 Use of Hard-coded Credentials” was in 19th place in 2019. Other well-known classes include buffer overflow, cross-site scripting, SQL injection, and OS command injection.
Application of CWE at ProSec GmbH
At ProSec GmbH, CWE and CVE are used in the area of pentesting and IT security consulting – mainly in the context of documentation, classification of vulnerabilities, and as a basis for a uniform “wording”.
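The two practical points above, the CWE-XXX identifier format and the use of CWE as a uniform wording for classifying findings in pentest documentation, can be illustrated with a small script. The following is an added example written for this page; it is not code from ProSec GmbH or from MITRE. The findings list is constructed, and the name lookup is a hand-picked subset of real CWE entries (only CWE-798 is named on the page; the others are the standard IDs for the weakness classes the page mentions). It normalizes inconsistent ID spellings from several testers into the canonical CWE-<n> form, flags entries that cannot be classified, and groups findings by weakness so a report uses one consistent label per class.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed lookup table (a subset of real CWE entries; a full tool would
# load the official CWE XML/CSV export from MITRE instead).
CWE_NAMES: Dict[int, str] = {
    78: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
    79: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
    89: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
    120: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
    798: "Use of Hard-coded Credentials",
}

# Accepts "CWE-798", "cwe 798", "CWE798", "798" with surrounding whitespace.
# Anything else (e.g. a CVE ID or free text) is rejected rather than guessed.
_CWE_RE = re.compile(r"^\s*(?:CWE[-\s]?)?(\d{1,4})\s*$", re.IGNORECASE)


def normalize_cwe_id(raw: str) -> Optional[str]:
    """Return the canonical 'CWE-<n>' form, or None if the input is not a CWE ID."""
    m = _CWE_RE.match(raw)
    if not m:
        return None
    # int() drops leading zeros, so "CWE-0078" becomes "CWE-78".
    return f"CWE-{int(m.group(1))}"


def cwe_name(cwe_id: str) -> str:
    """Look up the weakness title for a canonical CWE ID."""
    number = int(cwe_id.split("-", 1)[1])
    return CWE_NAMES.get(number, "unknown (not in local lookup)")


def group_findings(findings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map canonical CWE ID -> finding titles; unparseable IDs go under 'UNCLASSIFIED'."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for title, raw_id in findings:
        key = normalize_cwe_id(raw_id) or "UNCLASSIFIED"
        groups[key].append(title)
    return dict(groups)


# Constructed sample findings, written the way several testers might record them.
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("Admin password in config.php", "CWE-798"),
    ("API key embedded in mobile app", "cwe 798"),
    ("Reflected XSS in search parameter", "79"),
    ("Login form SQLi", "CWE-89"),
    ("Shell metacharacters in ping utility", "CWE-0078"),
    ("Outdated TLS configuration", "n/a"),
]


def report(findings: List[Tuple[str, str]] = SAMPLE_FINDINGS) -> List[str]:
    """Render one line per weakness class plus its findings, sorted by ID string."""
    lines: List[str] = []
    for cwe_id, titles in sorted(group_findings(findings).items()):
        label = cwe_name(cwe_id) if cwe_id != "UNCLASSIFIED" else "needs manual classification"
        lines.append(f"{cwe_id}: {label} ({len(titles)} finding(s))")
        for title in titles:
            lines.append(f"  - {title}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The strict regex is deliberate: a finding tagged with a CVE number or free text is surfaced as UNCLASSIFIED for a human to resolve, instead of silently landing in the wrong CWE bucket and skewing the report.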