CWE is a community-developed formal list of common software
weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
Based in part on the CVE List's 15,000 plus CVE names—but also including detail and scope from a diverse set of other industry and academic sources and examples including the McGraw/Fortify "Kingdoms" taxonomy; Howard, LeBlanc & Viega's 19 Deadly Sins; and Secure Software's CLASP project; among others—CWE's definitions and descriptions support the finding of common types of software security flaws in code prior to fielding. This means both users and developers now have a mechanism for ensuring that the software products they acquire and develop are free of known types of security flaws by describing their code and assessment capabilities in terms of their coverage of the different CWEs.
The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and list of Sources.