“Common Weakness Enumeration” Added to CVE Web Site

On March 15, 2006, according to the official news from mitre.org, a new effort leveraging CVE, entitled the "Common Weakness Enumeration (CWE)", was added to the GET CVE page on the CVE Web site.

CWE is a community-developed formal list of common software weaknesses, idiosyncrasies, faults, and flaws. The intention of CWE is to serve as a common language for describing software security vulnerabilities, a standard measuring stick for software security tools targeting these vulnerabilities, and a baseline standard for vulnerability identification, mitigation, and prevention efforts. Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. The stated objective is to help shape and mature the code security assessment industry and to dramatically accelerate the use and utility of software assurance capabilities for organizations reviewing the software systems they acquire or develop.

Based in part on the CVE List's 15,000-plus CVE names, but also drawing detail and scope from a diverse set of other industry and academic sources and examples, including the McGraw/Fortify "Kingdoms" taxonomy, Howard, LeBlanc & Viega's 19 Deadly Sins, and Secure Software's CLASP project, among others, CWE's definitions and descriptions support finding common types of software security flaws in code before it is fielded. This means both users and developers now have a mechanism for checking whether the software products they acquire and develop are free of known types of security flaws, by describing their code and their assessment capabilities in terms of which CWEs they cover.

The new section includes the CWE List, offered in a detailed Taxonomy view and a high-level Dictionary view; an About section describing the overall CWE effort and process in more detail; a Compatibility page; a Community Participation page; and a list of Sources.


2 Responses to “Common Weakness Enumeration” Added to CVE Web Site

  1. zhaol says:

    Different from CVE, CWE focuses on the why and where those vulnerabilities and weaknesses come from. It helps standardize the taxonomy and terminology in this area. It's funny to find that the author of cwe_classification_tree.pdf was signed as Bill Gates.

  2. hi2005 says:

    It's interesting that this entry is listed as No. 1 when you search "CWE common weakness enumeration" with Google, while cve.mitre.org is second. 🙂