The Common Weakness Enumeration Specification, shortened as CWE, is a formal list of common, real-world software vulnerabilities that offers one common language to all the different entities developing and securing software. CWE's ultimate goal is to help the security testing industry mature its application security programs and the security testing of its projects.
The CWE is written in one common language to describe the causes of security vulnerabilities found in software and applications. It's a community project, contributed to and designed by developers and software engineers from around the world.
CWE focuses on several areas of software development for enterprise-level entities. One area is Software Assurance, where resources are dedicated to ensuring that the supply chain for software is protected from vulnerabilities. This looks at incrementally improving approaches to software assurance that reduce risk and the chance of new code being exposed to known problems.
Each CWE entry drills down into the specifics, including a description summary, the point at which the weakness can be introduced, the coding languages and platforms which could be affected, the most common consequences, real-life examples, relationships to other CWE entries, and more.
Like CVE, the CWE is maintained by the MITRE Corporation and can be used as a benchmark to test security testing tools against each other. In fact, the CWE was created as a kind of supplement to the CVE, filling in the (many) gaps left up in the air by CVE entries.
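To make the two points above concrete (what a CWE entry contains, and how CWE IDs let you compare the output of different scanners), here is an added example in Python. It is not code from the page, from MITRE or from Checkmarx. The element and attribute names follow the publicly distributed CWE XML catalog as I understand it (Weakness, Description, Related_Weaknesses, Applicable_Platforms, Modes_Of_Introduction, Common_Consequences; the XML namespace is omitted for brevity). The catalog excerpt uses real CWE IDs and names but shortened, constructed descriptions, and the two scanner reports are constructed sample data, not real tool output.

```python
"""Parse a CWE-style catalog excerpt and use its ChildOf links to compare scanners.

Two tools often report the same defect at different levels of the CWE tree
(one says CWE-89, another the broader CWE-943).  Rolling every finding up to a
common abstraction level makes their coverage comparable.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt in the shape of the CWE XML catalog (namespace omitted).
# IDs, names and Abstraction values mirror the real entries; descriptions are shortened.
CATALOG_XML = """<Weakness_Catalog>
  <Weaknesses>
    <Weakness ID="74" Name="Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" Abstraction="Class">
      <Description>Constructed summary: untrusted input reaches a downstream component unneutralized.</Description>
      <Applicable_Platforms><Language Class="Not Language-Specific" Prevalence="Undetermined"/></Applicable_Platforms>
      <Modes_Of_Introduction><Introduction><Phase>Implementation</Phase></Introduction></Modes_Of_Introduction>
    </Weakness>
    <Weakness ID="943" Name="Improper Neutralization of Special Elements in Data Query Logic" Abstraction="Class">
      <Description>Constructed summary: query logic is built from unneutralized input.</Description>
      <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="74"/></Related_Weaknesses>
    </Weakness>
    <Weakness ID="89" Name="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" Abstraction="Base">
      <Description>Constructed summary: SQL commands are built from unneutralized input.</Description>
      <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="943"/></Related_Weaknesses>
      <Applicable_Platforms><Language Class="Not Language-Specific" Prevalence="Undetermined"/></Applicable_Platforms>
      <Modes_Of_Introduction><Introduction><Phase>Implementation</Phase></Introduction></Modes_Of_Introduction>
      <Common_Consequences><Consequence><Scope>Confidentiality</Scope><Impact>Read Application Data</Impact></Consequence></Common_Consequences>
    </Weakness>
    <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" Abstraction="Base">
      <Description>Constructed summary: user input is placed in a web page without neutralization.</Description>
      <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="74"/></Related_Weaknesses>
      <Applicable_Platforms><Language Class="Not Language-Specific" Prevalence="Undetermined"/></Applicable_Platforms>
      <Modes_Of_Introduction><Introduction><Phase>Implementation</Phase></Introduction></Modes_Of_Introduction>
      <Common_Consequences><Consequence><Scope>Confidentiality</Scope><Impact>Read Application Data</Impact></Consequence></Common_Consequences>
    </Weakness>
  </Weaknesses>
</Weakness_Catalog>"""

# Constructed scanner output: two hypothetical tools scanning the same code base.
SCAN_REPORTS = {
    "tool_a": [
        {"file": "login.py", "line": 42, "cwe": "89"},
        {"file": "view.py", "line": 10, "cwe": "79"},
        {"file": "view.py", "line": 12, "cwe": "79"},
    ],
    "tool_b": [
        {"file": "login.py", "line": 42, "cwe": "943"},   # same defect, reported one level up
        {"file": "api.py", "line": 7, "cwe": "79"},
    ],
}


def parse_catalog(xml_text):
    """Turn each <Weakness> into a dict of the fields the post lists for a CWE entry."""
    root = ET.fromstring(xml_text)
    entries = {}
    for w in root.iter("Weakness"):
        entries[w.get("ID")] = {
            "name": w.get("Name"),
            "abstraction": w.get("Abstraction"),
            "description": (w.findtext("Description") or "").strip(),
            # Relationships to other entries: only the upward ChildOf links are kept here.
            "parents": [r.get("CWE_ID") for r in w.iter("Related_Weakness") if r.get("Nature") == "ChildOf"],
            # Affected languages: a specific Name or a generic Class.
            "languages": [lang.get("Name") or lang.get("Class") for lang in w.iter("Language")],
            # Point at which the weakness is introduced.
            "phases": [p.text for p in w.iter("Phase")],
            # Most common consequences as (scope, impact) pairs.
            "consequences": [(c.findtext("Scope"), c.findtext("Impact")) for c in w.iter("Consequence")],
        }
    return entries


def ancestors(catalog, cwe_id):
    """Follow ChildOf links upward; returns parents in breadth-first order, nearest first."""
    chain, seen = [], set()
    frontier = list(catalog.get(cwe_id, {}).get("parents", []))
    while frontier:
        parent = frontier.pop(0)
        if parent in seen:
            continue
        seen.add(parent)
        chain.append(parent)
        frontier.extend(catalog.get(parent, {}).get("parents", []))
    return chain


def roll_up(catalog, cwe_id, abstraction="Class"):
    """Map a CWE to itself or its nearest ancestor at the requested abstraction level."""
    if catalog.get(cwe_id, {}).get("abstraction") == abstraction:
        return cwe_id
    for ancestor in ancestors(catalog, cwe_id):
        if catalog.get(ancestor, {}).get("abstraction") == abstraction:
            return ancestor
    return cwe_id  # unknown ID or no ancestor at that level: leave as reported


def compare_tools(catalog, reports, abstraction="Class"):
    """Count each tool's findings per rolled-up CWE so differing granularity does not hide overlap."""
    summary = {}
    for tool, findings in reports.items():
        counts = defaultdict(int)
        for f in findings:
            counts[roll_up(catalog, f["cwe"], abstraction)] += 1
        summary[tool] = dict(counts)
    return summary


def shared_findings(catalog, reports, abstraction="Class"):
    """Locations that every tool flagged with the same rolled-up CWE."""
    per_tool = [{(f["file"], f["line"], roll_up(catalog, f["cwe"], abstraction)) for f in findings}
                for findings in reports.values()]
    return set.intersection(*per_tool) if per_tool else set()


if __name__ == "__main__":
    catalog = parse_catalog(CATALOG_XML)
    print(compare_tools(catalog, SCAN_REPORTS))   # {'tool_a': {'943': 1, '74': 2}, 'tool_b': {'943': 1, '74': 1}}
    print(shared_findings(catalog, SCAN_REPORTS))  # {('login.py', 42, '943')}
```

The roll-up is what makes the benchmark fair: without it, tool_a's CWE-89 and tool_b's CWE-943 at login.py:42 would look like two different results rather than the same defect named at two levels of the CWE hierarchy. The same walk over Related_Weaknesses is how you would check that a tool's coverage claims map onto a CWE view such as a Top 25 list.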
CWE has also published guidelines on secure development practices. Risk management for the supply chain is also tackled, with an in-depth briefing on better adapting the chain to reduce risks to code. Furthermore, there's a focus on code analysis, with a briefing paper from the Software and Supply Chain Assurance branch of the Department of Homeland Security.
Yet another part of the CWE project is guidelines for assessment and remediation tools for use in secure software development, covering platform management, static analysis, real-time threat prevention and more. Users can also access the full National Vulnerability Database, which includes a comprehensive listing of known remedies for CWE vulnerabilities.
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled/unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.