The Common Weakness Enumeration Specification, shortened as CWE, is an formal list of common, real-world software vulnerabilities to offer one common language to all the different entities developing and securing software. CWE’s ultimate goal is to help the security testing industry mature in their application security programs and the security testing of their projects.
The CWE is written in one common language to incl for the causes of security vulnerabilities found in software and applications. It’s a community project which is contributed to and designed by developers and software engineers alike from around the world.
CWE focuses on several areas of software development for enterprise level entities. One area is where Software Assurance and resources are dedicated to ensuring that the supply chain for software is protected from vulnerabilities. This looks at incrementally improving approaches to software assurance that reduce risk and the chance of new code being exposed to known problems.
Each CWE entry drills down into the specifics, including a description summary, the point at which the weakness can be introduced, the coding languages and platforms which could be effected, the most common consequences, real-life examples, relationships to other CWE entries and more.
Like CVE, the CWE is maintained by the MITRE corporation and can be used as a benchmark to test security testing tools against each other. In fact, the CWE was created as a kind of supplement for the CVE, filling in the (many) gaps left up-in-the-air with CVE entries.
CWE has also published guidelines on secure development practices. Risk management for the supply chain is also tackled with an in depth briefing to better adapt the chain to reduce risks to code. Furthermore, there’s a focus on code analysis with a briefing paper from the Software and Supply Chain Assurance branch of the Department of Homeland Security.
Yet another part of the CWE project is guidelines for assessment and remediation tools for use in secure software development for platform management, static analysis, real-time threat prevention and more. Users can also access the full national vulnerability database, which includes a comprehensive listing of known remedies for CWE vulnerabilities.