Introduction to Common Weakness Enumeration (CWE)


  • 1. Common Weakness Enumeration
    Aung Thu Rha Hein (g5536871)
  • 2. Content
    ■ What is CWE?
    ■ CWE Process
    ■ CWE Lists
    ■ CWE Overviews
    ■ CWE Requirements
    ■ Products & Services
    ■ References
  • 3. What is CWE?
    ■ CWE is an extension of the CVE project by MITRE
    ■ a list of software weaknesses for developers and security practitioners
    ■ a common language for describing software security weaknesses
    ■ a standard measuring stick for software security tools
    ■ a common baseline standard for weakness identification, mitigation, and prevention efforts
  • 4. CWE Process
    ■ CVE provides real-world vulnerabilities
    ■ CWE provides specific and concise definitions of common software weaknesses
    ■ work is ongoing to map each CWE entry to specific CVE-IDs
    ■ 3 organizational levels for CWE elements:
      o lowest level for tool vendors and researchers
      o mid level for security practitioners
      o highest level for software practitioners and other stakeholders
  • 5. CWE Lists
    ■ latest version: 2.6
      o 943 CWEs
        ● 31 views
        ● 187 categories
        ● 717 weaknesses
        ● 8 compound elements
    ■ it also provides filters for different users
    ■ the lists are a community initiative
  • 6. CWE Lists/2
    ■ CWEs are organized in a hierarchical structure
  • 7. CWE Lists/3
  • 8. CWE Overviews
    ■ 4 useful overviews; counts are given as (total, views, categories, weaknesses, compound elements):
      o CWE-699: Development Concepts (754, 4, 65, 680, 5)
      o CWE-1000: Research Concepts (721, 0, 9, 704, 8)
      o CWE-2000: Comprehensive CWE Dictionary
      o PDFs with graphical depictions of CWE
    ■ Views can be slices or graphs
    ■ Compound elements are entries made up of closely associated weaknesses
    ■ Chains are entries in which one weakness is the cause of, or has an effect on, another
  • 9. CWE Requirements (*4 out of 6 requirements)
    ■ CWE Searchable: users may search security elements using CWE identifiers
    ■ CWE Output: security elements presented to users include, or allow users to obtain, associated CWE identifiers
    ■ Mapping Accuracy: security elements accurately link to the appropriate CWE identifiers
    ■ CWE Documentation: the capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
    ■ CWE Coverage: for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software
    ■ CWE Test Results: for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
  • 10. Products & Services
    ■ 10 organizations hold CWE-compatible status:
      o Fasoo (Sparrow)
      o CXSecurity (WLB)
      o GrammaTech (CodeSonar)
      o High-Tech Bridge (HTB SA, ImmuniWeb)
      o IBM Security Systems (IBM Security AppScan Standard)
      o Klocwork (Klocwork Insight)
      o HP
      o NIST (SARD)
      o Security Database (Security Database Web Services)
      o Veracode (Veracode Analysis)
  • 11. References
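The hierarchy and chain concepts of slide 8 and the Mapping Accuracy requirement of slide 9, as an added example that is not part of the slides: a small constructed excerpt modelled on the CWE-1000 research view (names abbreviated, relationships trimmed to one parent each) is used to roll a scanner's CWE-tagged findings up to their top-level entries for stakeholder reporting and to flag IDs that are not in the dictionary.

```python
from collections import Counter

# Constructed excerpt modelled on the CWE-1000 research view (names abbreviated,
# not the official list): CWE-ID -> (name, ChildOf parents); [] marks a pillar.
CWE1000 = {
    "CWE-664": ("Improper Control of a Resource Through its Lifetime", []),
    "CWE-118": ("Incorrect Access of Indexable Resource", ["CWE-664"]),
    "CWE-119": ("Improper Restriction of Operations in a Memory Buffer", ["CWE-118"]),
    "CWE-787": ("Out-of-bounds Write", ["CWE-119"]),
    "CWE-707": ("Improper Neutralization", []),
    "CWE-74": ("Injection", ["CWE-707"]),
    "CWE-943": ("Improper Neutralization in Data Query Logic", ["CWE-74"]),
    "CWE-89": ("SQL Injection", ["CWE-943"]),
    "CWE-79": ("Cross-site Scripting", ["CWE-74"]),
    "CWE-682": ("Incorrect Calculation", []),
    "CWE-190": ("Integer Overflow or Wraparound", ["CWE-682"]),
}
# Compound element of type Chain: the first weakness can lead to the second.
CHAINS = {"CWE-680": ("Integer Overflow to Buffer Overflow", ["CWE-190", "CWE-119"])}


def ancestors(cwe_id, view=CWE1000):
    """ChildOf path from cwe_id up to its pillar, following the first parent
    at each step, e.g. CWE-89 -> CWE-943 -> CWE-74 -> CWE-707."""
    path = [cwe_id]
    while view[path[-1]][1]:
        path.append(view[path[-1]][1][0])
    return path


def rollup(findings, view=CWE1000):
    """Count CWE-tagged findings by pillar for a stakeholder-level report.
    Chains are expanded into their links. IDs missing from the dictionary are
    returned separately: such output cannot meet the Mapping Accuracy requirement."""
    by_pillar, unknown = Counter(), []
    for cwe_id in findings:
        if cwe_id in view:
            by_pillar[ancestors(cwe_id, view)[-1]] += 1
        elif cwe_id in CHAINS:
            for link in CHAINS[cwe_id][1]:
                by_pillar[ancestors(link, view)[-1]] += 1
        else:
            unknown.append(cwe_id)
    return by_pillar, unknown


if __name__ == "__main__":
    # Constructed scanner output; CWE-9999 is a deliberately unknown placeholder
    print(ancestors("CWE-89"))
    print(rollup(["CWE-89", "CWE-79", "CWE-787", "CWE-680", "CWE-9999"]))
```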