If you want to understand vulnerabilities, build security tools or improve your ability to write secure software, the Common Weakness Enumeration (CWE) should be near the top of your resource list.
What CWE is and How it works
The CWE, which is maintained by the MITRE Corporation and sponsored by the US Department of Homeland Security, is a lot like an English language dictionary. It is a comprehensive, publicly available catalogue of weakness types found in software architecture, source code and operational systems, written for developers, researchers and security experts. Its purpose is to help its users understand security flaws and to give them a common vocabulary for naming and discussing them. Note the distinction: a CWE entry describes a kind of flaw (for example, an SQL injection weakness), not a specific bug in a specific product.
Education is just one use for the CWE. Developers and security experts have also used it to create, update and maintain a number of automated tools for identifying, repairing and preventing security holes: static analysers, scanners and bug trackers commonly report findings by CWE identifier so that results from different tools can be compared. It does not include every possible weakness (technology simply moves far too quickly), but it is one of the most complete lists available. Part of the reason for this is that it allows and encourages outside assistance. When someone identifies a new class of weakness, they are invited to submit it for consideration, after which it can be included in the catalogue.
The CWE organises its entries at three levels of abstraction to help you find the information you need. At the top are class-level weaknesses: general issues described independently of any language or technology. Beneath them are base-level weaknesses, 'child' entries that describe a more specific form of the class. At the bottom are variant-level weaknesses tied to a particular language, technology or resource, each with a full explanation and resources to help you. Each entry records its place in this tree through ChildOf and ParentOf relationships, so you can follow a specific finding up to the general problem it belongs to.
What you will find in the CWE
The CWE organises weaknesses much as biologists classify living species, to show how they are related. Each entry carries more than its place in the hierarchy, however. In addition to the abstraction level, you'll find:
- Description - A short explanation of the weakness, often followed by an extended description of how it arises.
- Terminology Notes – How the weakness got its name, alternate terms for it and how those terms are used. (There is also a general section for other notes.)
- Time of Introduction – The phase of the development lifecycle (architecture and design, implementation, operation and so on) at which the weakness is typically introduced.
- Mitigation – Potential mitigations: hints as to how the weakness can be eliminated or minimised, usually grouped by lifecycle phase.
- Relationships – ChildOf, ParentOf and related-entry links showing how it fits into the CWE structure.
- Taxonomy Mappings – How the entry corresponds to other classifications, such as the OWASP Top Ten.
- References – Where to find additional information on the subject.
You will also find demonstrative examples (code snippets showing how the weakness looks in practice), observed examples (real CVE entries that exhibit it) and a description of the consequences an attacker can achieve by exploiting it.
An integrated information system on vulnerabilities, exposures and their causes
Because the CWE describes types of weakness rather than specific flaws in specific products, it is complemented by the CVE, or Common Vulnerabilities and Exposures. This is a list of publicly known information security vulnerabilities and exposures, each assigned a unique identifier; a CVE entry is usually mapped to the CWE entry that describes its root cause.
The CVE makes "it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this 'common enumeration'. It contains a standard identifier number, status indicator, description, and references for a vulnerability."
If you want severity scores, CWE mappings, affected-platform information and references to fixes for CVE identifiers, you will need to visit the US National Vulnerability Database (NVD), which enriches each CVE entry with that data. Other databases you may find helpful include:
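The hierarchy described earlier and the CVE-to-CWE mapping described in the paragraph above are easiest to see in code. The following is an added example, not code from the article or from MITRE: it walks a hand-built subset of the CWE ChildOf relationships (modelled on the CWE-1000 "Research Concepts" view, with abbreviated names and not the official export format) and rolls a set of findings up to their class-level weakness, which is what a tool that reports by CWE identifier has to do. The CVE identifiers in FINDINGS are placeholders, not real NVD records; the NVD placeholder strings NVD-CWE-Other and NVD-CWE-noinfo are real and are what NVD uses when no specific CWE applies.

```python
"""Walk a CWE ChildOf hierarchy and roll findings up to their root class.

Added example; the CWE table is a hand-built subset and the findings are
constructed sample data.
"""
from collections import Counter, deque

# Constructed subset of CWE: id -> (abbreviated name, abstraction level,
# ChildOf parents). Modelled on the CWE-1000 view, not the official export.
CWE = {
    74:  ("Injection", "Class", ()),
    943: ("Improper Neutralization of Special Elements in Data Query Logic", "Class", (74,)),
    79:  ("Cross-site Scripting", "Base", (74,)),
    80:  ("Basic XSS", "Variant", (79,)),
    89:  ("SQL Injection", "Base", (943,)),
    119: ("Improper Restriction of Operations within a Memory Buffer", "Class", ()),
    120: ("Classic Buffer Overflow", "Base", (119,)),
    787: ("Out-of-bounds Write", "Base", (119,)),
}


def ancestors(cwe_id):
    """Return the ChildOf chain above cwe_id, nearest parent first.

    Breadth-first so an entry with several parents is handled; the seen-set
    guards against a malformed (cyclic) relationship table.
    """
    if cwe_id not in CWE:
        raise KeyError(f"CWE-{cwe_id} is not in the table")
    seen, order, queue = {cwe_id}, [], deque([cwe_id])
    while queue:
        current = queue.popleft()
        for parent in CWE[current][2]:
            if parent not in seen:
                seen.add(parent)
                order.append(parent)
                queue.append(parent)
    return order


def roots(cwe_id):
    """The parentless (top-level) entries that cwe_id ultimately belongs to."""
    chain = [cwe_id] + ancestors(cwe_id)
    return [c for c in chain if not CWE[c][2]]


def parse_cwe_ref(ref):
    """'CWE-79' -> 79. NVD placeholders ('NVD-CWE-Other', 'NVD-CWE-noinfo')
    and anything else that is not a CWE identifier -> None."""
    if ref.startswith("CWE-") and ref[4:].isdigit():
        return int(ref[4:])
    return None


def rollup(findings):
    """Count findings per root class. Findings with no usable CWE, or with a
    CWE missing from our table, are reported under 'unmapped' rather than
    silently dropped."""
    counts = Counter()
    for ref in findings.values():
        cwe_id = parse_cwe_ref(ref)
        if cwe_id is None or cwe_id not in CWE:
            counts["unmapped"] += 1
            continue
        for root in roots(cwe_id):
            counts[f"CWE-{root}"] += 1
    return dict(counts)


# Constructed sample: vulnerability id -> CWE reference as NVD would list it.
# The CVE ids are placeholders, not real records.
FINDINGS = {
    "CVE-0000-0001": "CWE-80",
    "CVE-0000-0002": "CWE-89",
    "CVE-0000-0003": "CWE-787",
    "CVE-0000-0004": "CWE-120",
    "CVE-0000-0005": "NVD-CWE-Other",
}

if __name__ == "__main__":
    for vuln, ref in FINDINGS.items():
        cwe_id = parse_cwe_ref(ref)
        if cwe_id in CWE:
            chain = " -> ".join(f"CWE-{c}" for c in [cwe_id] + ancestors(cwe_id))
        else:
            chain = "(unmapped)"
        print(f"{vuln}: {chain}")
    print(rollup(FINDINGS))
```

Running the script prints each placeholder finding's chain (for example CVE-0000-0001: CWE-80 -> CWE-79 -> CWE-74) and the roll-up {'CWE-74': 2, 'CWE-119': 2, 'unmapped': 1}. The 'unmapped' bucket matters in practice: NVD lists a fair number of entries under its placeholder categories, and a report that drops them will understate what the scanner actually found.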
- Attack Patterns (CAPEC) – Common Attack Pattern Enumeration and Classification: a catalogue of the methods attackers use to exploit weaknesses, cross-referenced to CWE entries.
- Configurations (CCE) – Common Configuration Enumeration: provides unique identifiers for system configuration settings and issues.
- Platforms (CPE) – Common Platform Enumeration: "a standardized naming scheme for IT systems, platforms, and packages."
- Malware (MAEC) – Malware Attribute Enumeration and Characterization: a standard language for describing malware behaviour and artefacts.
- Assessment Language (OVAL) – Open Vulnerability and Assessment Language: a machine-readable language for stating how to check a system for a given vulnerability, patch or configuration.
- Checklist Language (XCCDF) – Extensible Configuration Checklist Description Format: a format for those creating security documents, including checklists and benchmarks.
- Log Format (CEE) – Common Event Expression: a common language and format for recording and exchanging computer event logs.
- Security Content Automation (SCAP) – Security Content Automation Protocol: a NIST specification that combines several of the standards above (CVE, CCE, CPE, OVAL, XCCDF) for automated vulnerability and configuration assessment.
- Making Security Measurable – A hub for information about security standardisation and the many initiatives currently underway. Areas covered include vulnerability management, asset security assessment and management, configuration management, malware response, threat analysis, attack detection, patching and incident management.
Many attacks succeed by exploiting weakness classes that are already well understood and thoroughly documented. By educating yourself and making use of the knowledge available through projects like the CWE, you can recognise and avoid those issues in your own code, and prevent a lot of hassle and headaches for everyone.
Author Bio: Fergal Glynn is the Director of Product Marketing at Veracode, an award-winning application security company providing a source code security analyzer and other helpful security tools.