DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

Dependency Security Scanning
Common Weakness Enumeration (CWE)

Understanding vulnerabilities is not just about knowing the CVEs and CVSS scores. It's also about understanding the root cause of the vulnerability. This is where the Common Weakness Enumeration (CWE) comes in. The CWE is a community-developed list of common software security weaknesses that can lead to vulnerabilities. It provides a common language for describing these weaknesses and helps software developers, security analysts, and researchers identify, mitigate, and prevent potential security flaws.

This standardized list is maintained by the MITRE Corporation and is publicly available for free. Each weakness in the CWE list is assigned a unique identifier, a description, and a set of relationships to other weaknesses. The CWE list is organized into three main views:

View by Software Development

This categorization groups weaknesses based on software concepts that developers frequently encounter. It helps developers identify and prevent coding mistakes that introduce security risks. Some examples include:

  • Data Validation Issues: Weaknesses related to improper validation of user input. Examples include Missing XML Validation (CWE-112), Permissive List of Allowed Inputs (CWE-183), and Improper Validation of Specified Type of Input (CWE-1287).

  • Authentication Errors: Weaknesses related to authentication mechanisms. Examples include Authentication Bypass by Spoofing (CWE-290), Authentication Bypass by Alternate Name (CWE-289), and Improper Certificate Validation (CWE-295).

  • Privilege Issues: Weaknesses related to improper handling, assignment, or management of privileges. Examples include Execution with Unnecessary Privileges (CWE-250), Incorrect Privilege Assignment (CWE-266), and Privilege Defined With Unsafe Actions (CWE-267).

This view is particularly useful for software developers, application security teams, and anyone interested in secure coding practices.
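Grouping scanner output by the CWE category of each finding, rather than sorting only by CVSS, is how a team turns the "View by Software Development" into a root-cause lens on its dependency findings. The following Python is an added example written for this page, not code from the book; the category-to-member table is a constructed slice of that view limited to the CWE ids listed above, and the scanner report, package names and advisory ids are constructed placeholders rather than real vulnerabilities. Advisories that carry no CWE tag (a common gap in SCA data) are kept in their own bucket instead of being silently dropped.

```python
# Added example (not from the book): group SCA findings by CWE category so
# remediation can target a weakness class, not only the single highest CVSS score.
from collections import defaultdict
from dataclasses import dataclass
import json

# Constructed slice of the CWE "Software Development" view. Membership mirrors
# the examples in the text above; the real view has many more categories/members.
SOFTWARE_DEV_VIEW = {
    "Data Validation Issues": {"CWE-112", "CWE-183", "CWE-1287"},
    "Authentication Errors": {"CWE-290", "CWE-289", "CWE-295"},
    "Privilege Issues": {"CWE-250", "CWE-266", "CWE-267"},
}

# Constructed scanner output. Package names, versions and advisory ids are
# placeholders and do not describe real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"package": "example-http", "version": "1.2.0", "advisory": "EXAMPLE-ADV-001", "cwe": "CWE-295", "cvss": 7.4},
        {"package": "example-auth", "version": "0.9.1", "advisory": "EXAMPLE-ADV-002", "cwe": "CWE-290", "cvss": 8.1},
        {"package": "example-xml", "version": "3.0.0", "advisory": "EXAMPLE-ADV-003", "cwe": "CWE-112", "cvss": 5.3},
        {"package": "example-xml", "version": "3.0.0", "advisory": "EXAMPLE-ADV-004", "cwe": "CWE-1287", "cvss": 6.5},
        {"package": "example-svc", "version": "2.2.2", "advisory": "EXAMPLE-ADV-005", "cwe": "CWE-250", "cvss": 9.8},
        {"package": "example-util", "version": "1.0.0", "advisory": "EXAMPLE-ADV-006", "cwe": "", "cvss": 4.0},
    ]
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    cwe: str      # empty string when the advisory carries no CWE tag
    cvss: float


def parse_report(raw):
    """Parse the (constructed) JSON report into Finding records."""
    data = json.loads(raw)
    return [Finding(**f) for f in data["findings"]]


def category_of(cwe, view=SOFTWARE_DEV_VIEW):
    """Map a CWE id to its category in the given view; keep untagged findings visible."""
    for name, members in view.items():
        if cwe in members:
            return name
    return "Untagged" if not cwe else "Other"


def group_by_category(findings, view=SOFTWARE_DEV_VIEW):
    groups = defaultdict(list)
    for f in findings:
        groups[category_of(f.cwe, view)].append(f)
    return dict(groups)


def root_cause_summary(findings, view=SOFTWARE_DEV_VIEW):
    """Return [(category, finding_count, max_cvss)] sorted by count desc, then max CVSS desc."""
    rows = []
    for name, group in group_by_category(findings, view).items():
        rows.append((name, len(group), max(f.cvss for f in group)))
    rows.sort(key=lambda r: (-r[1], -r[2]))
    return rows


def top_by_cvss(findings):
    """The single finding a CVSS-only triage would pick first."""
    return max(findings, key=lambda f: f.cvss)


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    print("Highest CVSS finding:", top_by_cvss(findings).advisory)
    for name, count, worst in root_cause_summary(findings):
        print(f"{name:24} findings={count} max_cvss={worst}")
```

Run against the sample report, the CVSS-only view points at a single privilege finding, while the CWE view shows that authentication and input-validation weaknesses each account for two findings, which is the signal a team would use to add a targeted control (for example, a shared certificate-validation helper) rather than patching one package at a time.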

View by Hardware Design

For engineers and security experts working with hardware vulnerabilities, this view groups weaknesses around hardware concepts, including firmware, embedded systems, and physical device security flaws. This categorization includes weaknesses like:

  • Manufacturing and Life Cycle Management Concerns: Weaknesses in this category have their root cause in defects that arise during the semiconductor manufacturing process or later in the product's life cycle and supply chain. Examples of these weaknesses include Semiconductor Defects in Hardware Logic with Security-Sensitive Implications (CWE-1248), Improper Scrubbing of Sensitive Data from Decommissioned Device (CWE-1266), and Product Released in Non-Release Configuration (CWE-1269).

  • Security Primitives and Cryptography Issues: This category includes weaknesses related to cryptographic algorithms, key management, and secure communication protocols. Examples include Observable Discrepancy (CWE-203), Missing Cryptographic Step (CWE-325), and Use of a Cryptographic Primitive with a Risky Implementation (CWE-1240).

As noted above, this categorization is best suited for hardware security engineers, embedded system developers, and IoT security professionals.

View by Research Concepts
