
Know Your Weakest Link: Exposing Weaknesses to Eliminate Cyber Flaws

By Lisa Fasold

Mistakes in implementation, code, design, or architecture leave products and systems open to cyber attacks. Since spotting common software weaknesses helps eliminate them early, MITRE created a common list of weakness types used worldwide.

There’s an old saying: A chain is no stronger than its weakest link. That’s as true for software and other cyber-connected systems as for steel. For more than 15 years, MITRE has helped the cyber community identify those “links.”

Leveraging the expertise of the software development and security community, we’ve amassed a common list of software weakness types that anyone around the world can access and reference. Created in 2006, the Common Weakness Enumeration (CWE™) list has grown to nearly 1,000 weakness entries and now covers hardware as well as software.

“Every new language, framework, or technology introduces new weaknesses,” says CWE co-founder Steve Christey Coley, a MITRE principal cybersecurity engineer.

CWE: A Resource with Deep Roots in CVE

In 1999, MITRE developed the Common Vulnerabilities and Exposures (CVE®) project as a fundamental resource for identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities. Since then, CVE has become the gold standard for identifying and numbering vulnerabilities, with 165,518 entries cataloged at the time of writing.

Seven years after CVE’s launch, the MITRE team responsible for its formation wanted to clearly identify and categorize the root causes that led to these vulnerabilities. That effort became the basis for CWE, now celebrating its 15th anniversary.

CWE and CVE are two parts of a triad MITRE created to expose vulnerabilities. CWE lists weakness types. CVE records specific, publicly disclosed vulnerabilities, each an instance of one or more of those weakness types in a particular product. The third element, the Common Attack Pattern Enumeration and Classification (CAPEC™), describes the attack patterns, the execution flows by which an adversary exploits a weakness.

Valuable Information for the Wider Cyber Community

CWE educates software architects, designers, programmers, and acquisition professionals on how to eliminate the most common weaknesses before product delivery.

CWE’s use also extends to less technical professionals. For example, the annually updated CWE Top 25 Most Dangerous Software Weaknesses list gives project managers and marketers a concrete basis for asking vendors whether the software they use avoids the weaknesses on that list.

CWE, CVE, and CAPEC create a comprehensive network of information valued across government and industry sectors, from operating system and security tool vendors to representatives of academia, government agencies, and research institutions.
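The triad described above is easiest to see in data. The following is an added example, not MITRE's own code or tooling: it takes vulnerability records in the shape of the CVE Record Format (JSON 5.x), where the CNA container lists `problemTypes` whose descriptions may carry a `cweId`, tallies how many records trace back to each weakness type, and flags which of those weakness types appear in a CWE Top 25 set. The records (with placeholder IDs), the Top 25 subset, and the small CWE-to-CAPEC table are constructed for illustration and are assumptions; check the current CWE, CVE, and CAPEC data before relying on any of them.

```python
"""Aggregate constructed CVE-style records by their CWE root cause.

Added example, not MITRE's code. Records follow the shape of the CVE Record
Format (JSON 5.x). Every record, the Top 25 subset and the CWE-to-CAPEC table
are constructed for illustration (assumptions, not authoritative data).
"""
from collections import Counter

# Constructed sample records with placeholder CVE IDs (not real vulnerabilities).
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [
         {"lang": "en", "type": "CWE", "cweId": "CWE-79",
          "description": "Cross-site Scripting"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [
         {"lang": "en", "type": "CWE", "cweId": "CWE-79",
          "description": "Cross-site Scripting"}]}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [
         {"lang": "en", "type": "CWE", "cweId": "CWE-89",
          "description": "SQL Injection"}]}]}}},
    # One record can cite more than one weakness type.
    {"cveMetadata": {"cveId": "CVE-0000-0004"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [
         {"lang": "en", "type": "CWE", "cweId": "CWE-787",
          "description": "Out-of-bounds Write"},
         {"lang": "en", "type": "CWE", "cweId": "CWE-125",
          "description": "Out-of-bounds Read"}]}]}}},
    # Free-text problem type with no cweId: the root cause stays unmapped.
    {"cveMetadata": {"cveId": "CVE-0000-0005"},
     "containers": {"cna": {"problemTypes": [{"descriptions": [
         {"lang": "en", "type": "text",
          "description": "Improper handling of untrusted input"}]}]}}},
]

# Illustrative subset of a CWE Top 25 list (assumption; use the current list).
TOP25_SUBSET = {"CWE-787", "CWE-79", "CWE-125", "CWE-89", "CWE-416", "CWE-22"}

# Hand-picked CWE -> CAPEC attack patterns (assumption; not a complete mapping).
RELATED_CAPEC = {
    "CWE-79": ["CAPEC-63"],
    "CWE-89": ["CAPEC-66"],
    "CWE-787": ["CAPEC-100"],
}

UNMAPPED = "unmapped"


def cwe_ids(record):
    """Return the CWE IDs a record cites, or [] when the CNA gave only text."""
    cna = record.get("containers", {}).get("cna", {})
    found = []
    for problem in cna.get("problemTypes", []):
        for desc in problem.get("descriptions", []):
            if desc.get("type") == "CWE" and desc.get("cweId"):
                found.append(desc["cweId"])
    return found


def weakness_histogram(records):
    """Count records per weakness type; records without a cweId count as unmapped.

    A record citing several CWEs contributes one count to each of them.
    """
    counts = Counter()
    for record in records:
        for cwe in cwe_ids(record) or [UNMAPPED]:
            counts[cwe] += 1
    return dict(counts)


def top25_exposure(records, top25=TOP25_SUBSET):
    """Return {cwe: count} for the weakness types that fall in the Top 25 set."""
    return {cwe: n for cwe, n in weakness_histogram(records).items() if cwe in top25}


def attack_patterns(cwe):
    """Return the CAPEC IDs linked to a CWE in the illustrative table, or []."""
    return list(RELATED_CAPEC.get(cwe, []))


if __name__ == "__main__":
    hist = weakness_histogram(SAMPLE_RECORDS)
    for cwe, n in sorted(hist.items(), key=lambda kv: -kv[1]):
        flag = "TOP25" if cwe in TOP25_SUBSET else "     "
        capec = ", ".join(attack_patterns(cwe)) or "-"
        print(f"{flag} {cwe:<10} {n:>3}  CAPEC: {capec}")
```

The unmapped bucket is the practical caveat: a CVE whose CNA supplied only free text gives you a vulnerability count but no root cause, so a weakness histogram built from such records undercounts the very CWEs you most want to eliminate. Feeding real records means loading the JSON files from the CVE list in place of `SAMPLE_RECORDS`; the structure walked here is the same.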

What’s New with CWE?

CWE constantly evolves to support its users. In 2021 alone, MITRE launched several community engagement initiatives to further improve the CWE program.

  • The Hardware CWE Special Interest Group provides an avenue for those in the design, manufacturing, and security domains to foster CWE as a common language for defining hardware security weaknesses.
  • The CWE/CAPEC blog explores trending security vulnerabilities, mapping each to the relevant CWE and CAPEC entries to explain the root cause and suggest potential solutions.
  • The CWE/CAPEC User Experience Working Group defines CWE’s target audiences and which types of content are most important for various usage scenarios.
  • The Out-of-Bounds podcast offers security practitioners an opportunity to learn more about the CWE and CAPEC programs.

“To me, there’s no better metric of CWE’s value than the willingness of the community to engage with us collaboratively to better serve their needs,” says CWE/CAPEC Deputy Project Lead Alec Summers, a MITRE cybersecurity engineer. “CWE helps organizations by providing useful and consumable information that they can use to avoid common mistakes that can negatively affect their missions.”

For individuals and organizations wishing to get involved in CWE, visit the CWE community page.