MITRE has been doing exceptional work in advancing cybersecurity as a public good, and it is an excellent resource for security professionals. Possibly best known for their ATT&CK Framework, a rich source of adversarial tactics and techniques and their mitigations, MITRE is also known for another resource: the Common Weakness Enumeration (CWE). The CWE is a community initiative sponsored by the Cybersecurity and Infrastructure Security Agency (CISA). The community contributing to this repository is quite broad and diverse. It includes large corporations, universities, individual researchers, and government agencies.

Unlike the ATT&CK framework, which focuses on the “red team” and how to defend against them, the CWE is useful for proactively managing risk. Since this list shines a spotlight on common weaknesses, it can be a valuable tool for a vulnerability management program and a useful check against potential points of compromise within an enterprise. The CWE allows a user to search the list by software and hardware weaknesses as well as several other useful groupings, allowing risk analysts to drill down into the details.

What’s New in 4.0

Notable additions in the latest release are hardware security weaknesses, several views organizing the weaknesses into useful categories, and a search function. The hardware weaknesses focus on hardware design, so anyone responsible for creating hardware can use this list for risk analysis in the design phase, or use it to design tests that determine whether current hardware is susceptible if an automated system isn’t already in place.

The new views are a helpful addition to threat and risk analysis and can contribute to a vulnerability management program, though they are no replacement for regular automated scanning. The new views include categories such as “Introduced during design,” “Introduced during implementation,” several coding-language-specific weaknesses, mobile, and easier