A Brief Introduction to CWEs
In the upcoming weeks, we will be releasing a series of blog posts focusing on the Common Weakness Enumeration, a list of security vulnerability types. We will begin with an introduction to concepts we’ll refer to again and again in the future.
What is the CWE List?
In short, Common Weakness Enumeration (CWE) is a project devoted to categorizing weaknesses that could lead to security flaws in applications or systems. More specifically, these weaknesses are:
Flaws, faults, bugs, and other errors in software and hardware design, architecture, code, or implementation that if left unaddressed could result in systems and networks, and hardware being vulnerable to attack.
The CWE is a community project whose goals are to understand software flaws and to help create automated tools capable of identifying, fixing, and preventing such flaws before malicious parties exploit them.
CWE? CVE? CVSS? What’s the difference?
In addition to CWE, you will see mentions of CVE and CVSS. These are concepts related to CWE, and we will be referring to these often as well.
- CVE: While the CWE list focuses on the types of software weaknesses, the Common Vulnerabilities and Exposures (CVE) list focuses on known instances of vulnerabilities for specific products/systems.
- CVSS: The Common Vulnerability Scoring System (CVSS) is used to assign a numeric score to CVEs; the CVSS score reflects the severity of the vulnerability.
If you’ve taken a look at the CWE list, you’ll notice that it’s very, very long.
However, there are ways to restrict your focus so that things aren’t overwhelming. For example, you could take a look at weaknesses by risk: the riskier the weakness, the higher it should be on your AppSec priority list.
If you’d like an even narrower focus, consider starting with the Top 25 Most Dangerous Software Weaknesses list, including the most severe security weaknesses in software today. Our subsequent blog posts will take a look at some of the changes to this list over the past year, as well as deep dives into the vulnerability types listed.
A Brief Introduction to CWEs was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Katie Horne. Read the original post at: https://blog.shiftleft.io/a-brief-introduction-to-cwes-4f906e314fd?source=rss----86a4f941c7da---4