Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Common Weakness Enumeration
open-in-new
<h2 id="examples">Examples</h2> <ul><li>CWE category 121 is for stack-based buffer overflows.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a></li></ul> <h2 id="cwe-compatibility">CWE compatibility</h2> <p>Common Weakness Enumeration (CWE) Compatibility program allows a service or a product to be reviewed and registered as officially "CWE-Compatible" and "CWE-Effective". The program assists organizations in selecting the right software tools and learning about possible weaknesses and their possible impact. </p><p>In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements, shown below: </p> <table><tbody><tr><td>CWE Searchable</td><td>users may search security elements using CWE identifiers</td></tr><tr><td>CWE Output</td><td>security elements presented to users include, or allow users to obtain, associated CWE identifiers</td></tr><tr><td>Mapping Accuracy</td><td>security elements accurately link to the appropriate CWE identifiers</td></tr><tr><td>CWE Documentation</td><td>capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used</td></tr><tr><td>CWE Coverage</td><td>for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software</td></tr><tr><td>CWE Test Results</td><td>for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site</td></tr></tbody></table> <p>There are 56 organizations as of September 2019 that develop and maintain products and services that achieved CWE Compatible status.<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> </p> <h2 id="research-critiques-and-new-developments">Research, critiques, and new developments</h2> <p>Some researchers think that ambiguities in CWE can be avoided or reduced.<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> </p><p>As of 4/16/2024, the CWE Compatibility Program has been discontinued.<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Common_Vulnerabilities_and_Exposures/r6uEABNB">Common Vulnerabilities and Exposures</a> (CVE)</li> <li><a href="/facts/Common_Vulnerability_Scoring_System/LPP5p4SV">Common Vulnerability Scoring System</a> (CVSS)</li> <li><a href="/facts/National_Vulnerability_Database/kVoJTyAp">National Vulnerability Database</a></li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://www.omg.org/news/meetings/workshops/SWA_2007_Presentations/02-1_Martin_revised.pdf">Certifying Applications for Known Security Weaknesses. The Common Weakness Enumeration (CWE) Effort</a> // 6 March 2007</li> <li><a href="https://web.archive.org/web/20160322061614/http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf">"Classes of Vulnerabilities and Attacks"</a> (PDF). <i>Wiley Handbook of Science and Technology for Homeland Security</i>. comparison of different vulnerability Classifications. Archived from <a href="http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf">the original</a> (PDF) on 2016-03-22.{{cite web}}: CS1 maint: others (link)</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"CWE - About CWE". at mitre.org. <a href="http://cwe.mitre.org/about/index.html" target="_blank">http://cwe.mitre.org/about/index.html</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>"CWE - Frequently Asked Questions (FAQ)". cwe.mitre.org. Retrieved 2023-09-21. <a href="https://cwe.mitre.org/about/faq.html#cwe_sponsor" target="_blank">https://cwe.mitre.org/about/faq.html#cwe_sponsor</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Vulnerabilities | NVD CWE Slice". National Vulnerability Database. <a href="https://nvd.nist.gov/vuln/categories" target="_blank">https://nvd.nist.gov/vuln/categories</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Goseva-Popstojanova, Katerina; Perhinschi, Andrei (2015). "On the capability of static code analysis to detect security vulnerabilities". Information and Software Technology. 68: 18–33. doi:10.1016/j.infsof.2015.08.002. <a href="https://linkinghub.elsevier.com/retrieve/pii/S0950584915001366" target="_blank">https://linkinghub.elsevier.com/retrieve/pii/S0950584915001366</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"CWE - About - CWE History". cwe.mitre.org. Retrieved 2025-02-18. <a href="https://cwe.mitre.org/about/history.html" target="_blank">https://cwe.mitre.org/about/history.html</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"CWE Version 4.15 Now Available". Mitre Corporation. Retrieved 17 October 2024. <a href="https://cwe.mitre.org/news/archives/news2024.html#july16_CWE_Version_4.15_Now_Available" target="_blank">https://cwe.mitre.org/news/archives/news2024.html#july16_CWE_Version_4.15_Now_Available</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Bojanova, Irena (2014). "Bugs Framework (BF): Formalizing Software Security Weaknesses and Vulnerabilities". samate.nist.gov. <a href="/w/index.php?title=Irena_Bojanova&action=edit&redlink=1" target="_blank">/w/index.php?title=Irena_Bojanova&action=edit&redlink=1</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"CWE - CWE-121: Stack-based Buffer Overflow (4.15)". cwe.mitre.org. Retrieved August 5, 2024. <a href="https://cwe.mitre.org/data/definitions/121.html" target="_blank">https://cwe.mitre.org/data/definitions/121.html</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"CWE - CWE-Compatible Products and Services". at mitre.org. <a href="https://cwe.mitre.org/compatible/compatible.html" target="_blank">https://cwe.mitre.org/compatible/compatible.html</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Paul E. Black; Irena V. Bojanova; Yaacov Yesha; Yan Wu (2015). "Towards a "Periodic Table" of Bugs". National Institute of Standards and Technology. <a href="https://www.nist.gov/publications/towards-147periodic-table148-bugs" target="_blank">https://www.nist.gov/publications/towards-147periodic-table148-bugs</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>"CWE-Compatible Products and Services". Common Weakness Enumeration. Archived from the original on 2025-01-07. <a href="https://web.archive.org/web/20250107144449/https://cwe.mitre.org/compatible/compatible.html" target="_blank">https://web.archive.org/web/20250107144449/https://cwe.mitre.org/compatible/compatible.html</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> </ol>