Generated by GPT-5-mini

| Common Weakness Enumeration | |
|---|---|
| Image | Jim McKeeth · Public domain |
| Name | Common Weakness Enumeration |
| Acronym | CWE |
| Focus | Software security weaknesses |
| Owner | MITRE Corporation |
| Country | United States |
| First published | 2006 |
| Website | MITRE |
Common Weakness Enumeration is a community-developed list that categorizes software security weaknesses to enable consistent communication among MITRE Corporation, the National Institute of Standards and Technology, the Department of Homeland Security, Intel Corporation and Microsoft Corporation. It provides a shared taxonomy used by Oracle Corporation, IBM, Google, Amazon, Facebook and other stakeholders to prioritize remediation, measure risk, and guide secure engineering practices across projects and supply chains.
CWE defines weakness types and relationships for use by National Vulnerability Database, Common Vulnerabilities and Exposures, CERT Coordination Center, Open Web Application Security Project, Center for Internet Security and private vendors such as CrowdStrike, Palo Alto Networks, Symantec; it supports tools from GitHub, Sonatype, Veracode, Fortinet and Check Point Software Technologies. The enumeration assigns identifiers, descriptive names, severity context, and mitigation guidance to facilitate alignment with standards like Federal Information Security Management Act of 2002, ISO/IEC 27001, NIST SP 800-53 and compliance programs run by organizations such as European Union Agency for Cybersecurity, Bank for International Settlements and multinational corporations including Siemens, Schneider Electric and Johnson & Johnson.
Origins trace to coordination among MITRE Corporation, US-CERT, NIST and industry partners responding to incidents affecting Equifax, Target Corporation and Sony, to Stuxnet, and to malware outbreaks tied to state and non-state actors. Early development involved collaboration with advocacy groups like OWASP and standards bodies such as the Institute of Electrical and Electronics Engineers and the American National Standards Institute; subsequent revisions have reflected input from vendors including Red Hat, Canonical, SAP SE and Cisco Systems and from consultancies like Deloitte, Accenture and McKinsey & Company. Key milestones include initial cataloging, schema formalization, and mapping efforts to taxonomies such as the CWE/SANS Top 25 and integrations with programs run by the Department of Defense and multinational insurers.
The CWE taxonomy is organized into categories, views, and relationships used by regulators like the European Commission and agencies such as the UK National Cyber Security Centre to frame assessments. Primary elements include base entries with identifiers, community-generated relationships linking to entries maintained by Carnegie Mellon University labs, and vendor-specific mappings for products from Apple Inc., Samsung Electronics and Huawei Technologies. Classification aligns with risk frameworks operated by the Center for Strategic and International Studies and the World Economic Forum and with compliance regimes used by financial institutions like JPMorgan Chase, Goldman Sachs and HSBC. The structure supports formal CWE-to-CVE mappings, enabling traceability from discovery by researchers at institutions such as MIT, Stanford University, Carnegie Mellon University and the University of Cambridge into enterprise dashboards used by McAfee and Trend Micro.
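The relationship walk described above, as an added example that is not code from the page or from MITRE: a small CWE graph where each entry records its ChildOf parent, a function that climbs from a specific weakness to its top-level pillar, and an aggregation that groups CVE-style findings by pillar for remediation prioritization. The CWE IDs and names follow the public catalogue but the graph is an illustrative subset with intermediate classes omitted, and the CVE IDs are constructed placeholders, not real records.

```python
from collections import Counter

# Constructed subset of CWE entries: id -> (name, ChildOf parent or None).
# Illustrative only; the real catalogue has more levels between these nodes.
CWE_ENTRIES = {
    707: ("Improper Neutralization", None),
    74:  ("Injection", 707),
    79:  ("Cross-site Scripting", 74),
    89:  ("SQL Injection", 74),
    20:  ("Improper Input Validation", 707),
    284: ("Improper Access Control", None),
    287: ("Improper Authentication", 284),
    664: ("Improper Control of a Resource Through its Lifetime", None),
    400: ("Uncontrolled Resource Consumption", 664),
}

# Constructed findings with placeholder CVE IDs (not real CVEs); each carries
# the CWE IDs a vulnerability record would be tagged with.
FINDINGS = {
    "CVE-0000-0001": [79],
    "CVE-0000-0002": [89],
    "CVE-0000-0003": [287],
    "CVE-0000-0004": [20, 400],
    "CVE-0000-0005": [999],  # CWE ID absent from our data: must not crash
}

def ancestors(cwe_id):
    """Walk ChildOf links from a CWE ID up to its top-level pillar."""
    chain, seen = [], set()
    while cwe_id in CWE_ENTRIES and cwe_id not in seen:
        seen.add(cwe_id)  # guard against cycles in malformed data
        chain.append(cwe_id)
        cwe_id = CWE_ENTRIES[cwe_id][1]
    return chain

def pillar(cwe_id):
    """Top-level pillar for a CWE ID, or None if the ID is unknown."""
    chain = ancestors(cwe_id)
    return chain[-1] if chain else None

def exposure_by_pillar(findings):
    """Count findings per pillar; a finding with two CWEs under the same
    pillar is counted once for that pillar."""
    counts = Counter()
    for cwe_ids in findings.values():
        for p in {pillar(c) for c in cwe_ids}:
            counts[p] += 1
    return dict(counts)
```

A `None` key in the result flags findings whose CWE ID is missing from the local graph, which is the usual sign of a stale or incomplete CWE snapshot.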
Prominent weakness types include input validation issues, improper authentication, and resource mismanagement, reflected across entries that researchers at Google Project Zero, Kaspersky Lab, ESET and FireEye have repeatedly observed in incidents involving Adobe Systems, Cisco Systems, Microsoft Corporation and Oracle Corporation. Specific entries often used as teaching examples appear in curricula at the Massachusetts Institute of Technology, ETH Zurich and the University of California, Berkeley and in training from the SANS Institute, illustrating exploits similar to attacks attributed to groups tracked by the FBI, the National Security Agency and international task forces coordinated with Interpol and Europol.
CWE is used to drive secure development lifecycles at companies like Intel Corporation, AMD, NVIDIA, SAP SE and Siemens, to prioritize remediation in ticketing systems from Atlassian and ServiceNow, and to feed security testing suites from Qualys, Rapid7, Tenable and Nessus. Governments including United States Department of Defense, Australian Signals Directorate and Government of Canada reference CWE in procurement and assessment frameworks; insurers and auditors at KPMG, PwC and Ernst & Young use mappings to quantify exposure and validate controls. Academic researchers at University of Oxford, Princeton University and Tsinghua University leverage CWE to benchmark tool effectiveness and reproduce results across datasets shared with initiatives like Common Weakness Scoring System collaborations.
Maintenance is coordinated by MITRE Corporation with contributions and advisory input from stakeholders such as NIST, DHS, OWASP, major vendors including Microsoft Corporation, Amazon and Google, and international consortia hosted by ISO. Change control processes involve public proposals, community reviews, and working groups that include participants from Red Hat, Canonical, VMware and consulting firms like Booz Allen Hamilton; governance aims to balance academic research, vendor requirements, and regulatory expectations enforced by bodies such as the European Commission and the US Congress.