IriusRisk Team
|
The Threat Modeling Experts
April 28, 2021

IriusRisk and CWE


What is the CWE?

The Common Weakness Enumeration (CWE) is a category system for software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and creating automated tools that can be used to identify, fix, and prevent those flaws.[1]

The project is sponsored by the National Cybersecurity FFRDC, which is operated by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security. The objective of the CWE effort is to help shape and mature the code security assessment industry, and also to dramatically accelerate the use and utility of software assurance capabilities for organizations reviewing the software systems they acquire or develop.

What does CWE-Compatible mean?

“CWE-compatible” means that a tool, Web site, database, or other security product or service uses CWE names in a manner that allows it to be cross-referenced with other products that employ CWE names. CWE-compatible means:

  • CWE Searchable – users may search security elements using CWE identifiers.
  • CWE Output – security elements presented to users include, or allow users to obtain, the associated CWE identifiers.
  • Mapping Accuracy – security elements accurately link to the appropriate CWE identifiers.
  • CWE Documentation – the capability’s documentation describes CWE, CWE compatibility, and how the CWE-related functionality in the capability is used.
  • CWE Coverage – for CWE-Effectiveness, the capability’s documentation explicitly lists the CWE identifiers that the capability is effective at locating in software.
  • CWE Test Results – for CWE-Effectiveness, test results from the capability showing the results of assessing software for those CWEs are posted on the CWE Web site.

See the CWE Web site for detailed information on how a Web site, tool, database, or other security product/service becomes compatible, and for a complete list of CWE-compatible products and services.
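To make the first three compatibility criteria concrete, here is an added example (not IriusRisk code, and not part of the CWE program itself) of a small finding store that a threat-modeling or scanning tool could use. It normalises user-typed identifiers so findings are searchable by CWE (CWE Searchable), reports each finding together with its identifiers (CWE Output), and checks every identifier against a known CWE catalogue so mis-mappings are caught (Mapping Accuracy). The `FindingStore` class, the finding texts and component names are invented for this example; the three CWE titles in `KNOWN_CWES` are the real CWE names for those identifiers, and `CWE-999999` is a deliberately bogus placeholder used only to show the accuracy check firing.

```python
import re
from dataclasses import dataclass, field

# Matches "CWE-79", "cwe-079" or a bare "79"; leading zeros are tolerated.
_CWE_ID_RE = re.compile(r"^(?:CWE-)?0*(\d+)$", re.IGNORECASE)

# Constructed subset of the CWE catalogue. The titles are the real CWE names
# for these identifiers (abridged); a production tool would load the full list.
KNOWN_CWES = {
    "CWE-22": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
    "CWE-79": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
    "CWE-89": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
}


def normalize_cwe_id(raw: str) -> str:
    """Canonicalise input such as 'cwe-079' or '89' to 'CWE-79' / 'CWE-89'.

    Raises ValueError for anything that is not a CWE identifier, so that a
    free-text label like 'XSS' can never silently be stored as a mapping."""
    m = _CWE_ID_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a CWE identifier: {raw!r}")
    return f"CWE-{int(m.group(1))}"


def is_cwe_id(raw: str) -> bool:
    """True if the string is syntactically a CWE identifier."""
    return _CWE_ID_RE.match(raw.strip()) is not None


@dataclass
class Finding:
    title: str
    component: str
    cwe_ids: list = field(default_factory=list)  # canonical 'CWE-<n>' strings


class FindingStore:
    """Hypothetical store of security findings indexed by CWE identifier."""

    def __init__(self):
        self._findings = []
        self._by_cwe = {}  # canonical CWE id -> list of findings

    def add(self, finding: Finding) -> Finding:
        # Normalise on the way in so every later lookup uses one spelling.
        finding.cwe_ids = [normalize_cwe_id(c) for c in finding.cwe_ids]
        self._findings.append(finding)
        for cwe in finding.cwe_ids:
            self._by_cwe.setdefault(cwe, []).append(finding)
        return finding

    def search(self, raw_cwe: str) -> list:
        """CWE Searchable: find every finding linked to the given identifier."""
        return list(self._by_cwe.get(normalize_cwe_id(raw_cwe), []))

    def report(self) -> list:
        """CWE Output: each finding rendered together with its CWE identifiers."""
        return [f"{f.component}: {f.title} [{', '.join(f.cwe_ids)}]"
                for f in self._findings]

    def cwe_coverage(self) -> list:
        """The unique identifiers the store references, in numeric order."""
        return sorted(self._by_cwe, key=lambda c: int(c.split("-")[1]))

    def unmapped_ids(self, catalogue: dict = KNOWN_CWES) -> list:
        """Mapping Accuracy check: identifiers not present in the catalogue."""
        return [c for c in self.cwe_coverage() if c not in catalogue]


def build_sample_store() -> FindingStore:
    """Constructed sample data: four findings across three components."""
    store = FindingStore()
    store.add(Finding("Reflected request parameter rendered into HTML", "web-frontend", ["cwe-079"]))
    store.add(Finding("SQL query built by string concatenation", "orders-api", ["CWE-89"]))
    store.add(Finding("User-supplied filename joined into an export path", "report-export", ["22"]))
    # The second identifier here is a bogus placeholder so unmapped_ids() has something to flag.
    store.add(Finding("Template variable emitted without escaping", "web-frontend", ["79", "CWE-999999"]))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for line in s.report():
        print(line)
    print("findings for CWE-79:", len(s.search("cwe-79")))
    print("coverage:", s.cwe_coverage())
    print("unmapped identifiers:", s.unmapped_ids())
```

The normalisation step is what makes cross-referencing with other CWE-compatible products reliable: two tools that both emit `CWE-79` can be joined on that key, whereas free-text weakness names cannot. The `unmapped_ids` check is the minimum a tool should run before publishing its coverage list, since an identifier that is not in the catalogue is by definition an inaccurate mapping.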