Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Introduction to Common Weakness Enumeration (CWE)


Published on

Introduction to CWE

Published in: Engineering
  • Hello! I do no use writing service very often, only when I really have problems. But this one, I like best of all. The team of writers operates very quickly. It's called ⇒ ⇐ Hope this helps!
    Are you sure you want to  Yes  No
    Your message goes here

Introduction to Common Weakness Enumeration (CWE)

  1. 1. Common Weakness Enumeration Aung Thu Rha Hein (g5536871)
  2. 2. Content ■ What is CWE? ■ CWE Process ■ CWE Lists ■ CWE Overviews ■ CWE Requirements ■ Products & Services ■ References
  3. 3. What is CWE? ■ CWE is an extended project of CVE by MITRE ■ list of software weakness for developers and security practitioners ■ a common language for describing software security weaknesses ■ a standard measurement for software security tools ■ a common baseline standard for weakness identification, mitigation, and prevention efforts
  4. 4. CWE Process ■ CVE provides real-world vulnerabilities ■ CWE provides specific and concise definition of common software weakness ■ working to map each CWE list with specific CVE-IDs ■ 3 organizational structures for CWE elements: o lowest level for tool vendors & researchers o mid level for security practitioners o highest level for software practitioners & other stakeholders
  5. 5. CWE Lists ■ latest version - 2.6 o 943 CWEs ● 31 views ● 187 categories ● 717 weakness ● 8 compound elements ■ it also provides filter for different users ■ the lists are community initiative
  6. 6. CWE Lists/2 ■ CWEs are in hierarchical structure
  7. 7. CWE Lists/3
  8. 8. CWE Overviews ■ 4 useful overviews (Total,Views,Categories,Weakness, Compound elements) o CWE-699: Development concepts (754, 4, 65, 680, 5) o CWE-1000: Research concepts ( 721, 0, 9, 704, 8) o CWE-2000: Comprehensive CWE Dictionary o PDFs with Graphical Depictions of CWE ■ Views can be slices or graphs ■ Compound Elements are entries that closely associates ■ Chains are entries that has cause/effect on another
  9. 9. CWE Requirements *4 out of6 requirements CWE Searchable users may search security elements using CWE identifiers CWE Output security elements presented to users includes, or allows users to obtain, associated CWE identifiers Mapping Accuracy security elements accurately link to the appropriate CWE identifiers CWE Documentation capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used CWE Coverage for CWE-Compatibility and CWE-Effectiveness, the capability's documentation explicitly lists the CWE-IDs that the capability claims coverage and effectiveness against locating in software CWE Test Results for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site
  10. 10. Products & Services ■ 10 organizations that hold CWE compatible status o Fascoo (Sparrow) o CXSecurity (WLB) o GrammarTech (CodeSonar) o High-Tech Bridge (HTB SA,ImmuniWeb) o IBM Security Systems (IBM Security AppScan Standard) o Klockwork (Klokwork Insight) o HP o NIST (SARD) o Security Database (Security Database Web Services) o Veracode (Veracode Analysis)
  11. 11. References ■ ■ meration ■