US flag signifying that this is a United States Federal Government website   Official website of the Department of Homeland Security

Homeland Security

U.S. Flag and Keyboard

Securing Tomorrow’s Software

Posted by Bobbie Stempfley, Acting Assistant Secretary, DHS Office of Cybersecurity and Communications (CS&C)

Today, the Department of Homeland Security (DHS), in collaboration with the Mitre Corporation, released the Common Weakness Enumeration version 2.0 (or CWE v2) – a dictionary of software weaknesses and their associated mitigation practices developed by the experts from government, industry and academia from across the software security community.

The CWE was completed by DHS’s National Cybersecurity Division under the Software Assurance Program. In collaboration with the private sector, the Software Assurance Program spearheads the development of practical guidance and tools while promoting research and development of secure software engineering. The recent publication of known weaknesses is available for public use and will enable software developers to build secure software from the ground up while limiting software vulnerabilities that can be potentially exploited by malicious actors. It can be found here.

While CWE v2 represents a substantial improvement over the first iteration of CWE, it also serves as the foundation for emerging efforts by DHS, including the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS).
  • The CWRAF organizes the top priority exploitable weaknesses by business and mission domain, so that a given organization knows what mitigation practices are needed to best meet their specific needs.
  • The CWSS provides organizations with a tool to develop their own list of most critical weaknesses based on their unique business or mission.
CWRAF and CWSS enable all stakeholders throughout the software life cycle to better mitigate risks associated with the kinds of exploitable software that are most applicable to their organization and the technologies they use.
Published by the U.S. Department of Homeland Security, Washington, D.C.
Back to Top