
Archived Content

In an effort to keep DHS.gov current, the archive contains outdated information that may not reflect current policy or programs.

Securing Tomorrow’s Software

Posted by Bobbie Stempfley, Acting Assistant Secretary, DHS Office of Cybersecurity and Communications (CS&C)

Today, the Department of Homeland Security (DHS), in collaboration with the Mitre Corporation, released the Common Weakness Enumeration version 2.0 (or CWE v2) – a dictionary of software weaknesses and their associated mitigation practices, developed by experts from government, industry and academia across the software security community.

The CWE was completed by DHS’s National Cybersecurity Division under the Software Assurance Program. In collaboration with the private sector, the Software Assurance Program spearheads the development of practical guidance and tools while promoting research and development of secure software engineering. The recent publication of known weaknesses is available for public use and will enable software developers to build secure software from the ground up while limiting software vulnerabilities that could potentially be exploited by malicious actors. It can be found here.

While CWE v2 represents a substantial improvement over the first iteration of CWE, it also serves as the foundation for emerging efforts by DHS, including the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS).

  • The CWRAF organizes the top priority exploitable weaknesses by business and mission domain, so that a given organization knows what mitigation practices are needed to best meet its specific needs.
  • The CWSS provides organizations with a tool to develop their own list of most critical weaknesses based on their unique business or mission.

CWRAF and CWSS enable all stakeholders throughout the software life cycle to better mitigate risks associated with the kinds of exploitable software that are most applicable to their organization and the technologies they use.

Last Updated: 09/20/2018