Today, the Department of Homeland Security (DHS), in collaboration with the Mitre Corporation, released the Common Weakness Enumeration version 2.0 (or CWE v2) – a dictionary of software weaknesses and their associated mitigation practices developed by the experts from government, industry and academia from across the software security community.
The CWE was completed by DHS’s National Cybersecurity Division under the Software Assurance Program. In collaboration with the private sector, the Software Assurance Program spearheads the development of practical guidance and tools while promoting research and development of secure software engineering. The recent publication of known weaknesses is available for public use and will enable software developers to build secure software from the ground up while limiting software vulnerabilities that can be potentially exploited by malicious actors. It can be found here.
While CWE v2 represents a substantial improvement over the first iteration of CWE, it also serves as the foundation for emerging efforts by DHS, including the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS).
- The CWRAF organizes the top priority exploitable weaknesses by business and mission domain, so that a given organization knows what mitigation practices are needed to best meet their specific needs.
- The CWSS provides organizations with a tool to develop their own list of most critical weaknesses based on their unique business or mission.