CWE - New to CWE

Common Weakness Enumeration (CWE™) can be difficult to understand for the average person and can even be overwhelming to a seasoned IT industry veteran. This document offers some tips on how to familiarize yourself with what CWE has to offer before more fully exploring this extensive knowledge base. If you are looking for a high-level overview of the CWE Program, you have come to the right place.

What is CWE?

First, we should describe what CWE is. CWE is a community-developed list of common software and hardware weakness types that could have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. Weakness conditions are in many cases introduced by the developer during development of the product.

Even though developers may have vastly different coding practices, they are all capable of introducing the same common type of weaknesses, leading to vulnerabilities in their own products. The CWE List and associated taxonomies and classification schemes serve as a language that can be used to identify and describe these weaknesses in terms of “CWEs”.

The best part is that CWE is free to use by any organization or individual for any research, development, and/or commercial purposes, per the CWE Terms of Use.

What kinds of things does a CWE include?

A CWE is assigned an ID in the form CWE-<ID>, where the <ID> is simply a unique number chosen at the time of assignment (e.g., “CWE-798”). The CWE-ID is followed by a descriptive name for the weakness (e.g., “CWE-798: Use of Hard-coded Credentials”).

For a weakness to be assigned a CWE-ID and published on the CWE website, it must include a set of required information including:

Required CWE Element	Associated Information
Name	The name includes (1) the intended behavior, (2) the mistake (i.e., weakness), (3) the affected resource (if relevant), and (4) the affected technology (if relevant).
Summary	The summary is one or two sentences that describe the weakness focusing on the mistake that is made.
Extended Description	The extended description is one or two paragraphs further describing how the weakness can be a problem. It is intended for the audience that may not understand how the weakness can be a problem.
Modes of Introduction	The Mode of Introduction provides how and when the weakness may be introduced (e.g., by product lifecycle phase).
Potential Mitigations	Potential Mitigations are one or more techniques that will eliminate and/or reduce the frequency or impact of the weakness.
Common Consequences	Common Consequences are the typical negative security impact (or impacts) that occurs if this weakness can be exploited by an attacker.
Applicable Platforms	Applicable Platforms specifies the programming languages, operating systems, architectures, and technologies in which this weakness is usually found.
Demonstrative Examples	Demonstrative Examples illustrate the weakness through code, explanatory text, and/or diagrams.
Observed Examples	Observed Examples are publicly reported vulnerabilities (e.g., CVE Records) in real-world products that exhibit the weakness.
Relationships	Relationships are the other CWEs related to the weakness.
References	References include one or more citations, with URLs, for academic papers, white papers, blog posts, slide presentations, or videos that describe the weakness.

What is an example of a CWE weakness?

The screen shots below provide a glimpse at the first example presented in this tutorial, “CWE-798: Use of Hard-coded Credentials.” This CWE describes the situation where credentials, such as passwords or cryptographic keys, have been hard coded into a hardware or software product. For those unfamiliar with the term “hard-coded,” it is just a way of saying that the password or keys have been defined directly within the source code of a product, which makes it impossible for administrators to change.

You can follow along and view this same CWE by visiting https://cwe.mitre.org/, typing “CWE-798” (without the quotes) into the ID Lookup box on the top right side of the page, and clicking the Go button.

The above figure shows some of the descriptive text of CWE-798, while the figure below shows example 1 from the demonstrative examples section of the CWE.

CWE-798 demonstrative examples screen capture

The following figures show the Observed Examples section which displays a curated list of real-world CVE Records where hard-coded passwords have been discovered in hardware or software products. The last figure shows potential mitigations for the weakness and what part of the development process to which these mitigations would apply.

If you are following along and able to navigate CWE-798 directly, you will notice that this CWE entry includes much more information than what is in these screenshots. A mature CWE can contain a lot of useful information!

CWE-798 observed examples screen capture

CWE-798 potential mitigations screen capture

How can I use CWE?

Many different organizations and individuals use CWE for a variety of different reasons. For example, software developers and security researchers are using CWE today as a common language for discussing how to eliminate and/or mitigate software security weaknesses in architecture, design, code, and implementation. Other organizations are using CWE today as a means to evaluate software security tools looking to discover these weaknesses, and as a common baseline standard for their weakness identification, mitigation, and prevention efforts.

Through the User Experience Working Group (UEWG) — one of several collaborative community efforts — the CWE Program has also defined a number of User Stories based on real usage of the CWE List by various organizations across industry, academia, and government. These User Stories can help to illustrate how the CWE List is used in practice and how it might help you or your organization. The CWE User Stories can be found here.

The CWE Team invites you to explore the CWE List and learn about the ways it is used today. We hope that this guide and the rest of the available CWE documentation helps you understand what CWE is, how to properly use the CWE List, and most importantly provide you and your organization with the best information around security weaknesses. If you have questions, comments, or would like to get involved in one of our community working groups, feel free to reach out to the team at cwe@mitre.org.


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.