MITRE has been doing exceptional work in advancing cybersecurity as a public good, and it is an excellent resource for security professionals. Probably best known for the ATT&CK framework, a rich catalog of adversary tactics and techniques and the mitigations for them, MITRE also maintains another resource: the Common Weakness Enumeration (CWE). CWE is a community initiative sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), and the community contributing to it is broad and diverse: large corporations, universities, individual researchers, and government agencies.
Unlike ATT&CK, which catalogs what adversaries do (the "red team" view) and how to detect and defend against it, CWE is useful for proactively managing risk: it describes the types of flaw in software and hardware that vulnerabilities are built on. (A weakness is a category of flaw; a specific instance of one in a particular product is a vulnerability, which is what a CVE identifier tracks.) Because the list shines a spotlight on common weaknesses, it can be a valuable tool for a vulnerability management program and a useful check against potential points of compromise within an enterprise. CWE lets a user browse the list by software and hardware weaknesses as well as several other useful groupings, allowing detailed drill-down and analysis for risk analysts.
What’s New in 4.0
Notable additions in CWE 4.0 are hardware security weaknesses, several views that organize the weaknesses into useful categories, and a search function. The hardware weaknesses focus on hardware design, so anyone responsible for building hardware can use the list for risk analysis in the design phase, or derive tests from it to determine whether existing hardware is susceptible when an automated check isn't already in place.
The new views are a helpful addition to threat and risk analysis and can feed a vulnerability management program, though they are no replacement for regular automated scanning. They include groupings such as weaknesses "introduced during design" and "introduced during implementation," several language-specific views, a mobile view, and easier ways to review the entire weakness list. Building a habit of security review and secure coding practices is one way to "shift left" with security, and it strengthens other practices such as automated static code analysis.
The CWE list also carries several external mappings organized into views, which is helpful for prioritizing or reviewing weaknesses. For instance, the CWE Top 25 and OWASP Top 10 views are quick ways to pick which weaknesses to analyze and address first. The views built on language coding standards can help confirm that developers are following secure coding practices and provide a good cross-check. The architectural concepts view offers a general safe-development framework and a good starting point for a threat and security checklist.
Building a strong defensive posture means addressing weaknesses before they reach production, alongside regular runtime analysis with tools such as Tripwire's vulnerability management platform. CWE offers developers, designers, security analysts, and researchers a resource for finding weaknesses and developing mitigations before those weaknesses are exploited. Unlike resources that primarily address IT or InfoSec engineers, CWE places developers, designers, and architects front and center in defending the enterprise.
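One way to put those views to work in a vulnerability management program, as an added example that is not part of the original post or of MITRE's own tooling: load the CWE XML export (MITRE publishes the list as XML on cwe.mitre.org), resolve the members of one view, and use that membership to decide which scanner findings to work first. The element and attribute names used below (Weakness_Catalog, Weaknesses/Weakness with ID and Name, Views/View with Members/Has_Member CWE_ID, the cwe-6 namespace) are the author's reading of the CWE schema and should be checked against the export you download; the miniature catalog, its view IDs 9001 and 9002, and the scanner findings are constructed for the example.

```python
"""Added example: resolve CWE view membership from the XML export and triage
findings against it. The schema element names are assumptions; the sample
catalog and findings below are constructed, not real CWE data."""
import re
import xml.etree.ElementTree as ET

NS = {"cwe": "http://cwe.mitre.org/cwe-6"}  # namespace of the CWE 4.x export (assumption)

# Constructed miniature of a CWE export. Weakness IDs are real CWE numbers with
# abbreviated names; the view IDs 9001/9002 are made up for this example.
SAMPLE_CATALOG = """<?xml version="1.0"?>
<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6" Name="CWE" Version="4.0">
  <Weaknesses>
    <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation" Abstraction="Base"/>
    <Weakness ID="89" Name="Improper Neutralization of Special Elements used in an SQL Command" Abstraction="Base"/>
    <Weakness ID="120" Name="Buffer Copy without Checking Size of Input" Abstraction="Base"/>
    <Weakness ID="1240" Name="Use of a Cryptographic Primitive with a Risky Implementation" Abstraction="Base"/>
  </Weaknesses>
  <Views>
    <View ID="9001" Name="Constructed Top-N view" Type="Explicit">
      <Members>
        <Has_Member CWE_ID="79" View_ID="9001"/>
        <Has_Member CWE_ID="89" View_ID="9001"/>
      </Members>
    </View>
    <View ID="9002" Name="Constructed hardware design view" Type="Explicit">
      <Members>
        <Has_Member CWE_ID="1240" View_ID="9002"/>
      </Members>
    </View>
  </Views>
</Weakness_Catalog>
"""

# Constructed scanner output: a mix of well-mapped, unknown and unmapped findings.
SAMPLE_FINDINGS = [
    {"id": "F-1", "cwe": "CWE-89", "where": "app/db.py:42"},
    {"id": "F-2", "cwe": "120", "where": "native/parse.c:118"},
    {"id": "F-3", "cwe": "CWE-79", "where": "web/render.js:7"},
    {"id": "F-4", "cwe": "CWE-424242", "where": "vendor/blob"},   # id not in the catalog
    {"id": "F-5", "where": "lib/crypto.c:9"},                     # scanner gave no CWE at all
]


def _cwe_num(value):
    """Normalise 'CWE-89', 'cwe-89', 89 or '89' to the string '89'; None if unparseable."""
    m = re.fullmatch(r"(?i)(?:cwe-)?(\d+)", str(value).strip())
    return m.group(1) if m else None


def load_catalog(xml_text):
    """Parse an export into (weakness names by id, views by id with their member sets)."""
    root = ET.fromstring(xml_text)
    names = {w.get("ID"): w.get("Name")
             for w in root.iterfind("cwe:Weaknesses/cwe:Weakness", NS)}
    views = {}
    for view in root.iterfind("cwe:Views/cwe:View", NS):
        members = {m.get("CWE_ID") for m in view.iterfind("cwe:Members/cwe:Has_Member", NS)}
        views[view.get("ID")] = {"name": view.get("Name"), "members": members}
    return names, views


def view_members(catalog, view_id):
    """(CWE id, name) for every weakness in a view, sorted numerically."""
    names, views = catalog
    vid = _cwe_num(view_id)
    if vid not in views:
        raise KeyError(f"view {view_id!r} is not in the catalog")
    return [(f"CWE-{cid}", names.get(cid, "(member is not a weakness entry)"))
            for cid in sorted(views[vid]["members"], key=int)]


def triage(findings, catalog, view_id):
    """Split findings into (work first: in the view), (later: known but outside it),
    and (unmapped: no CWE or an id the catalog does not know, needing manual review)."""
    names, views = catalog
    members = views[_cwe_num(view_id)]["members"]
    first, later, unmapped = [], [], []
    for finding in findings:
        cid = _cwe_num(finding.get("cwe", ""))
        if cid is None or cid not in names:
            unmapped.append(finding)
        elif cid in members:
            first.append(finding)
        else:
            later.append(finding)
    return first, later, unmapped


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_CATALOG)
    for cwe_id, name in view_members(cat, "9001"):
        print(f"{cwe_id}: {name}")
    first, later, unmapped = triage(SAMPLE_FINDINGS, cat, "9001")
    print("work first:", [f["id"] for f in first])
    print("later:", [f["id"] for f in later])
    print("unmapped, review by hand:", [f["id"] for f in unmapped])
```

Against a real export, replace SAMPLE_CATALOG with the file contents and pass the numeric ID of the view you care about (the hardware design view, a language view, or a Top 25 mapping). The unmapped bucket matters as much as the first one: a finding the scanner could not tie to a known CWE is exactly the kind of thing a prioritization scheme silently drops.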
The State of Security has a series of posts on the MITRE ATT&CK framework, including an excellent overview video by Travis Smith.
The Common Weakness Enumeration list is run by MITRE.