[SANS ISC] Mitre CWE – Common Weakness Enumeration, (Mon, Jun 21st)

If you are involved in the security industry, you are at least somewhat familiar with the Mitre ATT&CK framework, the very useful, community-driven knowledge base of attack threat models and methodologies which can be used to emulate adversary behavior to test security controls. However, fewer are aware of a lesser-known Mitre project, Common Weakness Enumeration (CWE).

CWE is a community-developed list of common software and hardware weaknesses which serves as a common language that can be used as an input to security processes. One way I have commonly used the CWE is to aid in the creation of Requests for Proposal (RFPs) for security products, but it can also be used as input to penetration tests, security assessments, product testing and many other use cases.

At the present time the CWE contains 918 documented weaknesses, but the CWE contributors have organized those weaknesses into useful groupings, or views, which make the CWE applicable to many different uses. One of the most popular views is the CWE Top 25 Most Dangerous Software Weaknesses, which can be used as a starting point for securing software applications. There is also a view which maps weaknesses to the OWASP Top 10, as well as many other views into the CWE data.
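To show what "common language" and "views" mean in practice, here is an added example (not code from the diary, and not a MITRE tool) that normalizes findings from two hypothetical scanners onto CWE IDs and then rolls them up by view membership. The CWE IDs and names are real entries, but the tool names, rule vocabularies, findings and the two view sets are constructed for illustration; the view sets are hand-picked stand-ins for the real Top 25 and OWASP mapping views, not copies of them.

```python
"""Map heterogeneous scanner findings onto CWE IDs and summarize them by CWE view.

Everything below is constructed sample data. The CWE IDs and names are real
CWE entries; the view membership sets are illustrative subsets only.
"""
from collections import Counter

# Constructed subset of CWE entries (real IDs and names, only a handful).
CWE_NAMES = {
    79: "Improper Neutralization of Input During Web Page Generation (XSS)",
    89: "Improper Neutralization of Special Elements used in an SQL Command",
    22: "Improper Limitation of a Pathname to a Restricted Directory",
    787: "Out-of-bounds Write",
    352: "Cross-Site Request Forgery (CSRF)",
    798: "Use of Hard-coded Credentials",
}

# Constructed views: which CWE IDs each grouping contains. These stand in for
# the real Top 25 and OWASP Top 10 views and are not faithful copies of them.
VIEWS = {
    "top25_subset": {79, 89, 22, 787, 352, 798},
    "owasp_injection_subset": {79, 89},
}

# Constructed tool output: each hypothetical tool names the same weakness differently.
TOOL_TO_CWE = {
    "sast-x": {"sqli": 89, "xss-reflected": 79, "path-traversal": 22, "hardcoded-secret": 798},
    "dast-y": {"SQL Injection": 89, "Cross Site Scripting": 79, "CSRF": 352},
}

# Constructed findings as the two tools might report them.
SAMPLE_FINDINGS = [
    {"tool": "sast-x", "rule": "sqli", "location": "login.php"},
    {"tool": "dast-y", "rule": "SQL Injection", "location": "/api/users"},
    {"tool": "sast-x", "rule": "xss-reflected", "location": "search.php"},
    {"tool": "sast-x", "rule": "hardcoded-secret", "location": "config.php"},
    {"tool": "dast-y", "rule": "Clickjacking", "location": "/"},  # deliberately unmapped
]


def to_cwe(finding):
    """Return the CWE ID for one finding, or None if the tool's rule has no mapping."""
    return TOOL_TO_CWE.get(finding["tool"], {}).get(finding["rule"])


def normalise(findings):
    """Attach a 'cwe' key to every finding; unmapped findings get None."""
    return [dict(f, cwe=to_cwe(f)) for f in findings]


def count_by_cwe(findings):
    """Count normalised findings per CWE ID, ignoring unmapped ones."""
    return Counter(f["cwe"] for f in findings if f["cwe"] is not None)


def in_view(findings, view):
    """Return the normalised findings whose CWE belongs to the named view."""
    members = VIEWS[view]
    return [f for f in findings if f["cwe"] in members]


def unmapped(findings):
    """Findings that no tool mapping covers; these need a CWE assigned by hand."""
    return [f for f in findings if f["cwe"] is None]


if __name__ == "__main__":
    normalised = normalise(SAMPLE_FINDINGS)
    for cwe_id, n in count_by_cwe(normalised).most_common():
        print(f"CWE-{cwe_id} {CWE_NAMES[cwe_id]}: {n}")
    for view in VIEWS:
        print(f"{view}: {len(in_view(normalised, view))} finding(s)")
    for f in unmapped(normalised):
        print(f"unmapped: {f['tool']} rule {f['rule']!r} at {f['location']}")
```

The unmapped bucket is the useful part of such a report: a rule with no CWE behind it is either a gap in the mapping table or a finding that cannot be compared with the other tool's output, and either way it should be resolved before the numbers feed an RFP or assessment summary.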

The CWE Project, as well as ATT&CK, is always looking for contributors. Getting involved in projects like these is an excellent way to network in the security industry as well as an excellent place to develop security skills. For those of you who are new to the security industry, active participation in projects like these can look very good on your resume. Please consider contributing if you have the time.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
