[SANS ISC] Mitre CWE – Common Weakness Enumeration, (Mon, Jun 21st)

If you are involved in the security industry, you are at least somewhat familiar with the Mitre ATT&CK framework, the very useful, community-driven knowledge base of attack threat models and methodologies which can be used to emulate adversary behavior to test security controls. However, fewer are aware of a lesser-known Mitre project, the Common Weakness Enumeration (CWE).

CWE is a community-developed list of common software and hardware weaknesses which serves as a common language that can be used as an input to security processes. One way I have commonly used the CWE is to aid in the creation of Requests for Proposals (RFPs) for security products, but it can also be used as input to penetration tests, security assessments, product testing and many other use cases.

At the time of writing, the CWE contains 918 documented weaknesses, but the CWE contributors have organized those weaknesses into useful groupings, or views, which make the CWE applicable to many different uses. One of the most popular views is the CWE Top 25 Most Dangerous Software Weaknesses, which can be used as a starting point for securing software applications. There is also a view which maps weaknesses to the OWASP Top 10, as well as many other views into the CWE data.

The CWE Project, as well as ATT&CK, is always looking for contributors. Getting involved in projects like these is an excellent way to network in the security industry and an excellent place to develop security skills. For those of you who are new to the security industry, active participation in projects like these can look very good on your resume. Please consider contributing if you have the time.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
