CISA releases Common Weakness Enumeration, CWE 4.0
MITRE may be best known for its ATT&CK framework, a rich source of adversary tactics, techniques, and mitigations, but MITRE is also known for another resource: the Common Weakness Enumeration (CWE). CWE is a community initiative initiated by the Cybersecurity and Infrastructure Security Agency (CISA). The community that contributes to this repository is broad and diverse, including large companies, universities, individual researchers, and government agencies.
Unlike the ATT&CK framework, which focuses on offense and defense, CWE is very useful for actively managing risk. CWE enumerates common security weaknesses, is an indispensable tool for vulnerability management, and can effectively reveal potentially harmful points within the enterprise. CWE allows users to search for a list of weaknesses by software, hardware, and other categories, making it easy for risk analysts to perform detailed and in-depth analysis. CWE has recently been updated to version 4.0. Let’s take a look at which new features are worth paying attention to.
The most notable updates in version 4.0 are the addition of hardware security weaknesses, several views that break weaknesses into useful categories, and search capabilities. Hardware weaknesses mainly originate in hardware design, so anyone responsible for hardware development can use this list for risk analysis during the design phase, or use the list to design tests that determine whether existing hardware is vulnerable.
“CWE 4.0 includes two new views: (1) Hardware Design, which organizes weaknesses around concepts that are frequently used or encountered in hardware design; and (2) Software Development, which was created by combining content from the previous Architecture Concepts and Development Concepts views.”
CWE provides important resources for developers, designers, security analysts, and researchers to discover weaknesses and develop mitigations before they are exploited. Unlike some resources, which are aimed mainly at IT or security engineers, CWE puts developers, designers, and architects first in the process of protecting the enterprise.