What is CWE?

CWE (Common Weakness Enumeration) is a community-developed formal list of common software weaknesses. It serves as a common language for describing software security weaknesses, a standard measuring stick for software security tools that target these weaknesses, and a baseline for weakness identification, mitigation, and prevention efforts. Drawing on the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. The objective of the CWE effort is to help shape and mature the code security assessment industry and to dramatically accelerate the use and utility of software assurance capabilities for organizations reviewing the software systems they acquire or develop.

Security-Database lists CVEs together with the appropriate CWEs where available.

What does it mean to be CWE-Compatible?

"CWE-compatible" means that a tool, Web site, database, or other security product or service uses CWE names in a manner that allows it to be cross-referenced with other products that employ CWE names. CWE-compatible means:

  • CWE Searchable - users may search security elements using CWE identifiers.
  • CWE Output - security elements presented to users include, or allow users to obtain, associated CWE identifiers
  • Mapping Accuracy - security elements accurately link to the appropriate CWE identifiers
  • CWE Documentation - capability's documentation describes CWE, CWE compatibility, and how CWE-related functionality in the capability is used
  • CWE Coverage - for CWE-Effectiveness, capability's documentation explicitly lists the CWE identifiers that the capability is effective at locating in software
  • CWE Test Results - for CWE-Effectiveness, test results from the capability showing the results of assessing software for the CWEs are posted on the CWE Web site

Security-Database is creating a new generation of its complete XML feed. The complete XML feed will enumerate all known information on a vulnerability (CVE, CPE, OVAL ID, CVSS, CWE, CAPEC, CCE, vendor patches ...).

See the CWE Web site for detailed information on how a Web site, tool, database, or other security product/service becomes compatible, and for a complete list of CWE-compatible products and services.

How does Security-Database use CWE?

Security-Database is CWE compatible.

Security-Database alerts are mostly based on the publicly known vulnerabilities identified on the CVE List. CVE names (also called "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. We have extended the site to include CWEs and CAPECs alongside them.

Each CVE entry on Security-Database includes the following:

  • CVE identifier number (e.g., "CVE-2003-0041").
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references (e.g., vulnerability reports and advisories).
  • CVSS Version 2.0 scores
  • Related OVAL ID, if available
  • CWE ID, if available
  • CAPEC ID, if available
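The fields above are what a consumer of the feed has to read and cross-reference. The following is an added example, not Security-Database's own code: it parses a constructed XML feed whose layout is an assumption for illustration (the real feed schema is not shown on this page), checks that every CVE, CWE and CAPEC identifier uses MITRE's canonical syntax (the "Mapping Accuracy" requirement), and builds a CWE-to-CVE index so entries can be looked up by CWE identifier (the "CWE Searchable" requirement). The first CVE ID is the one quoted on this page; the other two entries are made up for the example.

```python
"""Parse a CVE alert feed carrying CWE/CAPEC cross-references, validate the
identifier syntax and index the entries by CWE.

Added example; the XML layout is an assumption for illustration and is NOT
Security-Database's real feed schema."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Identifier syntax as published by MITRE: a CVE sequence number has at least
# four digits (more are allowed since the 2014 format change); CWE and CAPEC
# identifiers are the prefix followed by an integer.
ID_PATTERNS = {
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "cwe": re.compile(r"^CWE-\d+$"),
    "capec": re.compile(r"^CAPEC-\d+$"),
}

# Constructed sample feed (assumed layout). Entries two and three are made up:
# one has no CWE assigned yet, one carries a badly formatted CWE reference.
SAMPLE_FEED = """<alerts>
  <alert>
    <cve>CVE-2003-0041</cve>
    <summary>constructed entry: memory-safety bug</summary>
    <cvss version="2.0">7.5</cvss>
    <cwe>CWE-119</cwe>
    <capec>CAPEC-100</capec>
  </alert>
  <alert>
    <cve>CVE-2014-123456</cve>
    <summary>constructed entry: no CWE assigned yet</summary>
    <cvss version="2.0">5.0</cvss>
  </alert>
  <alert>
    <cve>CVE-2010-1234</cve>
    <summary>constructed entry: CWE reference missing its prefix</summary>
    <cvss version="2.0">4.3</cvss>
    <cwe>79</cwe>
  </alert>
</alerts>
"""


def parse_feed(xml_text):
    """Return one dict per <alert>. Absent CWE/CAPEC elements become None,
    matching the page's 'if available' wording; nothing is dropped here so
    that validation can report bad mappings instead of silently losing them."""
    root = ET.fromstring(xml_text)
    entries = []
    for alert in root.findall("alert"):
        def text(tag):
            node = alert.find(tag)
            return node.text.strip() if node is not None and node.text else None
        cvss = alert.find("cvss")
        entries.append({
            "cve": text("cve"),
            "summary": text("summary"),
            "cvss_version": cvss.get("version") if cvss is not None else None,
            "cvss_score": float(cvss.text) if cvss is not None and cvss.text else None,
            "cwe": text("cwe"),
            "capec": text("capec"),
        })
    return entries


def validate_entry(entry):
    """Mapping-accuracy check: every identifier that is present must use the
    canonical MITRE syntax, otherwise cross-referencing with other
    CWE-compatible products breaks. Returns a list of problem strings."""
    problems = []
    if entry["cve"] is None:
        problems.append("missing CVE identifier")
    for field, pattern in ID_PATTERNS.items():
        value = entry[field]
        if value is not None and not pattern.match(value):
            problems.append(f"{field} identifier {value!r} is not in canonical form")
    return problems


def index_by_cwe(entries):
    """CWE-searchable index: CWE identifier -> sorted list of CVE identifiers.
    Entries whose identifiers fail validation are excluded so the index never
    advertises a mapping that cannot be cross-referenced."""
    index = defaultdict(list)
    for entry in entries:
        if entry["cwe"] is None or validate_entry(entry):
            continue
        index[entry["cwe"]].append(entry["cve"])
    return {cwe: sorted(cves) for cwe, cves in index.items()}


if __name__ == "__main__":
    parsed = parse_feed(SAMPLE_FEED)
    for e in parsed:
        print(e["cve"], e["cwe"], validate_entry(e) or "ok")
    print(index_by_cwe(parsed))
```

Running the block reports the third entry's bare "79" as a non-canonical CWE reference and leaves it out of the index, so a search for CWE-119 returns only CVE-2003-0041; the second entry is kept in the parsed list but, having no CWE, is not indexable by CWE.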

To browse all CWE entries, enumerated according to the cwe.mitre.org requirements documents and version, use the direct link http://www.security-database.com/cwe.php, also reachable from the menu (Resources -> Security Classification).

More information on CWE Compatibility?

See the CWE Web site for detailed information on how a Web site, tool, database, or other security product or service becomes compatible, and for a complete list of CWE-compatible products and services.