If you are involved in the security industry you are at least somewhat familiar with the Mitre ATT&CK framework, the very useful, community driven, knowledgebase of attack threat models and methodologies which can be used to emulate adversary behavior to test security controls. However fewer are aware of a lesser known Mitre project, Common Weakness Enumeration (CWE).
CWE is a community developed list of common software and hardware weaknesses which serves as a common language which can be used as an input to security processes. One way I have commonly used the CWE is to aid in creation of Request for Proposals (RFP) for security products, but it can also be used as input to penetration tests, security assessments, product testing and many other use cases.
At the present time the CWE contains 918 documented weaknesses, but the CWE contributors have organized those weaknesses into useful groupings, or views, which make the CWE applicable to many different usages. One of the most popular views is the CWE Top 25 Most Dangerous Software Weaknesses, which can be used as a starting point to securing software applications. There is also a view which maps weaknesses to the OWASP Top 10 as well as many other views into the CWE data.
The CWE Project as well as ATT&CK are always looking for contributors. Getting involved in projects like these are an excellent way to network in the security industry as well as an excellent place to develop security skills. For those of you who are new to the security industry, active participation in projects like these can look very good on your resume. Please consider contributing if you have the time.
— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter:namedeplume (Protected)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.