CWE - About CWE
CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > About CWE  
ID

About CWE

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy identify and describe weaknesses in terms of CWEs.

Knowing the weaknesses that result in vulnerabilities means software developers, hardware designers, and security architects can eliminate them before deployment, when it is much easier and cheaper to do so.


Example Product Lifecycle Flow Chart

CWE List

The CWE List is updated three to four times per year to add new and update existing weakness information. Before being published on the CWE website, weaknesses are developed in the CWE Content Development Repository (CDR) on GitHub.com. The CDR provides visibility into the CWE working queue and a platform for CWE community partners to collaborate on content development.

Using the CWE List

The CWE List is fully searchable and may be viewed or downloaded in its entirety. There is also a the CWE REST API to make CWE content available to community applications and websites in a more convenient way.

Weaknesses can be browsed within “Views” related to specific contexts or domains. The Software Development view organizes items by concepts that are frequently used or encountered during software development. The Hardware Design view organizes weaknesses around concepts that are frequently used or encountered in hardware design, and Research Concepts facilitates weakness type research by organizing items by behaviors.

Other views provide insight for a certain domain or use cases, such as weaknesses introduced during design or implementation; weaknesses with indirect security impacts; those in software written in C, C++, Java, and PHP; in mobile applications; and many more. Another useful feature is the external mappings of CWE content to related resources including the annual CWE Top 25; OWASP Top Ten; Seven Pernicious Kingdoms; Software Fault Pattern Clusters; and SEI CERT Coding Standards for C, Java, and Perl.

All of these unique viewpoints into CWE content enable you to quickly leverage CWE for your own specific needs. CWE List content is also free to incorporate into research, educational materials, processes, and tools, per the terms of use.

CWE Community

CWE Program partners are organizations from across government, industry, and academia. The CWE Program operates several working groups (WGs) and special interest groups (SIGs), all of which are public forums for discussing and working collaboratively to drive CWE Program adoption and increase CWE Program coverage.

Community members can actively participate in the CWE Program by:

Page Last Updated: March 22, 2024