What is CWE?
(baby don’t hurt me, don’t hurt me, no more)
I apologize for that title—I couldn’t help myself; but I hope I left you all with that earworm!
About a year ago, MegaZone wrote an article titled “Why we CVE” where he explained what Common Vulnerabilities and Exposures (CVE) numbers are, why F5 participates as a CVE Numbering Authority (CNA) and why we publish vulnerabilities at all—it's an excellent read, but if you need a quick reminder of what CVE numbers are before we get into what CWE numbers are:
A CVE ID, in the form CVE-yyyy-nnnnn, is a unique identifier relating to a specific issue – a software or hardware defect which results in a vulnerability in a specific piece of software or hardware. There is precisely one CVE record for each vulnerability, and it is intended to give us an easy way to be sure we are all talking about the same specific issue; though I should add that the CVE programme isn’t the only programme designed for that (see K000137683 on MyF5 for more vulnerability ID programmes).
So, what does CWE stand for?
CWE stands for Common Weakness Enumeration, and based on the name alone, you might think CWE IDs are for very much the same thing as CVE IDs, perhaps a competing program?
While CVE IDs give us a way to refer to a single specific issue, CWE IDs give us a way to refer to a type of software or hardware weakness. Many CVEs (vulnerabilities) might be caused by a single CWE (type of weakness) – to give you a specific example:
CWE-79 is “Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”. As you can tell from the title, CWE-79 describes a class of weakness in software which can cause a Cross-site Scripting vulnerability in a web application; it does not name any one particular instance of it.
If you search for CWE-79 on MyF5, you’ll find at least 17 F5 CVEs which reference CWE-79; that’s 17 Cross-site Scripting vulnerabilities which impacted F5 products. Meanwhile, if you search cvedetails.com you’ll find nearly 24,000 vulnerabilities which map back to CWE-79!
As you can see, referring to a CWE ID can tell you what kind of vulnerability we are talking about, but it can’t tell you specifically what vulnerability we are talking about.
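To make the many-to-one relationship concrete, here is an added example (written for this article, not F5 code or anything from the CVE program) that indexes a handful of CVE records by the CWE IDs they cite and then resolves an identifier both ways. The records are constructed and shaped like CVE JSON 5.0 (`cveMetadata.cveId` and `containers.cna.problemTypes[].descriptions[].cweId`); the CVE IDs in the year 2099, the titles and the helper names are placeholders, not real advisories. The CWE IDs themselves (CWE-79, CWE-89, CWE-121, CWE-787) are real entries.

```python
import re
from collections import defaultdict

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE-yyyy-nnnn, four or more sequence digits
CWE_ID_RE = re.compile(r"^CWE-\d+$")


def _record(cve_id, title, cwe_ids):
    """Build a constructed record in the shape of a CVE JSON 5.0 CNA container."""
    return {
        "cveMetadata": {"cveId": cve_id},
        "containers": {"cna": {
            "title": title,
            "problemTypes": [{"descriptions": [
                {"lang": "en", "type": "CWE", "cweId": cwe, "description": cwe}
                for cwe in cwe_ids
            ]}],
        }},
    }


# Constructed sample data: placeholder IDs and titles, not real advisories.
SAMPLE_RECORDS = [
    _record("CVE-2099-00001", "Stored XSS in admin UI (constructed)", ["CWE-79"]),
    _record("CVE-2099-00002", "Reflected XSS in login page (constructed)", ["CWE-79"]),
    _record("CVE-2099-00003", "XSS via log viewer (constructed)", ["CWE-79"]),
    _record("CVE-2099-00004", "SQL injection in report export (constructed)", ["CWE-89"]),
    _record("CVE-2099-00005", "Stack overflow in parser (constructed)", ["CWE-121", "CWE-787"]),
]


def cwe_ids_of(record):
    """Return the sorted set of well-formed CWE IDs a record cites (possibly empty)."""
    found = set()
    for ptype in record["containers"]["cna"].get("problemTypes", []):
        for desc in ptype.get("descriptions", []):
            cwe = desc.get("cweId")
            if cwe and CWE_ID_RE.match(cwe):
                found.add(cwe)
    return sorted(found)


def index_by_cwe(records):
    """Map each CWE ID to the CVE IDs that cite it: one weakness class, many vulnerabilities."""
    index = defaultdict(list)
    for rec in records:
        for cwe in cwe_ids_of(rec):
            index[cwe].append(rec["cveMetadata"]["cveId"])
    return dict(index)


def is_unique_identifier(identifier):
    """True if the identifier names one specific issue (CVE), False if it names a class (CWE)."""
    if CVE_ID_RE.match(identifier):
        return True
    if CWE_ID_RE.match(identifier):
        return False
    raise ValueError(f"not a CVE or CWE identifier: {identifier!r}")


def lookup(records, identifier):
    """Resolve an identifier to CVE IDs.

    A CVE ID matches at most one record; a CWE ID returns every record of that
    weakness class, which is why a CWE cannot pin down the issue you mean.
    """
    if is_unique_identifier(identifier):
        return [r["cveMetadata"]["cveId"] for r in records
                if r["cveMetadata"]["cveId"] == identifier]
    return index_by_cwe(records).get(identifier, [])


if __name__ == "__main__":
    for cwe, cves in sorted(index_by_cwe(SAMPLE_RECORDS).items()):
        print(f"{cwe}: {len(cves)} CVE(s) -> {', '.join(cves)}")
    print("CVE-2099-00002 ->", lookup(SAMPLE_RECORDS, "CVE-2099-00002"))
    print("CWE-79 ->", lookup(SAMPLE_RECORDS, "CWE-79"))
```

Run against real records pulled from the CVE List (the JSON 5.0 files use the same `problemTypes` structure), the same index shows the skew the article describes: a single CWE such as CWE-79 fans out to thousands of CVEs, while a CVE ID resolves to exactly one record or none.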
CWE, what is it good for?
(Yes, more song lyrics)
CWE is great for development teams who need to understand more about the weakness behind a vulnerability in their project and how to resolve it.
It’s great for vulnerability management teams who need to communicate to development teams, documentation teams or management about the weakness causing a vulnerability in a product they are responsible for.
It’s great for end customers who want to understand more about the weakness behind a vulnerability, so they can judge whether they are truly impacted, or gauge their risk, given their specific deployment of a product.
What is it not good for?
So, CWE IDs have a lot of great uses, but what are they not good for?
They’re not good identifiers to use when you’re asking someone (say, a vendor) about a specific vulnerability and how to fix or mitigate it. If you need to ask a vendor like F5 how to fix a vulnerability, then you really need to refer to a CVE ID or some other unique identifier.
I see that most commonly when someone needs to discuss one of our Security Exposures. We don’t assign CVE IDs to those (that’s a whole new topic!), but we do still refer to a CWE (the class of weakness causing that Security Exposure), and people commonly pick up on that when they need to raise a question. Instead of the CWE, though, it is much better to use the article number (Knnnnnnnn) to refer to a Security Exposure, because that ID is unique to each specific issue.
The same holds true for anyone else you may need to ask about a specific vulnerability: a CWE ID is almost never the identifier you want to refer to.
I hope that helps clear things up! If you have questions, feel free to leave them as a comment on the article and we’ll do our best to answer them!