Slide 1

CWE 4.7

Common Weakness Enumeration

What is Common Weakness Enumeration (CWE™)?

The Common Weakness Enumeration (CWE™) is a collaborative effort focused on identifying and categorizing prevalent weaknesses in software, which can have security implications. A « weakness » refers to a condition or flaw in a software component that, under specific circumstances, can contribute to the introduction of vulnerabilities. By utilizing the CWE List and its associated classification system, individuals can effectively recognize and describe these weaknesses using CWEs.

CWE aims to benefit both the development and security communities by addressing vulnerabilities at the root cause. Its primary objective is to educate software architects, designers, programmers, and acquirers on how to eliminate common mistakes before the final software products are delivered. By leveraging CWE, we can effectively prevent the occurrence of security vulnerabilities that have historically posed challenges in the software industry, thereby ensuring the protection of enterprises from potential risks.

Examples of Software Weaknesses:

• Buffer overflows, format strings, etc.
• Structure and validity problems
• Common special element manipulations
• Channel and path errors
• Handler errors
• User interface errors
• Pathname traversal and equivalence errors
• Authentication errors
• Resource management errors
• Insufficient verification of data
• Code evaluation and injection
• Randomness and predictability

The CWE Top 25 Most Dangerous Software Weaknesses List is a free, easy to use community resource that identifies the most widespread and critical programming errors that can lead to serious software vulnerabilities. These weaknesses are often easy to find, and easy to exploit.

QA-MISRA is a powerful static analyzer that ensures compliance with international coding guidelines, promoting software safety and security. The tool supports CWE rule sets.

With QA-MISRA there are no hidden extras, coding language variants, or compliance module add-ons. It provides a single solution to automatically check your C or C++ source code for compliance against the most common international software safety and security standards.

  • Highlights coding rule violations
  • Reports unspecified, undefined or compiler-dependent behavior
  • Clearly flags possible runtime issues