A new major version of CWE (version 3.0) is now posted on the website.
This version adds a new "Architectural Concepts" view, which is based on work by the Rochester Institute of Technology. We thank them for their contributions. This new view organizes weaknesses according to common architectural security tactics, and is intended to assist architects in identifying potential weaknesses when designing software.
In addition, there were numerous refinements to the Development Concepts view, primarily focusing on simplifying the top-level categories and improving the relationships amongst the individual weaknesses within (this is ongoing work that will continue into 2018). The Seven Pernicious Kingdoms view was updated to more closely align it to the original white paper on which it based, and to make it easier to use. Three previous views were deprecated because they were duplicative or under-used within the community: Weaknesses Examined by SAMATE, Resource-specific Weaknesses, and Chain Elements.
CWE 3.0 adds three new Weaknesses:
* CWE-1007 "Insufficient Visual Distinction of Homoglyphs Presented to User"
* CWE-1021 "Improper Restriction of Rendered UI Layers or Frames"
* CWE-1022 "Improper Restriction of Cross-Origin Permission to window.opener.location," (submitted by David Deatherage of Silicon Valley Bank)
Finally, there were major changes to the CWE Schema, which was updated from v5.4.4 to v6.0. These changes make the schema more consistent and easier to work with.
More details about all of these changes can be found in the related articles posted to the news page:
With the 3.0 release now behind us, the CWE team will be looking to continue the refinement of existing content. We will focus on turning draft entries to stable, finishing the organization of the development view, and adding new weaknesses as appropriate. We also have a decent backlog of comments and suggests from all of you that we will be going back through and addressing.