Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
MITRE - Solving Problems for a Safer World
From: Rushi B Purohit <[hidden email]>
Date: Thursday, April 1, 2021 at 11:15 AM
To: Alec J Summers <[hidden email]>
Subject: Guidance E-mail Research List
I just realized that we never actually sent an e-mail via the research list. Here is what I think will be sufficient to share today:
The CWE team heard from the community about difficulty in navigating the CWE corpus to identify specific, desired information. As part of a longer effort, the CWE team has produced initial guidance materials that will help the community identify the root-cause CWE entry for the respective CVE Records. Guidance for mapping vulnerabilities to weaknesses is now available on the “CVE → CWE Mapping Guidance” page on the CWE website. Vendors and researchers can use this guidance to better align vulnerabilities (CVE Records) to their respective, underlying weaknesses (CWE entries).
This guidance is informed by two years of experience in analyzing and mapping thousands of CVE Records in the NIST’s National Vulnerability Database (NVD) to CWEs for calculating the annual CWE Top 25 list. By aligning CVE Records to the most applicable CWE Entries, the community will be in a better position to mitigate or eliminate their associated operational risk most effectively.
Other Useful Hierarchical Views – via “CWE View-1000: Research Concepts,” “CWE View-699: Software Development,” and “CWE View-1194: Hardware Design,” each of which is targeted at a specific hierarchical subset of CWEs.
Keyword Scraper – a CWE Program-developed CVE description parsing script that identifies keywords in NVD’s CVE descriptions – is expected to be available to the public in the near future. Meanwhile, vendors and researchers can create their own customized scripts/tools to fit their specific needs using suggestions in Keyword Scraper.
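As an added example of the kind of customized script the last item invites (example code written for this page, not the CWE Program's Keyword Scraper and not code from this message), here is a small Python keyword scanner over CVE descriptions. Its rule table, the sample descriptions and the CVE numbers are constructed; the CWE identifiers are real CWE entries. It separates root-cause keywords from impact keywords, because a description that only names a denial of service or code execution has not yet identified the underlying weakness:

```python
"""Keyword scan of CVE descriptions to propose root-cause CWE candidates.

Added example for this page, not the CWE Program's Keyword Scraper. The rule
table and the CVE descriptions below are constructed for illustration; the
CWE identifiers are real entries, the CVE numbers are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    cwe_id: str    # "" when the keyword names an impact with no root-cause CWE
    name: str
    kind: str      # "root_cause" or "impact"
    evidence: str  # text in the description that triggered the rule


# (regex, CWE id, short name, kind). Constructed table (assumption): specific
# patterns precede generic ones so that they are reported first.
RULES = [
    (r"sql injection", "CWE-89", "SQL Injection", "root_cause"),
    (r"cross[- ]site scripting|\bxss\b", "CWE-79", "Cross-site Scripting", "root_cause"),
    (r"cross[- ]site request forgery|\bcsrf\b", "CWE-352", "Cross-Site Request Forgery", "root_cause"),
    (r"(?:os )?command injection", "CWE-78", "OS Command Injection", "root_cause"),
    (r"(?:path|directory) traversal", "CWE-22", "Path Traversal", "root_cause"),
    (r"use[- ]after[- ]free", "CWE-416", "Use After Free", "root_cause"),
    (r"out[- ]of[- ]bounds write|(?:heap|stack)[- ]based buffer overflow", "CWE-787", "Out-of-bounds Write", "root_cause"),
    (r"out[- ]of[- ]bounds read", "CWE-125", "Out-of-bounds Read", "root_cause"),
    (r"null pointer dereference", "CWE-476", "NULL Pointer Dereference", "root_cause"),
    (r"buffer overflow", "CWE-120", "Classic Buffer Overflow", "root_cause"),
    # Impact keywords describe what an attacker achieves, not the weakness.
    (r"denial of service|\bdos\b", "CWE-400", "Uncontrolled Resource Consumption", "impact"),
    (r"execute arbitrary code|(?:remote|arbitrary) code execution|\brce\b", "", "Code execution", "impact"),
]


def scan(description: str) -> list[Candidate]:
    """Every rule that fires on the description, in table order, one hit per rule."""
    text = description.lower()
    hits = []
    for pattern, cwe_id, name, kind in RULES:
        match = re.search(pattern, text)
        if match:
            hits.append(Candidate(cwe_id, name, kind, match.group(0)))
    return hits


def suggest(description: str) -> tuple[list[Candidate], list[Candidate]]:
    """Split hits into root-cause CWE candidates and impact-only hits.

    A hit whose evidence is contained in a more specific hit's evidence is
    dropped (e.g. "buffer overflow" inside "heap-based buffer overflow"), so
    the generic CWE-120 does not shadow CWE-787. An empty root-cause list with
    a non-empty impact list means the description only says what the attacker
    gains; the analyst has to read the advisory or patch to find the weakness.
    """
    hits = scan(description)
    specific = [
        h for h in hits
        if not any(o is not h and h.evidence != o.evidence and h.evidence in o.evidence
                   for o in hits)
    ]
    root = [h for h in specific if h.kind == "root_cause"]
    impact = [h for h in specific if h.kind == "impact"]
    return root, impact


# Constructed sample descriptions with placeholder CVE numbers.
SAMPLE_CVES = {
    "CVE-0000-0001": "A heap-based buffer overflow in the image parser of ExampleApp 1.2 "
                     "allows remote attackers to execute arbitrary code via a crafted PNG file.",
    "CVE-0000-0002": "ExampleWeb 3.0 allows remote attackers to cause a denial of service "
                     "(application crash) via a long username.",
    "CVE-0000-0003": "SQL injection in login.php in ExampleCMS 2.1 allows attackers to read the "
                     "user table; the same release also has cross-site scripting (XSS) in the search field.",
}


def report(cves: dict[str, str]) -> dict[str, list[str]]:
    """Map each CVE id to its suggested root-cause CWE ids ('NEEDS REVIEW' if none)."""
    out = {}
    for cve_id, text in cves.items():
        root, _impact = suggest(text)
        out[cve_id] = [c.cwe_id for c in root] or ["NEEDS REVIEW"]
    return out


if __name__ == "__main__":
    for cve_id, cwes in report(SAMPLE_CVES).items():
        print(f"{cve_id}: {', '.join(cwes)}")
```

Run it directly to print a per-CVE summary. A description that produces only impact hits is flagged for analyst review instead of being assigned the impact's CWE, which keeps the output aligned with the root-cause mapping the guidance asks for.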