Release of CWE 1.0

Release of CWE 1.0

Steven M. Christey-2

CWE 1.0 has been released!

We've added a lot of pages to the site.  Many new pages have undergone
a redesign; you might need to refresh your browser cache to see the
new presentation.

The most efficient way for you to access what you want is probably
through the links provided in this email, much of which is also
reflected in this page:

Major changes have been made to the CWE schema, which will be much
more stable than previous versions. It is expected that the schema
will not change in any substantial fashion for the near future. The
new schema addresses the main outstanding limitations of past
versions, provides internal consistency, fixes outstanding
limitations, and supports ease of content editing by the CWE team. We
thank Sean Barnum of Cigital for his active contributions in this

Schema change summary:

Schema documentation:

Engagement with key stakeholders in the community has led to
additional content enhancements in CWE 1.0. Many entries contain
modifications that were contributed by external parties.

  * Cigital provided additional demonstrative examples, mitigations,
    and times of introduction.

  * KDM Analytics provided additional white box definitions.

  * Veracode suggested the creation of an OWASP Top Ten 2004 view
    (CWE-711) because of its use in PCI, and they provided supporting
    CWE mappings.

Links: everywhere.  Look at the Modification credits in the Content
History sections of individual entries.

Engagement with members of the community has also resulted in
significant enhancements to the Development Concepts (CWE-699) and
Research Concepts (CWE-1000) views, which are the most heavily
featured on the CWE web site. We have also created a Seven Pernicious
Kingdoms view (CWE-700).  A comparison of these views is available, as
well as a description of how they evolved. We are especially grateful
for feedback from representatives from Cigital, Fortify, and Veracode.

Development Concepts view (check out the graph tab):

Research Concepts view (check out the graph tab):

Evolution of the views:


List of all views:

In addition to 39 new entries, all 695 entries from CWE Draft 9 have
been modified in some fashion, mostly from external contributions and
from relationship changes in support of various views.

Detailed change report:



There are additional documents that have been published, including:

 (1) an analysis of CWE's ability to support tool mappings, of
     interest to tool vendors, academic researchers, and tool

 (2) PDF graphical depictions of various CWE views, including
     "coverage graphs" that show how members of one view are located
     within another view:

 (3) an evolving glossary of terms:

Of course, the work doesn't end here, but we believe that CWE 1.0 is a
significant improvement over the past drafts of CWE. It would not be
possible without hard work from the community and the CWE team. Bob
Martin and Steve Christey would like to thank CWE team members Janis
Kenderdine, Conor Harris, and Mark Loveless for all their efforts in
bringing CWE to a new level of maturity.

As always, feedback is welcome here on the list or to [hidden email].


Steve Christey, CWE Technical Lead
Bob Martin, CWE Project Lead