The CWE Program: Current State and Road Ahead
Alec Summers (The MITRE Corporation, US)
Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse experience leading cybersecurity teams in software assurance, vulnerability management, attack surface analysis, and supply chain risk management. He is the day-to-day manager of the Common Weakness Enumeration (CWE) project team, overseeing content development, research, and engagement with its stakeholder community.
---
Common Weakness Enumeration (CWE™) is a community-developed list of cybersecurity weaknesses. A weakness, in the context of CWE, is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.
First released in 2006, CWE initially focused on software weaknesses because organizations of all sizes want assurance that the software products they acquire and develop are free of known types of security flaws. Follow-on releases refined these weaknesses and their classification trees — individual entries are referred to as “CWEs” — while also adding coverage for new domains (e.g., mobile applications).
In 2019, the CWE Program began implementing a strategy of federation to achieve its program goals of growing program adoption and growing program coverage. The CWE Board was established, as well as several community groups including the CWE User Experience Working Group, the CWE REST API Working Group, the Hardware CWE Special Interest Group (SIG), and the CWE ICS/OT SIG. These collaborative bodies bring together program partners in government, industry, and academia to work towards ensuring the CWE program brings value to the cybersecurity community.
This talk will provide an overview of the CWE program’s current efforts to implement its federation strategy to increase program coverage and adoption. This will include efforts to modernize CWE program infrastructure (e.g., deploying a REST API), federate CWE content development (e.g., launch the CWE Content Development Repository (CDR) to provide a platform for program partners to collaborate transparently on CWE content development), and an overview of the CWE community working groups / SIGs and what they are trying to accomplish.