Given the increased interest in security and safety development, it’s surprising how few know about the Common Weakness Enumeration (CWE) and the Common Quality Enumeration (CQE). Both are industry projects hosted by MITRE.
CWE is a community-developed list of common software security weaknesses like buffer overflow. It’s designed to be a baseline for “weakness identification, mitigation, and prevention efforts.”
“The Common Quality Enumeration (CQE) project is developing a "lingua-franca" of software quality issues aimed at getting tool creators to adopt a common identification system—allowing them to define quality issues easily and ultimately create better software.”
The two are complementary and every programmer should be aware of their contents.
Common Weakness Enumeration (CWE)
All software developers should be take a look at CWE, as it serves as a common language for describing software security weaknesses in architecture, design, or code. It can also be used to measure software security tools from programming languages to static-analysis tools that target the weaknesses. It also addresses weaknesses in identification, mitigation, and prevention efforts.
Some common software weaknesses enumerated by CWE include buffer overflows, structure and validity problems, common special element manipulations, channel and path errors, handler errors, user interface errors, pathname traversal and equivalence errors, authentication errors, resource-management errors, insufficient verification of data, code evaluation and injection, and randomness and predictability.
CWE is based on work that MITRE began in 1999 called the Common Vulnerabilities and Exposures (CVE). The CVE list was a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts to help define common software weaknesses.
The CWE entries like this buffer overflow includes standard sections like the description, relationship links to other entries, applicable platforms like C and C++, common consequences, examples and mitigations.
The CWE List is numbered and detailed. For example, CWE-121 is Stack-based Buffer Overflow (see figure). A variety of other buffer overflow entries are in the mix as well. Included are a description, relationship links to other entries, applicable platforms like C and C++, common consequences, examples, and mitigations.
Quite a few items are listed, so there are different views, or collections, that provide more targeted lists, such as the one for C applications. This is a list of 79 items, although others can be applicable to C applications. This list includes the primary ones, and has things like buffer overflows, conversion errors, and pointer issues.
Some languages like Ada, SPARK and Rust address many of the items in the list, while tools such as static- and dynamic-analysis tools can be used as well.
Common Quality Enumeration (CQE)
Programmers want to deliver quality code, but what does that really mean? Part of the challenge is coming up with a common set of descriptions and then enumerating and addressing details. CQE is a work in progress.
MITRE's John Marien notes, “The Common Weakness Enumeration (CWE) lists quality issues that can be exploited. One or more weaknesses can create a vulnerability. Yet beyond these security-relevant weaknesses, there's a large set of quality issues not covered by CWE.”
A large number of software tools and programming languages are designed to improve code quality. No one language or tool addresses all quality issues or application areas. Many overlapping tools make the discussion of quality difficult. Coming up with a common discussion language and then collecting information about quality issues and solutions could be used for a competitive advantage.
"MITRE is helming the CQE project because automated-tool creators trust us with proprietary data they would not share with each other," says Marien. "They know we won't use it for a competitive advantage."
Hopefully the CQE lingua-franca will be widely adopted. This could not come too soon. CWE is useful now, and CQE is on its way.
