As the IT security landscape continues to evolve, so do the practices that IT organizations use to mitigate threats and maintain a more secure operating environment. Staying ahead of attackers and minimizing the cost of defense requires constant and appropriate reflection and analysis to improve processes and strategies. In this series, we explain what a CWE is, share our background on CWE collection, and explain how Red Hat has evolved our usage of CWEs over the past few years.
What is a CWE?
Common Weakness Enumeration (CWE) is a community-developed taxonomy of weaknesses maintained by MITRE. When it was released in 2006, it focused on software weaknesses. Over time, CWE evolved to cover additional areas such as mobile applications and, most recently, hardware design flaws. CWE gave software, hardware and general IT security practitioners a common language for describing the underlying issue in a design or implementation that may lead to a vulnerability. This information has been a valuable resource for academia and industry professionals seeking to understand the product security landscape and to observe changes in vulnerability trends.
CWE at Red Hat
Red Hat attained CWE compatibility at the end of 2012. At that time we had already been publishing CVEs and Red Hat Security Advisories (RHSAs) for over a decade, so we started applying CWEs retroactively. Red Hat Product Security used that information almost immediately, and our first risk report covered the data we collected throughout 2013. We took advantage of CWE chains and composites to clarify what it would take for an attacker to turn a weakness into an exploitable vulnerability, which allowed customers to understand the risk within their own environments. This collection and analysis of CWE data helps form the Red Hat Product Security risk reports.
Making Red Hat CWE more impactful
Since 2013, Red Hat has adopted newer CWE versions and views to make better use of CWE data in the vulnerability management process.
CWE-699 Software Development View adoption
Correct weakness selection helps in understanding a vulnerability's root cause and potential consequences. Since the beginning of 2022, Red Hat's default CWE coverage has been based on the CWE-699 Software Development view, which we have found provides more accurate weakness selection for the vulnerabilities most common in software vendors' products. Although we changed our default view to Software Development, we continue to use all weaknesses from the CWE program. We prioritize the accuracy of the data we provide, so we still select weaknesses outside the scope of the Software Development view when they give a more accurate description of the flaw.
Red Hat has also suggested several improvements to the CWE Software Development view. We proposed adding CWE-416: Use After Free, one of the most common software development weaknesses, to the Resource Management Errors category. We also proposed adding CWE-122: Heap-based Buffer Overflow to the Memory Buffer Errors category and CWE-1325: Improperly Controlled Sequential Memory Allocation to the Resource Management Errors category. Future CWE releases are expected to include these changes.
Reactive and proactive CWE usage
By structuring the CWE data according to the Software Development view, Red Hat can describe the nature of vulnerabilities affecting our offerings more efficiently. This lets us perform a more detailed analysis and gain deeper insight into the underlying causes of the issues. For example, we can group similar weaknesses by CWE Software Development view category, which shows where the same types of weakness recur in specific products and their core components. That knowledge then serves as input for a range of proactive security testing. We can also monitor which weakness categories usually lead to exploits, and use that as one factor when prioritizing patching of the affected components.
Some example CWE analyses are published by Red Hat in the yearly risk reports, such as the Red Hat Product Security risk report 2022. Well-structured CWE data allows us, for example, to correlate the CWE weakness categories of the Software Development view with the Red Hat severity rating of the corresponding CVEs.
Table 1. Top 3 CWE categories visible in the Critical and Important severity vulnerabilities
| Id. | CWE-699 category | Count of records |
|---|---|---|
| 1 | Memory Buffer Errors | 288 |
| 2 | | 204 |
| 3 | | 201 |
Table 2. Top 3 CWE categories visible in the Moderate and Low severity vulnerabilities
| Id. | CWE-699 category | Count of records |
|---|---|---|
| 1 | Resource Management Errors | 1,866 |
| 2 | | 1,749 |
| 3 | | 867 |
Based on these statistics, weaknesses in the Memory Buffer Errors category are the most frequent root cause of high-impact (Critical and Important) vulnerabilities. This is consistent with memory corruption flaws being the ones most likely to lead to arbitrary code execution, which Red Hat's severity ratings classify as a high-severity impact.
In contrast, lower-impact (Moderate and Low) vulnerabilities are mostly caused by Resource Management Errors.
We can also correlate the same CWE categories with the Known Exploited Vulnerabilities (KEV) catalog published by CISA. The following list shows the categories sorted from most to least frequent.
Table 3. Top 5 CWE categories in correlation with the known exploits
| Id. | CWE-699 category |
|---|---|
| 1 | |
| 2 | |
| 3 | |
| 4 | |
| 5 | |
Based on this correlation, the most frequently exploited vulnerabilities map to weaknesses in the Resource Management Errors and Data Neutralization Issues categories.
Compare this with the severity statistics above. Although Memory Buffer Errors are usually associated with high-severity vulnerabilities, they are not the root cause of the vulnerabilities most often exploited in the wild. This is a very useful observation for Red Hat and our customers: severity alone is a poor proxy for exploitation likelihood, so the weakness category is worth treating as a separate input when prioritizing patches.
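The two correlations described above (CWE-699 category against Red Hat severity, and against KEV membership) can be reproduced with a small script. The following is an added example, not Red Hat's own tooling: the category table is a hand-written partial excerpt of the CWE-699 Software Development view and must be checked against the current CWE release before real use; the records, their placeholder IDs and the chain/composite notation (`CWE-A->CWE-B`, `(CWE-A|CWE-B)`) are constructed for the example. A record that touches several categories through a chain or composite is counted once in each of them.

```python
"""Correlate CWE-699 categories with severity and known-exploited status.

Added example, not Red Hat code. CWE_699 below is a partial, hand-maintained
excerpt of the Software Development view (verify against the current CWE
release); RECORDS are constructed and their IDs are placeholders, not CVEs.
"""
import re
from collections import Counter

# Partial CWE-699 map: category name -> member weakness IDs (assumed excerpt).
# CWE-416 is placed under Resource Management Errors because the article
# describes Red Hat proposing that placement; confirm for your CWE version.
CWE_699 = {
    "Memory Buffer Errors": {119, 120, 125, 787},
    "Resource Management Errors": {400, 401, 404, 415, 416, 770, 772},
    "Data Neutralization Issues": {74, 77, 78, 79, 89, 94, 116},
    "Numeric Errors": {190, 191, 369, 681},
    "Authentication Errors": {287, 295, 306, 307},
    "Cryptographic Issues": {326, 327},
    "File Handling Issues": {22, 59},
}
UNMAPPED = "Unmapped (not in local table)"

# Red Hat severity ratings grouped the way the report tables group them.
HIGH = {"Critical", "Important"}
LOW = {"Moderate", "Low"}

_CWE_RE = re.compile(r"CWE-(\d+)")


def cwe_ids(text):
    """Extract every CWE number from a string, whatever the chain/composite
    notation around it ('CWE-190->CWE-787', '(CWE-362|CWE-416)', ...)."""
    return {int(n) for n in _CWE_RE.findall(text)}


def categories(cwe_text):
    """Map a CWE string to the sorted list of CWE-699 categories it touches."""
    cats = set()
    for cid in cwe_ids(cwe_text):
        for name, members in CWE_699.items():
            if cid in members:
                cats.add(name)
                break
        else:
            cats.add(UNMAPPED)  # outside the local excerpt of the view
    return sorted(cats)


def category_counts(records, keep):
    """Return (category, count) pairs, most frequent first, for records
    selected by `keep`. A record counts at most once per category."""
    counter = Counter()
    for rec in records:
        if keep(rec):
            counter.update(categories(rec["cwe"]))
    return counter.most_common()


# Constructed records; IDs are placeholders, not real CVEs.
RECORDS = [
    {"id": "R-1", "severity": "Important", "cwe": "CWE-787", "kev": False},
    {"id": "R-2", "severity": "Critical", "cwe": "CWE-190->CWE-787", "kev": True},
    {"id": "R-3", "severity": "Important", "cwe": "CWE-416", "kev": True},
    {"id": "R-4", "severity": "Moderate", "cwe": "CWE-401", "kev": False},
    {"id": "R-5", "severity": "Low", "cwe": "CWE-400", "kev": False},
    {"id": "R-6", "severity": "Important", "cwe": "CWE-78", "kev": True},
    {"id": "R-7", "severity": "Moderate", "cwe": "CWE-79", "kev": True},
    {"id": "R-8", "severity": "Moderate", "cwe": "(CWE-362|CWE-416)", "kev": False},
    {"id": "R-9", "severity": "Important", "cwe": "CWE-125", "kev": False},
    {"id": "R-10", "severity": "Low", "cwe": "CWE-1333", "kev": False},
]


def report(records=RECORDS):
    """Three rankings: categories of high-severity records, of low-severity
    records, and of records present in the KEV catalog."""
    return {
        "high": category_counts(records, lambda r: r["severity"] in HIGH),
        "low": category_counts(records, lambda r: r["severity"] in LOW),
        "kev": category_counts(records, lambda r: r["kev"]),
    }


if __name__ == "__main__":
    for name, rows in report().items():
        print(name)
        for cat, n in rows:
            print(f"  {n:3d}  {cat}")
```

On the constructed records the high-severity ranking is led by Memory Buffer Errors and the KEV ranking by Data Neutralization Issues, the same shape as the real-world observation above; the "Unmapped" bucket is where weaknesses selected from outside the Software Development view (or missing from the local table) surface, so it should be reviewed rather than ignored.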
CWE and continual improvement
As we transition to a shift-left approach and more proactive secure development process, we're able to leverage CWE information collected at various stages of the process and create a feedback loop that benefits both upstream projects and downstream products.
We have an additional goal for ourselves as a CNA: obtaining CWE "Provider" status. Reaching it requires passing NIST's CVMAP CWE audit, which demands at least 95% accuracy in the CWEs we assign.
Red Hat contributes to CWE community
The CWE community consists of many groups working together to improve the entire CWE program usage. Red Hat is actively engaged in the governance with our membership on the CWE/CAPEC board as well as the Hardware CWE Special Interest Group, the REST API Working Group, and the User Experience Working Group, which recently published CWE user personas and stories of CWE users based on Red Hat suggestions.
CWE’s value lies in its emphasis on continuous security improvement when used as part of the feedback loop in a secure development lifecycle (SDL). Stay tuned for our next blog post on the Red Hat Security channel for more about CWEs, including how they're used to discover areas for improvement in software practices. You can also follow us on Twitter @RedHatSecurity, and we encourage interested parties to become active members in the CWE community.
About the authors
Przemysław Roguski is a Security Architect at Red Hat who specializes in the security of cloud products. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products, and designs security solutions and processes across Red Hat Product Security. He focuses on security data improvements (various upstream and downstream security initiatives and projects such as CWE, Kubernetes and the Red Hat Vulnerability Scanner Certification program) to build a better understanding of security issues and improve client satisfaction.
Charles Timko joined Red Hat in 2021 and is focused on automotive security. He is an ISC2 Certified Secure Software Lifecycle Professional and has experience managing a product security program. Charles has held prior roles as a security researcher, embedded developer and security architect, and has previously worked in the defense, automotive, silicon and financial sectors.