Monday, October 23, 2006

CWE - Common Weakness Enumeration

From cwe.mitre.org
CWE is a community-developed dictionary of common software weaknesses targeted to developers and security practitioners.
"...
CWE is a community-developed formal list of common software weaknesses. It serves as a common language for describing software security weaknesses, a standard measuring stick for software security tools targeting these vulnerabilities, and as a baseline standard for weakness identification, mitigation, and prevention efforts.

Leveraging the diverse thinking on this topic from academia, the commercial sector, and government, CWE unites the most valuable breadth and depth of content and structure to serve as a unified standard. Our objective is to help shape and mature the code security assessment industry and also dramatically accelerate the use and utility of software assurance capabilities for organizations in reviewing the software systems they acquire or develop.
..."
The CWE project provides a Classification Tree of the full list of software weaknesses (CWE catalogs classes of weakness, not individual vulnerability instances, which remain the domain of CVE) along with a Full CWE Dictionary.

'Vulnerability Type Distributions in CVE', published as part of the CWE project, provides research results on publicly reported vulnerabilities. This technical white paper discusses the high-level types of vulnerabilities that have been publicly reported in CVE over the past five years, such as buffer overflows, cross-site scripting (XSS), SQL injection, and PHP file inclusion.

The paper identifies and explains trends such as the rapid rise of web application vulnerabilities, covers the distribution of vulnerability types in operating system vendor advisories, and compares the issues being reported in open and closed source advisories.


1 comment:

Anonymous said...

informative