Interview with Alec J Summers, Cyber Security Engineer at Lead: What is CWE?

What is CWE?

Common Weakness Enumeration (CWE™) is a community-developed list of common weakness types that have security ramifications. “Weaknesses” are flaws in software or hardware implementation, code, design, or architecture that could result in them being vulnerable to attack.

How is CWE related to Common Vulnerabilities and Exposures?

CWE captures the underlying weaknesses that manifest as CVEs. For example, many SQL injection CVEs are examples of one individual CWE.

Originally CWE focused on software. When did the project start thinking about hardware?

CWE originally focused on software weaknesses, but understanding how software, firmware, and hardware interact to create weaknesses has always been in scope to some degree. Hardware security issues (e.g., LoJax, Rowhammer, Meltdown/Spectre) have become increasingly important concerns for enterprise IT, OT, and IoT alike, from industrial control systems and medical devices to automobiles and wearable technologies. It is essential to understand the different types of weaknesses in this space so hardware designers can understand and take action against these types of weaknesses before they become exploitable vulnerabilities.

Are there other efforts in identifying and defining hardware weaknesses? What did CWE bring to the table?

Yes. First, there is the Accellera IP Security Assurance Working Group, of over a dozen organizations, creating standards for hardware security risks when integrating hardware into larger systems. Also, the Department of Defense has a Hardware Vulnerability Database. Members of both of these are collaborating with the CWE Team on the HW CWE scope expansion.

The CWE team brings tremendous experience and expertise in identifying and understanding weaknesses from an objective, research perspective. This experience, coupled with new community partnerships, establishes the baseline expertise to identify and define hardware weaknesses with the degree of rigor required to meet stakeholder needs. It is precisely the community partnership that enables the CWE Program to evolve in a way that best serves program stakeholders.

How did CWE drive interest and the adoption of HW CWE?

It began with an organization wanting to map its hardware-related CVEs to the underlying weaknesses. The CWE Team worked with them to develop the HW weakness categories, and the first new set of entries was published in early 2020. It was apparent that the amount of industry interest in identifying and describing hardware weaknesses meant that ad hoc collaboration with individual organizations was both impractical and suboptimal, and that a new community forum was required to bring together the vast but disparate knowledge that exists within the community.

What is the HW CWE Special Interest Group (SIG)?

The HW CWE SIG is a monthly forum for organizations operating in hardware design, manufacturing, and security to interact, share opinions and expertise, and leverage each other’s experiences in supporting the continued growth and adoption of CWE as a common language for defining hardware security weaknesses. Members work with each other through open and collaborative discussions to provide critical input regarding domain coverage and content hierarchical structure, as well as capabilities, best practices, and industry trends.