Introduction
In AppSec and DevSecOps, understanding the type of vulnerability is just as important as knowing it exists. That’s where CWE comes in — it helps categorize software weaknesses.
But what exactly is a CWE?
1. CWE = Common Weakness Enumeration
CWE stands for Common Weakness Enumeration. It’s a classification system for software and hardware weaknesses, covering both implementation bugs and design flaws.
While CVEs describe specific vulnerabilities, CWEs describe the type of weakness that leads to those vulnerabilities.
2. Who manages CWE?
The CWE list is maintained by MITRE, the same organization behind CVEs. It’s an open and community-driven project.
3. What does a CWE look like?
Each CWE entry includes:
- CWE ID: e.g. CWE-79
- Name: e.g. Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”)
- Description: What the weakness is and how it can be exploited
- Examples: Real-world cases and related CVEs
4. CWE vs CVE
| | CVE | CWE |
|---|---|---|
| What it is | A specific vulnerability | A category of weakness |
| Example | CVE-2021-12345 | CWE-89 (SQL Injection) |
| Purpose | Track and report individual bugs | Understand and group common flaw types |
5. Why CWE matters in DevSecOps
- Helps developers understand root causes of vulnerabilities
- Improves secure coding practices
- Enables policy enforcement (e.g., block code with CWE-79 issues)
- Useful in SAST tools, which often report vulnerabilities by CWE ID
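As an added example of the policy-enforcement and SAST points above (not code from the original post or from any particular tool), the script below reads a SAST report, maps each finding to the CWE IDs its rule is tagged with, and fails the build when a blocked CWE such as CWE-79 appears. The report is a constructed, minimal SARIF-shaped document; the `external/cwe/cwe-NNN` tag form follows CodeQL's convention, and the rule ids and file paths are made up.

```python
import json
import re

# Constructed SARIF-style report, not real tool output. Rules carry their CWE IDs as
# tags; the external/cwe/cwe-NNN form is the convention CodeQL uses in its SARIF.
SAMPLE_SARIF = json.dumps({"runs": [{
    "tool": {"driver": {"rules": [
        {"id": "js/xss", "properties": {"tags": ["security", "external/cwe/cwe-079"]}},
        {"id": "js/sql-injection", "properties": {"tags": ["security", "external/cwe/cwe-089"]}},
        {"id": "js/unused-var", "properties": {"tags": ["maintainability"]}},
    ]}},
    "results": [
        {"ruleId": "js/xss", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/render.js"}, "region": {"startLine": 42}}}]},
        {"ruleId": "js/unused-var", "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": "src/util.js"}, "region": {"startLine": 7}}}]},
    ],
}]})

# Matches the trailing "cwe-079" / "CWE-79" part of a tag and captures the number.
CWE_TAG = re.compile(r"cwe-0*(\d+)$", re.IGNORECASE)

def cwe_ids_for_rules(run):
    """Map each rule id in a SARIF run to the set of CWE numbers its tags name."""
    mapping = {}
    for rule in run["tool"]["driver"].get("rules", []):
        tags = rule.get("properties", {}).get("tags", [])
        mapping[rule["id"]] = {int(m.group(1)) for m in map(CWE_TAG.search, tags) if m}
    return mapping

def blocked_findings(sarif_text, blocked_cwes):
    """Return (rule_id, cwes, file, line) for each result whose rule hits a blocked CWE."""
    hits = []
    for run in json.loads(sarif_text)["runs"]:
        rule_cwes = cwe_ids_for_rules(run)
        for result in run.get("results", []):
            cwes = rule_cwes.get(result["ruleId"], set()) & set(blocked_cwes)
            if cwes:
                loc = result["locations"][0]["physicalLocation"]
                hits.append((result["ruleId"], tuple(sorted(cwes)),
                             loc["artifactLocation"]["uri"], loc["region"]["startLine"]))
    return hits

def gate(sarif_text, blocked_cwes):
    """Policy decision for CI: True means no blocked CWE was reported."""
    return not blocked_findings(sarif_text, blocked_cwes)
```

In a pipeline, `gate(report_text, {79, 89})` returning False would be turned into a non-zero exit code, and `blocked_findings` gives the file and line to put in the job log.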
6. Popular CWEs to know
- CWE-79 – Cross-Site Scripting (XSS)
- CWE-89 – SQL Injection
- CWE-22 – Path Traversal
- CWE-732 – Incorrect Permission Assignment
Conclusion
CWE gives us the why behind vulnerabilities — a framework to understand, prevent, and fix flaws at the source.
That’s what a CWE is.
