Quick Summary of CWE, CVE, CVSS, NVD

As InfoSec professionals we often refer to the abbreviations CWE, CVE, NVD and CVSS. At times we use CWE and CVE interchangeably, but there is a subtle difference. Below is a quick view of these commonly used terms:

  • Common Weakness Enumeration (CWE) is the list of common software weaknesses that can lead to exploitable vulnerabilities. These weaknesses are bugs and errors in a software's implementation, coding, design or architecture. A CWE entry is not specific to any one software instance and gives a detailed analysis of the weakness type; MITRE uses CWE to classify the root cause of CVEs. Example: CWE-89 (SQL Injection), CWE-862 (Missing Authorisation). Note: MITRE and SANS publish the CWE Top 25 list of the most dangerous weaknesses, whereas the OWASP Top 10 is a separate community effort that publishes a similar list.
  • Common Vulnerabilities and Exposures (CVE) assigns a unique identifier to a specific vulnerability in a specific piece of software. This helps end consumers of the software understand its known vulnerabilities. Example (Microsoft software): CVE-2019-0708, a Remote Desktop Services remote code execution vulnerability. Software vendors need to address CVEs by patching them or suggesting mitigations.
  • National Vulnerability Database (NVD) is the U.S. Government repository of standards-based vulnerability management data. The NVD team analyses and scores CVEs, producing a severity score using the Common Vulnerability Scoring System (CVSS) to help software vendors and consumers prioritise. Example: the SSLv3 POODLE vulnerability (CVE-2014-3566) has a CVSS score of 3.1 (based on CVSS v3.1).
