What’s the Difference Between CWE and CQE?

What’s the Difference Between CWE and CQE?

Nov. 22, 2017
The Common Weakness Enumeration (CWE) and the Common Quality Enumeration (CQE) represent efforts for identifying and classifying software-security issues.

Given the increased interest in security and safety development, it’s surprising how few know about the Common Weakness Enumeration (CWE) and the Common Quality Enumeration (CQE). Both are industry projects hosted by MITRE.

CWE is a community-developed list of common software security weaknesses like buffer overflow. It’s designed to be a baseline for “weakness identification, mitigation, and prevention efforts.”

“The Common Quality Enumeration (CQE) project is developing a "lingua-franca" of software quality issues aimed at getting tool creators to adopt a common identification system—allowing them to define quality issues easily and ultimately create better software.”

The two are complementary and every programmer should be aware of their contents.

Common Weakness Enumeration (CWE)

All software developers should be take a look at CWE, as it serves as a common language for describing software security weaknesses in architecture, design, or code. It can also be used to measure software security tools from programming languages to static-analysis tools that target the weaknesses. It also addresses weaknesses in identification, mitigation, and prevention efforts.

Some common software weaknesses enumerated by CWE include buffer overflows, structure and validity problems, common special element manipulations, channel and path errors, handler errors, user interface errors, pathname traversal and equivalence errors, authentication errors, resource-management errors, insufficient verification of data, code evaluation and injection, and randomness and predictability.

CWE is based on work that MITRE began in 1999 called the Common Vulnerabilities and Exposures (CVE). The CVE list was a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts to help define common software weaknesses.

The CWE entries like this buffer overflow includes standard sections like the description, relationship links to other entries, applicable platforms like C and C++, common consequences, examples and mitigations.

The CWE List is numbered and detailed. For example, CWE-121 is Stack-based Buffer Overflow (see figure). A variety of other buffer overflow entries are in the mix as well. Included are a description, relationship links to other entries, applicable platforms like C and C++, common consequences, examples, and mitigations.

Quite a few items are listed, so there are different views, or collections, that provide more targeted lists, such as the one for C applications. This is a list of 79 items, although others can be applicable to C applications. This list includes the primary ones, and has things like buffer overflows, conversion errors, and pointer issues.

Some languages like Ada, SPARK and Rust address many of the items in the list, while tools such as static- and dynamic-analysis tools can be used as well.

Common Quality Enumeration (CQE)

Programmers want to deliver quality code, but what does that really mean? Part of the challenge is coming up with a common set of descriptions and then enumerating and addressing details. CQE is a work in progress.

MITRE's John Marien notes, “The Common Weakness Enumeration (CWE) lists quality issues that can be exploited. One or more weaknesses can create a vulnerability. Yet beyond these security-relevant weaknesses, there's a large set of quality issues not covered by CWE.”

A large number of software tools and programming languages are designed to improve code quality. No one language or tool addresses all quality issues or application areas. Many overlapping tools make the discussion of quality difficult. Coming up with a common discussion language and then collecting information about quality issues and solutions could be used for a competitive advantage.

"MITRE is helming the CQE project because automated-tool creators trust us with proprietary data they would not share with each other," says Marien. "They know we won't use it for a competitive advantage."

Hopefully the CQE lingua-franca will be widely adopted. This could not come too soon. CWE is useful now, and CQE is on its way.

About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.

You can send press releases for new products for possible coverage on the website. I am also interested in receiving contributed articles for publishing on our website. Use our template and send to me along with a signed release form. 

Check out my blog, AltEmbedded on Electronic Design, as well as his latest articles on this site that are listed below. 

You can visit my social media via these links:

I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.  

I still get a hand on software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 

Sponsored Recommendations

Comments

To join the conversation, and become an exclusive member of Electronic Design, create an account today!