CVE & CWE

CVE - Common Vulnerabilities and Exposures

https://cve.mitre.org/

CVE stands for "Common Vulnerabilities & Exposures". CVE works like a dictionary: it assigns one public name to each widely recognized information security vulnerability.

CWE - Common Weakness Enumeration

https://cwe.mitre.org/

CWE is a community-developed list of common software and hardware security weaknesses. It serves as a common language, as a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

**What is CWE?**

Targeted at both the development community and the community of security practitioners, Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software and hardware weaknesses that can occur in architecture, design, code, or implementation that can lead to exploitable security vulnerabilities. CWE was created to serve as a common language for describing security weaknesses; serve as a standard measuring stick for security tools targeting these weaknesses; and provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

The main goal of the CWE initiative is to stop vulnerabilities at the source by educating software and hardware acquirers, architects, designers, and programmers on how to eliminate the most common mistakes before a product is delivered. CWE serves as a resource for programmers as they write code, for architects as they design new software, for hardware engineers as they create physical components, and supports educators in teaching security as part of the curriculum for software and hardware engineering, computer science, and management information systems; CWE ultimately helps them prevent the kinds of security vulnerabilities that have plagued the software and hardware industries and put enterprises at risk. CWE continues to evolve as a collaborative community effort to populate a publicly available repository of software and hardware errors in code, design, architecture, and implementation for developers and security practitioners that can also be utilized by tool vendors for tagging what their tools report and claim to cover.

The difference between a vulnerability and a weakness

Weakness

"Weaknesses" are flaws, faults, bugs, and other errors in software and hardware design, architecture, code, or implementation that if left unaddressed could result in systems and networks, and hardware being vulnerable to attack.

Examples of weaknesses:

  • Software — buffer overflows, format strings, etc.; structure and validity problems; common special element manipulations; channel and path errors; handler errors; user interface errors; pathname traversal and equivalence errors; authentication errors; resource management errors; insufficient verification of data; code evaluation and injection; and randomness and predictability.
  • Hardware — core and compute issues typically associated with CPUs, Graphics, Vision, AI, FPGA, and uControllers; privilege separation and access control issues related to identity and policy, shared resources, locking controls, registers, and other features and mechanisms; and power, clock, and reset concerns related to voltage, electrical current, temperature, clock control, and state saving/restoring.

The difference between the two

In short, a weakness is the root from which a vulnerability arises, a specific weak spot in software or hardware; a vulnerability is such a weak spot that was not fixed in time and that an attacker can use as a point of entry.

What is the difference between a vulnerability and a weakness?

Weaknesses are errors that can lead to vulnerabilities. A software vulnerability, such as those enumerated on the CVE List, is a mistake in software that can be directly used by a hacker to gain access to a system or network. A hardware vulnerability is a mistake in hardware or its firmware that can be used by a hacker to gain remote or physical access to a system.

What is the relationship between CWE and CVE?

MITRE began working on the issue of categorizing software weaknesses as early as 1999 when it launched the Common Vulnerabilities and Exposures (CVE®) List. As part of building CVE, MITRE's CVE Team developed a preliminary classification and categorization of vulnerabilities, attacks, faults, and other concepts beginning in 2005 to help define common software weaknesses. However, while sufficient for CVE, those groupings were too rough to be used to identify and categorize the functionality offered within the offerings of the code security assessment industry. The CWE List was created in 2006 to better address those additional needs.
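As an added example (not code from the page or from MITRE), the following Python illustrates the relationship the two FAQ answers describe: a CWE catalogue holds classes of weakness, while each CVE record names one concrete vulnerability tagged with the weakness behind it. The identifier syntax checks and the CWE numbers are taken from the public CVE and CWE conventions rather than from this page, and the CVE records are constructed.

```python
import re

# Identifier syntax is not on the page; it follows the public conventions:
# "CVE-<4-digit year>-<4 or more digits>" and "CWE-<number>", upper-case.
CVE_ID = re.compile(r"CVE-(\d{4})-(\d{4,})")
CWE_ID = re.compile(r"CWE-(\d+)")

def is_cve_id(s: str) -> bool:
    return CVE_ID.fullmatch(s) is not None

def is_cwe_id(s: str) -> bool:
    return CWE_ID.fullmatch(s) is not None

def cve_sort_key(cve: str):
    # Numeric order: plain string order would place ...-9999 after ...-10003.
    year, seq = CVE_ID.fullmatch(cve).groups()
    return int(year), int(seq)

# A tiny CWE "dictionary": real CWE ids with shortened names, chosen to match
# weakness families the page lists (overflows, traversal, injection, PRNG).
CWE_CATALOG = {
    "CWE-120": "Classic Buffer Overflow",
    "CWE-22": "Path Traversal",
    "CWE-89": "SQL Injection",
    "CWE-338": "Use of Cryptographically Weak PRNG",
}

# Constructed vulnerability records (not real CVE entries). Each names one
# concrete bug in one product and is tagged with the weakness behind it.
RECORDS = [
    {"cve": "CVE-2099-0001", "cwe": "CWE-120", "product": "widgetd 1.2"},
    {"cve": "CVE-2099-10003", "cwe": "CWE-120", "product": "widgetd 1.3"},
    {"cve": "CVE-2099-0002", "cwe": "CWE-22", "product": "fileshare 3.0"},
    {"cve": "CVE-2099-0004", "cwe": "CWE-999999", "product": "x"},  # unknown CWE
    {"cve": "cve-2099-005", "cwe": "CWE-89", "product": "shop 2.1"},  # bad CVE id
]

def group_by_weakness(records, catalog):
    """Map each catalogue weakness to the CVE ids it caused; also return rejects.
    A weakness stays listed even with zero CVEs (a class of mistake vs. one
    instance); malformed ids and unknown CWEs are reported, not dropped."""
    groups = {cwe: [] for cwe in catalog}
    rejected = []
    for rec in records:
        cve, cwe = rec["cve"], rec["cwe"]
        if not (is_cve_id(cve) and is_cwe_id(cwe) and cwe in catalog):
            rejected.append(cve)
            continue
        groups[cwe].append(cve)
    return {k: sorted(v, key=cve_sort_key) for k, v in groups.items()}, rejected
```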

