US Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. Software and Supply Chain Assurance. Community Resources and Information Clearinghouse (CRIC).

Mitigating the Most Egregious Exploitable Software Weaknesses: Top 25 CWE Programming Errors


International in scope and free for public use, the Common Weakness Enumeration (CWE) is a community-developed dictionary of software weaknesses. The CWE is a publicly available resource that is collaboratively evolving through public-private contributions. CWE provides the requisite characterization of exploitable software constructs; thus it better enables the needed education and training of programmers on how to eliminate all-too-common errors before software is delivered and put into operation. This aligns with the Build Security In approach to software assurance so that software is developed more securely on the front end, thereby avoiding security issues in the longer term. The CWE provides a standard means for understanding residual risks and thus enables more informed decision making by suppliers and consumers about the security of software.

Read about the DHS Office of Cybersecurity and Communications (CS&C) Software Assurance Program.

Read about the Top 25 CWE programming errors.

  • The CWE is an important component of the CS&C's Software Assurance Program. This list of errors brings CWE to a practical, actionable, and measurable focus that will enable people to make and demonstrate real progress. Public-private collaboration forms the foundation of CS&C’s SwA Program. CWE is a good example of the type of public-private collaboration the department has been advocating. Consistent with the Open Government Directive, the SwA Program’s sponsorship of CWE enables community participation, collaboration, and transparency.
  • Lacking common characterization of exploitable software constructs presented one of the major challenges to realizing software assurance. As part of CS&C’s SwA Program public-private collaboration efforts, DHS, together with other federal partners, provided the sponsorship of those aspects for which industry and academia lacked incentives to fund on their own, but would use once matured.
  • The Top 25 CWEs represent the most significant exploitable software constructs that have made software so vulnerable. Addressing these will go a long way in securing software, both in development and in operation.
  • A Software Assurance Pocket Guide on Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses (pdf) is free for download on this website. The pocket guide provides a set of mitigation practices for each of the top CWEs along with the associated common attacks that target the exploitable weaknesses.
  • DHS cannot endorse any particular organization, such as SANS; however, we are pleased that educational and training institutions, as well as tool vendors, are using a program that DHS has funded and helped develop and mature in conjunction with other federal agencies, industry, and academia.



Frequently Asked Questions

Back to Top