How is CWE related to the DHS’ Software Assurance efforts?
CWE has matured through the collaborative efforts of the Software Assurance Forums and SwA working groups. CWE provides the requisite characterization of exploitable software constructs, and so better enables the education and training programmers need to recognize and understand these types of errors before software is delivered and put into operation. This aligns with the NCSD’s Build Security In approach to software assurance, in which software is developed more securely on the front end, thereby avoiding security issues in the longer term. CWE also provides a standard means for understanding residual risks, and thus enables more informed decision-making by suppliers and consumers about the security of software. Finally, CWE enables the interoperable automation of Software Assurance EcoSystem components and projects, such as the NIST Software Assurance Metrics and Tool Evaluation (SAMATE) project, which is sponsored by the DHS NCSD Software Assurance Program.