It’s important to note that a weakness is not a vulnerability—at least not yet. As MITRE puts it, weaknesses like these “can lead to serious vulnerabilities in software.”
That means they are considered precursors, but they don’t qualify for the higher-profile Common Vulnerabilities and Exposures (CVE) list, which MITRE also maintains. The Top 25 list itself is compiled from data in the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD), together with the Common Vulnerability Scoring System (CVSS) score associated with each CVE.
Lang said weaknesses are types of mistakes in software that “contribute to the introduction of vulnerabilities within that software under the right conditions.”
“A vulnerability is a specific occurrence of one or more weaknesses that can be exploited under the right conditions to cause the software to behave in an unintended manner,” she said. “But as the conditions may not exist for exploitation, not every weakness is a vulnerability.”
Ksenia Peguero, senior research lead at Synopsys, added that “not every weakness qualifies for a CVE for two reasons. One, a weakness in the code may be mitigated by a control outside of the codebase. Also, CVEs are vulnerabilities that are reported in certain versions of specific software. CWEs, by contrast, are classes of vulnerabilities.”
“For example, the 2020 list has CWE-287, improper authentication, which can manifest in everything from weak password requirements, to incorrect implementation of OAuth flow, to a complete bypass of authentication services,” she said.
“Another example of a class of vulnerabilities is CWE-522, insufficiently protected credentials, which can range from lack of password hashing, to lack of salt, to using weak hashing algorithms, like MD5.”
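As an added example, not from the article or from Synopsys, the Python below audits a table of stored credentials and labels each row with the CWE-522 manifestation Peguero lists (no hashing, no salt, weak algorithm), next to a salted PBKDF2 routine for comparison. The record format, the hypothetical sample rows and the iteration threshold are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Hardened storage: random per-user salt + PBKDF2-HMAC-SHA256 (stdlib only). The record
# format "pbkdf2_sha256$<iter>$<salt hex>$<digest hex>" is an assumption for this example.
def store_password(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(record: str, password: str) -> bool:
    scheme, iters, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare

# Hex-digest lengths of fast, unsalted hashes: MD5 (named in the text as weak) and SHA-1.
FAST_HASH_BY_HEX_LEN = {32: "md5", 40: "sha1"}

def classify_record(record: str) -> str:
    """Label a stored credential with the CWE-522 manifestation it exhibits.
    Heuristic: a bare 32/40-char hex string counts as an unsalted fast hash, any other
    bare string as plaintext, and "md5$<salt>$<digest>" as a salted but weak hash."""
    parts = record.split("$")
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4 and parts[1].isdigit() and int(parts[1]) >= 100_000:
        return "ok"
    if len(parts) == 1:
        is_hex = set(record.lower()) <= set("0123456789abcdef")
        if len(record) in FAST_HASH_BY_HEX_LEN and is_hex:
            return "unsalted-" + FAST_HASH_BY_HEX_LEN[len(record)]
        return "plaintext"
    if parts[0] in ("md5", "sha1"):
        return "salted-" + parts[0]
    return "unknown"

def audit(records: dict) -> dict:
    """Return {username: label} for a whole table of stored credentials."""
    return {user: classify_record(rec) for user, rec in records.items()}

# Constructed sample rows, one per manifestation (password "hunter2" throughout).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_RECORDS = {
    "alice": "hunter2",                                    # no hashing at all
    "bob": hashlib.md5(b"hunter2").hexdigest(),            # MD5, no salt
    "carol": "md5$" + _SALT.hex() + "$" + hashlib.md5(_SALT + b"hunter2").hexdigest(),
    "dave": store_password("hunter2"),                     # salted PBKDF2
}
```

Running `audit(SAMPLE_RECORDS)` flags alice, bob and carol and accepts only dave; the classifier is a heuristic over record shape, so a real audit would also check the algorithm parameters stored with each row.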
While there are thousands of vulnerabilities and weaknesses discovered every year—the 2018-19 NVD data used to compile this year’s list contained approximately 27,000 CVEs that are associated with weaknesses—not all of them are necessarily a major threat. And as has been noted many times at security conferences, it’s impossible to fix every defect in software. Any organization that tried would rarely get a product to market. It would grind development to a halt.