
The purpose of this blog is to provide the community with insight into the data analysis activities associated with the development of the “2020 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25).” It is intended to supplement the methodology previously published on the 2020 CWE Top 25 page on the CWE website, and to provide further transparency into the technical process behind calculating the final list.
NVD Data Operations
The process to create the 2020 CWE Top 25 began on April 23, 2020 by downloading vulnerability data (in JSON format) from the National Vulnerability Database (NVD) for the years 2018 and 2019. There were 16,169 entries from 2018, and 15,370 entries from 2019 (total 31,539). …

What is this:
The CWE Top 25 helps the community determine which problems are the most critical to focus on. The 2020 CWE Top 25 looks at all the Common Vulnerabilities and Exposures (CVEs) for the past two years (2018 + 2019) and the CWEs associated with each CVE. The CWEs are then ranked based on a score that combines severity and frequency of the weakness.
What is different this year:
The program evaluated CVEs that mapped to categories (arbitrary groupings that support navigation) and remapped them to the more specific classes and base weaknesses. …
CWE established a new CWE/CAPEC Board comprised of representatives from commercial hardware and software vendors, academia, government departments and agencies, and other prominent security experts that will set and promote the goals and objectives of the Common Weakness Enumeration (CWE™)/Common Attack Pattern Enumeration and Classification (CAPEC™) Program.
Members of the CWE/CAPEC Board will work with each other and the community to advise and advocate for the CWE/CAPEC Program. …

About