What Is CVE? Common Vulnerabilities and Exposures (CVE) List Overview
October 12, 2020

What Is CVE? Common Vulnerabilities and Exposures Overview

Security & Compliance
Static Analysis

By

Common Vulnerability and Exposures (CVE) collects known cybersecurity vulnerabilities and exposures to help you to better safeguard your embedded software.

Here, we explain what is CVE, what is on the CVE list, and how identifying common vulnerabilities and exposures can help ensure that your software is secure.

Read along or jump ahead to the section that interests you the most:

Table of Contents

  1. What Is CVE?
  2. What Is the Difference Between CVE and CWE?
  3. What Is the Difference Between CVE and CVSS?
  4. What Is a CVE Identifier?
  5. What’s Included in the Common Vulnerabilities and Exposures (CVE) List?
  6. How to Fix Common Vulnerabilities and Exposures?
  7. How to Address Common Vulnerabilities and Exposures with SAST

➡️ learn how to easily write secure code

Back to top

What Is CVE?

Common Vulnerabilities and Exposures (CVE) is a list of publicly known cybersecurity vulnerabilities and exposures. Each item on the list is based upon a finding of a specific vulnerability or exposure found in a specific software product, rather than a general class or kind of vulnerability or exposure.

The CVE list has been designed to make it easier to link information from vulnerability databases, and allow comparison of security tools and services. On the CVE list is a collection of CVE Identifiers assigned to each vulnerability and exposure.

Back to top

What Is the Difference Between CVE and CWE?

The difference between CVE and CWE is quite simple. CVE refers to a specific instance of a vulnerability within a product or system. While CWE refers to types of software weaknesses. So, in effect, CVE is a list of known instances whereas CWE is a reference book of software vulnerabilities.

📕 Related Resource: Learn more about CWE.
Back to top

What Is the Difference Between CVE and CVSS?

The difference between CVE and CVSS is this: CVE is a list of vulnerabilities while CVSS is the overall score assigned to a particular vulnerability. What's more, CVSS and CVE work together in order to help you prioritize software vulnerabilities.

📕 Related Resource: Learn more about CVSS.
Back to top

What Is a CVE Identifier?

CVE Identifiers are unique identifiers for assigned to publicly known cybersecurity vulnerabilities. The Identifiers are used as a standard method for identifying vulnerabilities and for cross-linking with other repositories.

Each Identifier includes the following:

  • An identifier number.
  • Indication of “entry” or “candidate” status.
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references.
Back to top

What’s Included in the Common Vulnerabilities and Exposures (CVE) List?

The common vulnerabilities and exposures CVE list catalogs several types of software vulnerabilities, including:

  • Denial of Service (DoS)
  • Code Execution
  • Buffer Overflow
  • Memory Corruption
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Directory Traversal
  • HTTP Response Splitting

It’s important to be able to identify each and every vulnerability that may be present in your code, and static analyzers — like Klocwork — are the most effective tools to identify and fix software security vulnerabilities.

📕 Related White Paper: Top 10 Embedded Software Cybersecurity Vulnerabilities
Back to top

How to Fix Common Vulnerabilities and Exposures?

To fix common vulnerabilities and exposures, follow these four steps:

  1. Establish software design requirements, which include defining and enforcing secure coding principles. This helps to inform how to effectively write, test, inspect, analyze, and demonstrate your code.
  2. Use a coding standard — such as OWASP, CWE, and CERT — to help prevent, detect, and eliminate vulnerabilities.
  3. Implement security checks into your CI/CD pipeline to identify software security vulnerabilities early. In addition, this helps to enforce good coding practices.
  4. Test your code as early and often as possible to ensure that vulnerabilities are found and eliminated.
📕 Related Resource: Software Security Guide
Back to top

How to Address Common Vulnerabilities and Exposures with SAST

The best way to address common vulnerabilities and exposures is to develop secure and safe software by using an automated testing tool — like SAST.

SAST tools identify and eliminate security vulnerabilities and software defects early on in development. This helps to ensure that your software is secure, reliable, and compliant.

By using SAST tools, you are able to

  • Identify and analyze security risks and prioritize severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards, including CWE, CERT, OWASP, and DISA STIG.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.

Klocwork SAST helps you apply a coding standard and eliminate software defects and vulnerabilities early on in development, which helps to ensure you’re your software is secure and reliable.

Use Klocwork to Ensure Software Security

See for yourself how Klocwork can help you enforce software security standards, register for a free trial.

➡️ register for free trial

Back to top
Stuart Foster headshot.

Stuart Foster

Klocwork and Helix QAC Product Manager, Perforce

Stuart Foster has over 17 years of experience in mobile and software development. He has managed product development of consumer apps and enterprise software. Currently, he manages Klocwork and Helix QAC, Perforce’s market-leading code quality management solutions. He believes in developing products, features, and functionality that fit customer business needs and helps developers produce secure, reliable, and defect-free code. Stuart holds a bachelor’s degree in information technology, interactive multimedia and design from Carleton University, and an advanced diploma in multimedia design from the Algonquin College of Applied Arts and Technology.