Blog

October 12, 2020

What Is CVE? Common Vulnerabilities and Exposures Overview

Stuart Foster
Stuart Foster

Security & Compliance,

DevOps

Common Vulnerability and Exposures (CVE) collects known cybersecurity vulnerabilities and exposures to help you to better safeguard your embedded software.

Here, we explain what is CVE, what is on the CVE list, and how identifying common vulnerabilities and exposures can help ensure that your software is secure.

Read along or jump ahead to the section that interests you the most:

Table of Contents

  1. What Is CVE?
  2. What Is the Difference Between CVE and CWE?
  3. What Is the Difference Between CVE and CVSS?
  4. What Is a CVE Identifier?
  5. What’s Included in the Common Vulnerabilities and Exposures (CVE) List?
  6. How to Fix Common Vulnerabilities and Exposures?
  7. How to Address Common Vulnerabilities and Exposures with Static Analysis / SAST

➡️ learn how to easily write secure code

Back to top

What Is CVE?

Common Vulnerabilities and Exposures (CVE) is a list of publicly known cybersecurity vulnerabilities and exposures. Each item on the list is based upon a finding of a specific vulnerability or exposure found in a specific software product, rather than a general class or kind of vulnerability or exposure.

The CVE list has been designed to make it easier to link information from vulnerability databases, and allow comparison of security tools and services. On the CVE list is a collection of CVE Identifiers assigned to each vulnerability and exposure.

Back to top

What Is the Difference Between CVE and CWE?

The difference between CVE and CWE is quite simple. CVE refers to a specific instance of a vulnerability within a product or system. While CWE refers to types of software weaknesses. So, in effect, CVE is a list of known instances whereas CWE is a reference book of software vulnerabilities.

📕 Related Resource: Learn more about CWE.
Back to top

What Is the Difference Between CVE and CVSS?

The difference between CVE and CVSS is this: CVE is a list of vulnerabilities while CVSS is the overall score assigned to a particular vulnerability. What's more, CVSS and CVE work together in order to help you prioritize software vulnerabilities.

📕 Related Resource: Learn more about CVSS.
Back to top

What Is a CVE Identifier?

CVE Identifiers are unique identifiers for assigned to publicly known cybersecurity vulnerabilities. The Identifiers are used as a standard method for identifying vulnerabilities and for cross-linking with other repositories.

Each Identifier includes the following:

  • An identifier number.
  • Indication of “entry” or “candidate” status.
  • Brief description of the security vulnerability or exposure.
  • Any pertinent references.
Back to top

What’s Included in the Common Vulnerabilities and Exposures (CVE) List?

The common vulnerabilities and exposures CVE list catalogs several types of software vulnerabilities, including:

  • Denial of Service (DoS)
  • Code Execution
  • Buffer Overflow
  • Memory Corruption
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Directory Traversal
  • HTTP Response Splitting

It’s important to be able to identify each and every vulnerability that may be present in your code, and static analyzers — like Klocwork — are the most effective tools to identify and fix software security vulnerabilities.

📕 Related White Paper: Top 10 Embedded Software Cybersecurity Vulnerabilities
Back to top

How to Fix Common Vulnerabilities and Exposures?

To fix common vulnerabilities and exposures, follow these four steps:

  1. Establish software design requirements, which include defining and enforcing secure coding principles. This helps to inform how to effectively write, test, inspect, analyze, and demonstrate your code.
  2. Use a coding standard — such as OWASP, CWE, and CERT — to help prevent, detect, and eliminate vulnerabilities.
  3. Implement security checks into your CI/CD pipeline to identify software security vulnerabilities early. In addition, this helps to enforce good coding practices.
  4. Test your code as early and often as possible to ensure that vulnerabilities are found and eliminated.
📕 Related Resource: Software Security Guide
Back to top

How to Address Common Vulnerabilities and Exposures with Static Analysis / SAST

The best way to address common vulnerabilities and exposures is to develop secure and safe software by using an automated testing tool — like a SAST tool or static code analyzer. 

Static analysis tools identify and eliminate security vulnerabilities and software defects early on in development. This helps to ensure that your software is secure, reliable, and compliant.

By using SAST tools, you are able to:

  • Identify and analyze security risks and prioritize severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards, including CWE, CERT, OWASP, and DISA STIG.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.

Klocwork and Helix QAC help you apply a coding standard and eliminate software defects and vulnerabilities early on in development, which helps to ensure you’re your software is secure and reliable.

Use Klocwork and Helix QAC to Ensure Software Security

See for yourself how Klocwork and Helix QAC cover CVE and enforce software security standards. Register for a free trial.

➡️ register for free trial

Back to top