Policy Insights: CISA releases first-ever 2021 CWE Most Important Hardware Weaknesses list

CISA released the first-ever 2021 CWE Most Important Hardware Weaknesses list, a Common Weakness Enumeration (CWE) list of the most important and common weaknesses in hardware design and implementation. The list was compiled by the Hardware CWE Special Interest Group (SIG); each entry below is a CWE identifier followed by the weakness name. Excerpt:

The 2021 CWE Most Important Hardware Weaknesses

  • CWE-1189           Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
  • CWE-1191           On-Chip Debug and Test Interface With Improper Access Control
  • CWE-1231           Improper Prevention of Lock Bit Modification
  • CWE-1233           Security-Sensitive Hardware Controls with Missing Lock Bit Protection
  • CWE-1240           Use of a Cryptographic Primitive with a Risky Implementation
  • CWE-1244           Internal Asset Exposed to Unsafe Debug Access Level or State
  • CWE-1256           Improper Restriction of Software Interfaces to Hardware Features
  • CWE-1260           Improper Handling of Overlap Between Protected Memory Ranges
  • CWE-1272           Sensitive Information Uncleared Before Debug/Power State Transition
  • CWE-1274           Improper Access Control for Volatile Memory Containing Boot Code
  • CWE-1277           Firmware Not Updateable
  • CWE-1300           Improper Protection of Physical Side Channels
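Three of the entries above (CWE-1231, CWE-1233 and CWE-1260) are easiest to understand side by side, because they all concern how a protected-memory-range register block behaves once it has been configured. The following is an added example written for this page, not code from CISA, MITRE or the Hardware CWE SIG: a C model of a hypothetical SoC "protected range" register block. The register names and fields, the reset behaviour and the "highest-numbered matching region wins" priority rule are assumptions made for the illustration. The weak design lets software clear the lock bit (CWE-1231), lets configuration writes bypass the lock (CWE-1233) and accepts an overlapping non-secure region that shadows a secure one (CWE-1260); the hardened design makes the lock sticky, refuses configuration writes while locked and rejects any overlapping range.

```c
/* Added example, not code from CISA, MITRE or the Hardware CWE SIG: a
 * software model of a hypothetical SoC protected-range register block,
 * used to show CWE-1231, CWE-1233 and CWE-1260 and the design checks that
 * close them. Register layout and the priority rule are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REGIONS 4

typedef struct {
    uint32_t base;      /* first protected address */
    uint32_t limit;     /* last protected address, inclusive */
    bool secure_only;   /* true: only secure-world masters may access */
    bool locked;        /* lock bit: once set, config must be immutable until reset */
    bool valid;
} region_t;

typedef struct { region_t r[MAX_REGIONS]; } range_regs_t;

void regs_reset(range_regs_t *regs) { memset(regs, 0, sizeof *regs); }

/* Assumed priority rule: the highest-numbered valid region covering addr
 * decides. With overlapping regions this is exactly where CWE-1260 bites. */
int matching_region(const range_regs_t *regs, uint32_t addr) {
    int hit = -1;
    for (int j = 0; j < MAX_REGIONS; j++)
        if (regs->r[j].valid && regs->r[j].base <= addr && addr <= regs->r[j].limit)
            hit = j;
    return hit;
}

bool access_allowed(const range_regs_t *regs, uint32_t addr, bool secure_master) {
    int j = matching_region(regs, addr);
    if (j < 0) return true;                     /* unprotected address */
    return secure_master || !regs->r[j].secure_only;
}

/* ---- Weak design, behaving as the three CWEs describe ---- */

/* CWE-1231: the lock bit is a plain read/write bit, so a later write clears it. */
void weak_write_lock(range_regs_t *regs, int i, bool v) { regs->r[i].locked = v; }

/* CWE-1233: config fields ignore the lock bit. CWE-1260: no overlap check. */
void weak_write_config(range_regs_t *regs, int i, uint32_t base, uint32_t limit, bool secure_only) {
    regs->r[i] = (region_t){ .base = base, .limit = limit, .secure_only = secure_only,
                             .locked = regs->r[i].locked, .valid = true };
}

/* ---- Hardened design ---- */

/* CWE-1231 fixed: the lock is sticky; a write of 0 is ignored, only reset clears it. */
bool hard_write_lock(range_regs_t *regs, int i, bool v) {
    if (i < 0 || i >= MAX_REGIONS || !v) return false;
    regs->r[i].locked = true;
    return true;
}

/* CWE-1260 check: does [base, limit] intersect any other valid region? */
bool overlaps_other(const range_regs_t *regs, int i, uint32_t base, uint32_t limit) {
    for (int j = 0; j < MAX_REGIONS; j++) {
        if (j == i || !regs->r[j].valid) continue;
        if (base <= regs->r[j].limit && regs->r[j].base <= limit) return true;
    }
    return false;
}

/* CWE-1233 and CWE-1260 fixed: a locked region is immutable, and a new range
 * may not overlap an existing one, so priority never has to be resolved. */
bool hard_write_config(range_regs_t *regs, int i, uint32_t base, uint32_t limit, bool secure_only) {
    if (i < 0 || i >= MAX_REGIONS || base > limit) return false;
    if (regs->r[i].locked) return false;
    if (overlaps_other(regs, i, base, limit)) return false;
    regs->r[i] = (region_t){ .base = base, .limit = limit, .secure_only = secure_only,
                             .locked = regs->r[i].locked, .valid = true };
    return true;
}

/* Scenarios: boot firmware locks region 0; later, untrusted software writes 0 to the
 * lock, tries to retarget the locked region, and tries to shadow the secure range
 * with an overlapping non-secure region 1. Each returns what a test would check. */
bool weak_lock_survives(void) {
    range_regs_t regs; regs_reset(&regs);
    weak_write_lock(&regs, 0, true);
    weak_write_lock(&regs, 0, false);
    return regs.r[0].locked;                    /* false: lock was cleared (CWE-1231) */
}

bool hard_lock_survives(void) {
    range_regs_t regs; regs_reset(&regs);
    hard_write_lock(&regs, 0, true);
    hard_write_lock(&regs, 0, false);
    return regs.r[0].locked;                    /* true: write of 0 ignored */
}

bool hard_locked_region_is_immutable(void) {
    range_regs_t regs; regs_reset(&regs);
    hard_write_config(&regs, 0, 0x40000000, 0x4000FFFF, true);
    hard_write_lock(&regs, 0, true);
    bool changed = hard_write_config(&regs, 0, 0x50000000, 0x5000FFFF, true);
    return !changed && regs.r[0].base == 0x40000000;   /* true: write rejected */
}

/* Returns true if a non-secure master is allowed to read 0x40000000, i.e. protection lost. */
bool weak_shadow_exposes_secure(void) {
    range_regs_t regs; regs_reset(&regs);
    weak_write_config(&regs, 0, 0x40000000, 0x4000FFFF, true);
    weak_write_lock(&regs, 0, true);
    weak_write_config(&regs, 1, 0x40000000, 0x40000FFF, false);  /* overlapping, higher index */
    return access_allowed(&regs, 0x40000000, false);             /* true (CWE-1260) */
}

bool hard_shadow_exposes_secure(void) {
    range_regs_t regs; regs_reset(&regs);
    hard_write_config(&regs, 0, 0x40000000, 0x4000FFFF, true);
    hard_write_lock(&regs, 0, true);
    hard_write_config(&regs, 1, 0x40000000, 0x40000FFF, false);  /* rejected: overlap */
    return access_allowed(&regs, 0x40000000, false);             /* false */
}

int main(void) {
    printf("weak: lock survives=%d, shadow exposes secure=%d\n",
           weak_lock_survives(), weak_shadow_exposes_secure());
    printf("hard: lock survives=%d, locked region immutable=%d, shadow exposes secure=%d\n",
           hard_lock_survives(), hard_locked_region_is_immutable(), hard_shadow_exposes_secure());
    return 0;
}
```

The point of the model is that each fix is a property of the register block, not of the firmware that programs it: a sticky lock, lock-gated configuration writes and an overlap check at write time are all things the RTL has to enforce, which is why these entries sit in a hardware weakness list rather than a software one.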


Policy Insights:

According to Saryu Nayyar, CEO, Gurucul (she/her), “Who would have thought that computing hardware would have security flaws? It turns out that hardware has plenty of vulnerabilities that can be exploited by competent and determined hackers. From poor system-on-a-chip design and implementation to improper shared physical memory spaces, hardware vulnerabilities can cause just as much havoc as software. Software developers and testers not only have to be concerned about their own code, but also weaknesses in the hardware they are deploying on. While it’s possible to keep some attackers out with firewalls and malware detection software, enterprises also have to use analytics to monitor unusual activity and flag that for possible intrusion.”