Policy Insights: CISA releases first-ever 2021 Common Weakness Enumeration (CWE)
CISA has released the first-ever 2021 Common Weakness Enumeration (CWE) list of the most important and common hardware weaknesses, compiled by the Hardware CWE Special Interest Group (SIG). Excerpt:
The 2021 CWE Most Important Hardware Weaknesses
- CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
- CWE-1191 On-Chip Debug and Test Interface With Improper Access Control
- CWE-1231 Improper Prevention of Lock Bit Modification
- CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
- CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
- CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State
- CWE-1256 Improper Restriction of Software Interfaces to Hardware Features
- CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges
- CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition
- CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code
- CWE-1277 Firmware Not Updateable
- CWE-1300 Improper Protection of Physical Side Channels
Policy Insights:
According to Saryu Nayyar, CEO, Gurucul (she/her), “Who would have thought that computing hardware would have security flaws? It turns out that hardware has plenty of vulnerabilities that can be exploited by competent and determined hackers. From poor system-on-a-chip design and implementation to improper shared physical memory spaces, hardware vulnerabilities can cause just as much havoc as software. Software developers and testers not only have to be concerned about their own code, but also weaknesses in the hardware they are deploying on. While it’s possible to keep some attackers out with firewalls and malware detection software, enterprises also have to use analytics to monitor unusual activity and flag that for possible intrusion.”