CWE Views
| View | Name | Description |
|---|---|---|
| V1 | Programming language-specific | When programming in or analyzing specific languages (C, Perl, Java, etc.), these are the issues of which you should be aware. Also covers runtime vs. compiled, and other language-related characteristics. |
| V2 | Platform-specific | When a program is run on a platform (Windows, UNIX, etc.) or in certain environments (32/64 bit, multi-processor), there are certain issues that should be checked for in addition to those of the actual language used, e.g., backslashes in paths, trailing filename dots, concurrency. |
| V3 | Technology-specific | Is the weakness generic, or is it primarily associated with, or dependent on, a certain technology class: Web, OS, Database? |
| V4 | Common Weakness Chains | When viewing a weakness, it is useful to know related issues. The proper fix may not lie in the same place where the result is seen, so finding the weaknesses that a given weakness commonly leads to or results from is useful to support patching and to visualize more abstract weakness relationships. |
| V5 | Taxonomy/Classification | From a more formal taxonomic perspective, the most appropriate abstraction levels for various weaknesses may be important. |
| V6 | Commonality | How easy is it for someone to make this mistake? How often is this weakness seen? |
| V7 | Risk/Severity-based | Correlation by CWE to ensure that all "high" risk weaknesses have been addressed. |
| V8 | Feature-specific | For a CWE, is it associated with other programming or security concepts? Does it usually involve or require features such as authentication, authorization, permissions, file access, or threading? |
| V9 | Resource-specific | Is the weakness associated with a specific system resource such as memory, files, or network sockets? |
| V10 | Attack-based | Typically, external researchers or auditors might perform testing on the running code. In this case, their results will most likely be described as attacks or vulnerabilities. If that is the case, a view grouping the CWEs by the causal vulnerability and/or triggering attack may be useful. |
| V11 | Genesis | A breakdown of issues based on which software development phase they typically occur in, e.g., design or implementation. |
| XS | CWE Cross-Section | A small set of diverse CWE nodes that illustrates the breadth and depth of CWE. |
| SAMATE | SAMATE Slice | The prioritized CWE nodes that are being focused on by SAMATE. |
| NVD | NVD Slice | The set of CWE nodes that NVD will use to classify their entries. |
| SANS | SANS Secure Programming Information | The set of CWE nodes that SANS' Secure Programming initiative is emphasizing for developer awareness. |
| OWASP | OWASP Top Ten | The CWE nodes associated with the OWASP Top Ten. |
Document version: 0.1 Date: September 12, 2007
This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.