CWE Views

| View | Name | Description |
|---|---|---|
| V1 | Programming language-specific | When programming or analyzing specific languages (C, Perl, Java, etc.), these are the issues of which you should be aware. Also covers runtime vs. compiled and other language-related characteristics. |
| V2 | Platform-specific | When a program is run on a platform (Windows, UNIX, etc.) or in certain environments (32/64 bit, multi-processor), there are certain issues that should be checked for in addition to those of the actual language used, e.g., backslashes in paths, trailing filename dots, concurrency. |
| V3 | Technology-specific | Is the weakness generic, or is it primarily associated with, or dependent on, a certain technology class: Web, OS, Database? |
| V4 | Common Weakness Chains | When viewing a weakness, it is useful to know related issues. The proper fix may not lie in the same place where the result is seen, so finding the weaknesses that commonly lead to or result from a given weakness is useful to support patching and to visualize more abstract weakness relationships. |
| V5 | Taxonomy/Classification | From a more formal taxonomic perspective, the most appropriate abstraction levels for various weaknesses may be important. |
| V6 | Commonality | How easy is it for someone to make this mistake? How often is this weakness seen? |
| V7 | Risk/Severity-based | Correlation by CWE to ensure that all "high" risk weaknesses have been addressed. |
| V8 | Feature-specific | For a CWE, is it associated with other programming or security concepts? Does it usually involve or require features such as authentication, authorization, permissions, file access, or threading? |
| V9 | Resource-specific | Is the weakness associated with a specific system resource such as memory, files, or network sockets? |
| V10 | Attack-based | Typically, external researchers or auditors might perform testing on the running code. In this case, their results will most likely be described as attacks or vulnerabilities. If that is the case, a view grouping CWEs by the causal vulnerability and/or triggering attack may be useful. |
| V11 | Genesis | A breakdown of issues based on which software development phase they typically occur in, e.g. design or implementation. |
| XS | CWE Cross-Section | A small set of diverse CWE nodes that illustrates the breadth and depth of CWE. |
| SAMATE | SAMATE Slice | The prioritized CWE nodes that are being focused on by SAMATE. |
| NVD | NVD Slice | The set of CWE nodes that NVD will use to classify their entries. |
| SANS | SANS Secure Programming Information | The set of CWE nodes that SANS' Secure Programming initiative is emphasizing for developer awareness. |
| OWASP | OWASP Top Ten | The CWE nodes associated with the OWASP Top Ten. |
Document version: 0.1 Date: September 12, 2007
This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.