Major Discussion Points for CWE Content
In Summer 2007, MITRE performed an extensive review of all CWE nodes
and identified some major discussion points that could have a
significant impact on future versions of CWE.
During Fall 2007, MITRE will engage the
CWE Researcher community on each of these points, use community
feedback to determine the best course of action, and modify CWE
accordingly. Informally, this process is being referred to as a
"scrub."
There are 3 main classes of Systemic
Issues within CWE, ignoring schema changes and minor modifications
to individual nodes:

| Class | Description |
|---|---|
| Inclusion | how certain types of nodes should be captured in CWE |
| Abstraction | whether some nodes are at the right level of abstraction, i.e. could be split into sub-nodes, or perhaps should be merged into a single node |
| Perspective | whether nodes are really described from the core, underlying "weakness" - and how other types of issues should be represented in the Common "Weakness" Enumeration. |
Included with each discussion point is:
- a brief description of the issue
- the expected impact of the issue on various stakeholders
- a set of possible approaches for resolving the issue
- a list of CWE nodes that demonstrate the issue
- MITRE's recommendations for the proper resolution
Main Discussion Points: Summary

| Discussion Point | Summary |
|---|---|
| Language-Specific Issues (LANGSPEC) | There are entries in CWE that describe a weakness in a way that is specific to a certain language or even a particular function within a language. |
| Resource-Specific Issues (RESSPEC) | Several groups of entries take a general weakness and create more specialized entries based on specific types of resources (e.g. files). |
| Technology-Specific Issues (TECHSPEC) | A fairly large group of entries describe weaknesses specific to a particular technology, such as specific OSes, frameworks, representations, or protocols. |
| Context-Specific Issues (CONSPEC) | Some issues are generally thought to be "bad practice" or misuse, but there are certain contexts in which they can be used legitimately. |
| Quality Indicators (QUALITY) | Some CWE entries describe properties of code that are relevant to quality and security, but do not directly introduce other weaknesses or vulnerabilities. |

Other Discussion Points

Other discussion points exist, but they have not been fully documented yet. MITRE will document and propose these over the upcoming months, as community input helps to clarify them. These issues include:
- NONWEAK: Nodes that do not describe weaknesses
- PERSP-OTHER: Other Perspectives
- LOW-LEVEL: Nodes at an extremely low level
- RESULTANT: Nodes that are only resultant from other nodes
- OVERLAP: Nodes that overlap each other
- MIXED: Sibling nodes that might not be well-organized under the same parent
- OTHER-ABST: Other issues related to Abstraction
- OTHER-INCL: Other issues related to Inclusion
- MULTI-FACTOR: Multi-Factor issues
Document version: 0.1 Date: September 12, 2007

This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.