CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > Community > Research > Major Discussion Points for CWE Content  
ID

Major Discussion Points for CWE Content
Major Discussion Points for CWE Content

In Summer 2007, MITRE performed an extensive review of all CWE nodes and identified some major discussion points that could have a significant impact on future versions of CWE.

During Fall 2007, MITRE will engage the CWE Researcher community on each of these points, use community feedback to determine the best course of action, and modify CWE accordingly. Informally, this process is being referred to as a "scrub."

There are 3 main classes of Systemic Issues within CWE, ignoring schema changes and minor modifications to individual nodes:

Inclusion how certain types of nodes should be captured in CWE
Abstraction whether some nodes are at the right level of abstraction, i.e. could be split into sub-nodes, or perhaps should be merged into a single node
Perspective whether nodes are really described from the core, underlying "weakness" - and how other types of issues should be represented in the Common "Weakness" Enumeration.

Included with each discussion point is:

  • a brief description of the issue
  • the expected impact of the issue on various stakeholders
  • a set of possible approaches for resolving the issue
  • a list of CWE nodes that demonstrate the issue
  • MITRE's recommendations for the proper resolution
Main Discussion Points: Summary
Main Discussion Points: Summary
Language-Specific Issues (LANGSPEC) There are entries in CWE that describe a weakness in a way that is specific to a certain language or even a particular function within a language.
Resource-Specific Issues (RESSPEC) Several groups of entries take a general weakness and create more specialized entries based on specific types of resources (e.g. files).
Technology-Specific Issues (TECHSPEC) A fairly large group of entries describe weaknesses specific to a particular technology, such as specific OSes, frameworks, representations, or protocols.
Context-Specific Issues (CONSPEC) Some issues are generally thought of to be "bad practice" or misuse, but they can be used in certain contexts that are legitimate.
Quality Indicators (QUALITY) Some CWE entries describe properties of code that are relevant to quality and security, but do not directly introduce other weaknesses or vulnerabilities.
Other Discussion Points Other discussion points exist, but they have not been fully documented yet. MITRE will document and propose these over the upcoming months, as community input helps to clarify them. These issues include:
  • NONWEAK: Nodes that do not describe weaknesses
  • PERSP-OTHER: Other Perspectives
  • LOW-LEVEL: Nodes at an extremely low level
  • RESULTANT: Nodes that are only resultant from other nodes
  • OVERLAP: Nodes that overlap each other
  • MIXED: Sibling nodes that might not be well-organized under the same parent.
  • OTHER-ABST: Other issues related to Abstraction
  • OTHER-INCL: Other issues related to Inclusion
  • MULTI-FACTOR: Multi-Factor issues

Document version: 0.1    Date: September 12, 2007

This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.


More information is available — Please select a different filter.
Page Last Updated: January 17, 2017