RESSPEC: Resource-Specific Issues and Examples

There are several groups of entries in CWE that take a weakness and elaborate on it in a resource-specific fashion. The best examples of this are the families headed up by CWE #200, Information Leak (Information Disclosure) and CWE #312, Plaintext Storage of Sensitive Information.

CWE #538, File and Directory Information Leaks, is an example of a resource-specific weakness. The problem is insecure storage of sensitive data, and the resource happens to be files and directories. See the children of #538 for a list of the different types of resources currently included in CWE (ACL files, core dump files, CVS repositories, etc.).

The problem here is deciding on where to draw the line between resources to include versus resources to exclude.

Possible Solutions / Questions to Discuss

Note: The mechanisms for node restructuring are still being defined. See the node restructuring page for details.

  • Leave CWE as it is.
  • Enumerate each individual resource-specific variation as its own CWE entry.
  • Include all resource-specific issues as examples in a more general CWE entry.
  • Create a new type of entry which will allow for capturing each type of resource-specific issue as an individual "sub-node" within the more general weakness CWE entry.
  • Create a resource-independent entry identifying the more abstract weakness and include each related resource-specific CWE entry as a child.
  • Create a resource-independent entry identifying the more abstract weakness, and MERGE all current resource-specific entries into this entry, creating "sub-nodes" if additional granularity is needed (see the node restructuring page for possible approaches).

Relevant Use-Cases

Assessment Vendors: Search for issues related to the resources they are interested in protecting.

Assessment Customers: Pick out the weaknesses that apply to the resources they are trying to protect.

Academic Researchers: Search for interaction problems between specific resources and a particular language or scheme.

Applied Vulnerability Researcher: Tailor testing and research to resource interactions with known problems.

Refined Vulnerability Information (RVI) Providers: Identify trends in where weaknesses are occurring, and whether they are specific to certain resources.

Educators: Not applicable.

Software Customers: Not applicable.

Software Developers: Identify resource-specific issues they have to be aware of.

Recommendation

The CWE Researcher Community is strongly encouraged to provide feedback to the CWE team or the researchers list regarding this recommendation.

To minimize the data loss and maximize the usability by all of the potential CWE customers, the MITRE CWE team recommends introducing a new type of entry to the CWE specification and including all the resource-specific issues as "sub-nodes" under a CWE entry for the more general CWE weakness. Whether these "sub-nodes" are separate nodes, or other types of elements, is still under discussion (see the node restructuring page for possible approaches).

For example, this would mean that all Information Leak entries would be included as "sub-nodes" under the "Information Leak" CWE-200 entry. The resource-specific entry "Error Message Information Leaks" (CWE-209) and all "Information Leak through ..." entries would then be MERGED into CWE-209 as sub-nodes and referenced as such (e.g., CWE-209.1 for the 1st sub-entry of 209). Note: the mechanisms for node restructuring are still being defined; see the node restructuring page for possible approaches.

Notes

Below is preliminary work done in order to more clearly identify problems present in CWE. Any issues not addressed above should be brought to the attention of the whole list, especially if the CWE ID is missing from the notes below.

Types of Resource-Specific Issues:

  • Delimiter problem in <resource>
    CWE IDs: 141, 142, 143, 144, 145, 146
  • Failed to mask <type of sensitive data>
    CWE IDs: 549
  • Plaintext storage in <resource>
    CWE IDs: 312, 313, 314, 315, 316, 317, 318
  • Information Leak through <resource>
    CWE IDs: 200, 209, 210, 211, 212, 214, 215, 528, 529, 530, 531, 532, 533, 534, 535, 536, 538, 539, 540, 541, 542, 598

Complete List of Examples

All CWE nodes that are affected by this discussion point are listed on a separate page.


Document version: 0.1    Date: September 13, 2007

This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.


Page Last Updated: January 17, 2017