| ID | View | Description |
|---|---|---|
| V1 | Programming language-specific | When programming or analyzing specific languages (C, Perl, Java, etc.), these are the issues of which you should be aware. Also, runtime vs. compiled, and other language-related characteristics. |
| V2 | Platform-specific | When a program is run on a platform (Windows, UNIX, etc.) or in certain environments (32/64 bit, multi-processor), there are certain issues that should be checked for in addition to the actual language used, e.g., backslashes in paths, trailing filename dots, concurrency. |
| V3 | Technology-specific | Is the weakness generic, or is it primarily associated with, or dependent on, a certain technology class: Web, OS, Database? |
| V4 | Common Weakness Chains | When viewing a weakness, it is useful to know related issues. The proper fix may not lie in the same place where the result is seen, so finding the weaknesses that commonly lead to or result from a given weakness is useful to support patching and to visualize more abstract weakness relationships. |
| V5 | Taxonomy/Classification | From a more formal taxonomic perspective, the most appropriate abstraction levels for various weaknesses may be important. |
| V6 | Commonality | How easy is it for someone to make this mistake? How often is this weakness seen? |
| V7 | Risk/Severity-based | Correlation by CWE to ensure that all "high" risk weaknesses have been addressed. |
| V8 | Feature-specific | For a CWE, is it associated with other programming or security concepts? Does it usually involve or require features such as authentication, authorization, permissions, file access, or threading? |
| V9 | Resource-specific | Is the weakness associated with a specific system resource such as memory, files, or network sockets? |
| V10 | Attack-based | Typically, external researchers or auditors perform testing on the running code. In this case, their results will most likely be described as attacks or vulnerabilities. If that is the case, a view grouping CWEs by the causal vulnerability and/or triggering attack may be useful. |
| V11 | Genesis | A breakdown of issues based on which software development phase they typically occur in, e.g. design or implementation. |
| XS | CWE Cross-Section | A small set of diverse CWE nodes that illustrates the breadth and depth of CWE. |
| SAMATE | SAMATE Slice | The prioritized CWE nodes that are being focused on by SAMATE. |
| NVD | NVD Slice | The set of CWE nodes that NVD will use to classify their entries. |
| SANS | SANS Secure Programming Information | The set of CWE nodes that SANS' Secure Programming initiative is emphasizing for developer awareness. |
| OWASP | OWASP Top Ten | The CWE nodes associated with the OWASP Top Ten. |