CWRAF - Vignette Summary

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator:

Bob Martin (MITRE)

Document Editor:

Steve Christey (MITRE)

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability.

Vignettes allow the Common Weakness Scoring System (CWSS) to support diverse audiences that may have different requirements for how weaknesses should be prioritized. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 23 vignettes that are being actively developed for CWRAF. The CWRAF community will help to refine these and develop others. Feedback is welcome.

banking-finance
  - Financial Trading: Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
  - Online Banking: The web-based interaction between a bank, credit union, or other financial institution and its consumers for managing accounts, paying bills, and conducting financial transactions.

chemical
  - Chemical Flow Control: A SCADA-based flow control system for a chemical plant. Underlying technology - heavy C usage. Systems developed in the pre-Internet era with management consoles interfacing to them.

ecomm
  - Web-Based Retail Provider: Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.

emerg-svc
  - First Responder: First responder (such as fire, police, and emergency medical personnel) for a disaster or catastrophe.

energy
  - Household Smart Meter: Meter within the Smart Grid that records electrical consumption and communicates this information to the supplier on a regular basis.
  - Smart Grid remote utility server: Obtains information from smart meters through neighborhood gateways.
  - Smart Grid Neighborhood Gateway: Appliance between smart meter and remote utility server.
  - Regional Electricity Flow Control: Flow control for an electricity network throughout a relatively large region, to further connect suppliers and consumers. Power now enters the grid from both sides (the classic provider, but also home-to-provider, e.g. photo-voltaic panels and wind turbines in homes and throughout the landscape). The system needs "smarts" for the load-leveling capabilities of the grid, which is basically a large distributed SCADA-type system.
  - SCADA Historian: Historian server for archival and analysis of data for a SCADA system. Contains a database backend and is accessible via a web interface. Access to the server is typically restricted to a DMZ or internal network.
  - Distributed Production Facility Management using SCADA Web-based HMI: A web-based Human Machine Interface (HMI) for SCADA systems. Users can visualize and control industrial automation processes in real time from a control interface directly in communication with remote sensors and data collection points. All facets of production can be monitored and managed from a web browser. The HMI uses various frameworks (Java, .NET, etc.) with a RESTful architecture (AJAX, XML, SOAP, XSL, and WML).

evoting
  - State Election Administration using remote Internet voting via absentee ballot: Internet-facing polling system supporting high-volume transactions and high availability. Data-centric - Database containing ballot information; audit log generation for each voter.
  - State or Local Elections using eVoting via Direct Recording Election Machines: DRE systems are not directly connected to the Internet. Vote data is uploaded to a centralized server via modem. An election worker retrieves hardcopies of the voting record from the machine and delivers the printouts to election officials. DRE machines are programmed with firmware uploaded from a compact flash card. It is generally accepted that the computer used to upload the firmware to the flash card should not be connected to the Internet.
  - State or Local Elections using eVoting via an Internet web application: Internet-facing polling systems are connected to the Internet and are designed to support high-volume transactions and high availability. A data-centric database is used to collect ballot information; audit logs are generated for each voter.
  - Corporate Shareholder Internet voting: Corporate shareholder voting using remote Internet voting.

human-res
  - Employee Compensation: Product for managing employee salary and bonuses. PII includes salary, financial transaction data (e.g. for direct deposit), social security number, home address, etc.

natl-defense
  - Weapon system sensor: Sensor for a weapons system that is connected to the Global Information Grid (GIG).

pub-health
  - Medical Billing: Medical encoding and billing. Data used includes Electronic Health Records (EHR), financial management, and interactions with insurance companies.
  - Human Medical Devices: Medical devices that are "implantable" or "partially embedded" in humans, as well as devices used in clinic or hospital environments ("patient care" devices). Includes items such as pacemakers and automatic drug delivery. Control or monitoring of the device might be performed by smartphones. The devices are not in a physically secured environment.

soc-media
  - Social Networking: Web site enabling a large community of people to post comments, create profiles, exchange messages or pictures, and join affiliation groups, e.g. Facebook, MySpace, Twitter, or LinkedIn. Free-form content, high connectivity between users, private messaging. Heavy Web 2.0 usage.
  - Electronic Dating: Web site for electronic dating. Users can create profiles with pictures, exchange private email, participate in discussion forums, and perform searches. Heavy Web 2.0 usage.

telecom
  - Teleworking - Remote Access Server: Remote Access Server used to support employees working outside the enterprise, including teleworking/telecommuting.
  - Teleworking - Web Mail: Use of web-based email for remote access.

Page Last Updated: January 18, 2017