CWE

Common Weakness Enumeration

A Community-Developed Dictionary of Software Weakness Types

Common Weakness Scoring System
Common Weakness Risk Analysis Framework
Home > CWE List > CWE- Individual Dictionary Definition (2.9)  

Presentation Filter:

CWE-16: Configuration

 
Configuration
Category ID: 16 (Category)Status: Draft
+ Description

Description Summary

Weaknesses in this category are typically introduced during the configuration of the software.
+ Detection Methods

Automated Static Analysis - Binary / Bytecode

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Rebuild & Compare

Effectiveness: SOAR Partial

Dynamic Analysis with automated results interpretation

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Network Vulnerability Scanner – scan for already-known vulnerabilities for specific products

  • Host-based Vulnerability Scanners – Examine configuration for flaws, verifying that audit mechanisms work, ensure host configuration meets certain predefined criteria

  • Web Application Scanner

  • Web Services Scanner

  • Database Scanners

Cost effective for partial coverage:

  • Network Scanner - id (sub)systems & ports. (what systems are there, ports up? Should they be?)

Effectiveness: SOAR High

Dynamic Analysis with manual results interpretation

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Fuzz Tester

  • Framework-based Fuzzer

Effectiveness: SOAR High

Manual Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Focused Manual Spotcheck - Focused manual analysis of source

  • Manual Source Code Review (not inspections)

Effectiveness: SOAR High

Automated Static Analysis - Source Code

According to SOAR, the following detection techniques may be useful:

Cost effective for partial coverage:

  • Source code Weakness Analyzer

  • Context-configured Source Code Weakness Analyzer

Effectiveness: SOAR Partial

Automated Static Analysis

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Configuration Checker

Cost effective for partial coverage:

  • Origin Analysis

Effectiveness: SOAR High

Architecture / Design Review

According to SOAR, the following detection techniques may be useful:

Highly cost effective:

  • Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)

Cost effective for partial coverage:

  • Attack Modeling

Effectiveness: SOAR High

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory1Location
Development Concepts (primary)699
ChildOfCategoryCategory933OWASP Top Ten 2013 Category A5 - Security Misconfiguration
Weaknesses in OWASP Top Ten (2013) (primary)928
MemberOfViewView635Weaknesses Used by NVD
Weaknesses Used by NVD (primary)635
MemberOfViewView1003Weaknesses for Simplified Mapping of Published Vulnerabilities
Weaknesses for Simplified Mapping of Published Vulnerabilities (primary)1003
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
WASC14Server Misconfiguration
WASC15Application Misconfiguration
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Relationships
2010-02-16CWE Content TeamMITREInternal
updated Taxonomy_Mappings
2013-07-17CWE Content TeamMITREInternal
updated Relationships
2014-07-30CWE Content TeamMITREInternal
updated Detection_Factors
2015-12-07CWE Content TeamMITREInternal
updated Relationships
Page Last Updated: December 08, 2015