This view is intended to facilitate research into weaknesses, including their
inter-dependencies and their role in vulnerabilities. It classifies weaknesses
in a way that largely ignores how they can be detected, where they appear in
code, and when they are introduced in the software development life-cycle.
Instead, it is mainly organized according to abstractions of software behaviors.
It uses a deep hierarchical organization, with more levels of abstraction than
other classification schemes. The top-level entries are called Pillars.
Where possible, this view uses abstractions that do not consider particular
languages, frameworks, technologies, life-cycle development phases, frequency of
occurrence, or types of resources. It explicitly identifies relationships that
form chains and composites, which have not been a formal part of past
classification efforts. Chains and composites might help explain why mutual
exclusivity is difficult to achieve within security error taxonomies.
This view is roughly aligned with MITRE's research into vulnerability theory,
especially with respect to behaviors and resources. Ideally, this view will only
cover weakness-to-weakness relationships, with minimal overlap and very few
categories. This view could be useful for academic research, CWE maintenance,
and mapping. It can be leveraged to systematically identify theoretical gaps
within CWE and, by extension, the general security community.
