The following PDF files are graphical representations of several CWE views. Each graph draws the structure implied by the parent (ChildOf) relationships in a view, so the hierarchy can be taken in at a glance. Some files are "coverage graphs," in which the members of a smaller view (a Top-N list or an external standard mapped to CWE) are highlighted within the context of a larger view such as the Research View or the Development View. This shows how the entries of the smaller view are organized by the larger view, and which parts of the larger view the smaller view leaves untouched.
The legend column lists the entries that are colored in each graph; entries that share a legend row are joined with a comma, separate rows with a semicolon. The colors themselves are visible only in the PDFs.

| Graph (PDF) | What it shows | Legend (entries colored in the graph) |
|---|---|---|
| Research View with Abstractions Highlighted | The Research View with the levels of weakness abstraction and the entry types colored | Category; Weakness Class; Weakness Base; Weakness Variant; Compound Elements |
| Seven Pernicious Kingdoms Highlighted in the Research View | The Research View with the Seven Pernicious Kingdoms entries colored | Environment; Input Validation; API Abuse; Security Features; Time and State; Error Handling; Code Quality; Encapsulation |
| Development View with Abstractions Highlighted | The Development View with the levels of weakness abstraction and the entry types colored | Category; Weakness Class; Weakness Base; Weakness Variant; Compound Elements |
| Development View with Categories Highlighted | The Development View with the Category entry type colored | Category |
| Seven Pernicious Kingdoms Highlighted in the Development View | The Development View with the Seven Pernicious Kingdoms entries colored | Environment; Input Validation; API Abuse; Security Features; Time and State; Error Handling; Code Quality; Encapsulation |
| Seven Pernicious Kingdoms View in CWE | The Seven Pernicious Kingdoms entries in CWE, colored by kingdom | Environment; Input Validation; API Abuse; Security Features; Time and State; Error Handling; Code Quality; Encapsulation |
| OWASP 2004 Highlighted in the Development View | The Development View with the OWASP Top Ten 2004 entries colored | A1 - Unvalidated Input; A2 - Broken Access Control; A3 - Broken Authentication and Session Management; A4 - Cross-Site Scripting (XSS) Flaws; A5 - Buffer Overflows; A6 - Injection Flaws; A7 - Improper Error Handling; A8 - Insecure Storage; A9 - Denial of Service; A10 - Insecure Configuration Management |
| OWASP 2004 Highlighted in the Research View | The Research View with the OWASP Top Ten 2004 entries colored | A1 - Unvalidated Input; A2 - Broken Access Control; A3 - Broken Authentication and Session Management; A4 - Cross-Site Scripting (XSS) Flaws; A5 - Buffer Overflows; A6 - Injection Flaws; A7 - Improper Error Handling; A8 - Insecure Storage; A9 - Denial of Service; A10 - Insecure Configuration Management |
| OWASP 2004 in CWE | The OWASP Top Ten 2004 entries that have been mapped to CWE entries | A1 - Unvalidated Input; A2 - Broken Access Control; A3 - Broken Authentication and Session Management; A4 - Cross-Site Scripting (XSS) Flaws; A5 - Buffer Overflows; A6 - Injection Flaws; A7 - Improper Error Handling; A8 - Insecure Storage; A9 - Denial of Service; A10 - Insecure Configuration Management |
| OWASP 2007 in CWE | The OWASP Top Ten 2007 entries that have been mapped to CWE entries | A1 - Cross Site Scripting (XSS); A2 - Injection Flaws; A3 - Malicious File Execution; A4 - Insecure Direct Object Reference; A5 - Cross Site Request Forgery (CSRF); A6 - Information Leakage and Improper Error Handling; A7 - Broken Authentication and Session Management; A8 - Insecure Cryptographic Storage; A9 - Insecure Communications; A10 - Failure to Restrict URL Access |
| Development View with OWASP 2004 in Red | The Development View with the OWASP 2004 entries highlighted in red for visibility at a distance | OWASP 2004 CWE Entry |
| Research View with OWASP 2004 in Red | The Research View with the OWASP 2004 entries highlighted in red for visibility at a distance | OWASP 2004 CWE Entry |
| Research View with Seven Pernicious Kingdoms in Red | The Research View with the Seven Pernicious Kingdoms entries highlighted in red for visibility at a distance | Seven Pernicious Kingdoms CWE Entry |
| Development View with Seven Pernicious Kingdoms in Red | The Development View with the Seven Pernicious Kingdoms entries highlighted in red for visibility at a distance | Seven Pernicious Kingdoms CWE Entry |
| CERT C Secure Coding Standard | The CERT C Secure Coding Standard view on its own | Preprocessor (PRE), Signals (SIG); Declarations and Initialization (DCL), Error Handling (ERR); Expressions (EXP), Miscellaneous (MSC); Integers (INT); Floating Point (FLP); Arrays (ARR); Characters and Strings (STR); Memory Management (MEM); Input Output (FIO); Environment (ENV), POSIX (POS) |
| CERT C Secure Coding Standard | The CERT C Secure Coding Standard view within the Research View | Preprocessor (PRE), Signals (SIG); Declarations and Initialization (DCL), Error Handling (ERR); Expressions (EXP), Miscellaneous (MSC); Integers (INT); Floating Point (FLP); Arrays (ARR); Characters and Strings (STR); Memory Management (MEM); Input Output (FIO); Environment (ENV), POSIX (POS) |
| CERT C Secure Coding Standard | The CERT C Secure Coding Standard view within the Development View | Preprocessor (PRE), Signals (SIG); Declarations and Initialization (DCL), Error Handling (ERR); Expressions (EXP), Miscellaneous (MSC); Integers (INT); Floating Point (FLP); Arrays (ARR); Characters and Strings (STR); Memory Management (MEM); Input Output (FIO); Environment (ENV), POSIX (POS) |
| CWE/SANS Top 25 | The CWE/SANS Top 25 entries, colored by their three categories | Insecure Interaction Between Components; Risky Resource Management; Porous Defenses |
| Development View with CWE/SANS Top 25 in Red | The Development View with the CWE/SANS Top 25 entries highlighted in red for visibility at a distance | CWE/SANS Top 25 Entry |
| Research View with CWE/SANS Top 25 in Red | The Research View with the CWE/SANS Top 25 entries highlighted in red for visibility at a distance | CWE/SANS Top 25 Entry |
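As an added example (not code from the CWE site), the following Python builds a coverage graph of the kind listed above from ChildOf edges: given a large view's parent relationships and a smaller view's member list, it keeps the members and every ancestor on their path to the root, and emits Graphviz DOT with the members filled in red and unrelated entries grayed out, so the covered region stands out at a distance. The ChildOf edges and the small view are a constructed excerpt, labelled as such in the code; take real relationships from the CWE XML download for the version you work with. Members of the small view that do not appear in the large view at all are dropped rather than drawn, which is the mapping check a practitioner wants when a Top-N list is compared against a view.

```python
from collections import defaultdict

# Constructed excerpt of ChildOf edges (child, parent) in a large view such as
# the Research View.  Illustrative only: the authoritative hierarchy is in the
# CWE XML download and changes between CWE versions.
CHILD_OF = [
    ("CWE-74", "CWE-707"),   # Injection                 -> Improper Neutralization
    ("CWE-20", "CWE-707"),   # Improper Input Validation -> Improper Neutralization
    ("CWE-77", "CWE-74"),    # Command Injection         -> Injection
    ("CWE-78", "CWE-77"),    # OS Command Injection      -> Command Injection
    ("CWE-79", "CWE-74"),    # Cross-site Scripting      -> Injection
    ("CWE-943", "CWE-74"),   # Data Query Logic          -> Injection
    ("CWE-89", "CWE-943"),   # SQL Injection             -> Data Query Logic
]

# Constructed "smaller view" (think of a Top-N list) whose members should be
# highlighted within the large view above.
SMALL_VIEW = {"CWE-78", "CWE-79", "CWE-89"}


def build_tree(child_of):
    """Return (children, parent) maps built from ChildOf edges."""
    children, parent = defaultdict(list), {}
    for child, par in child_of:
        children[par].append(child)
        parent[child] = par
    return children, parent


def view_nodes(child_of):
    """Every entry mentioned in the large view, as child or parent."""
    return {n for edge in child_of for n in edge}


def roots(child_of):
    """Entries with no parent: the top of the view's hierarchy."""
    _, parent = build_tree(child_of)
    return sorted(n for n in view_nodes(child_of) if n not in parent)


def ancestors(node, parent):
    """Entries on the path from `node` up to its root, nearest first."""
    path = []
    while node in parent:
        node = parent[node]
        path.append(node)
    return path


def coverage(child_of, members):
    """Large-view entries that are members of the small view or ancestors of one.

    Members absent from the large view are silently dropped here; callers that
    audit a mapping should diff `set(members) - view_nodes(child_of)` to see them.
    """
    _, parent = build_tree(child_of)
    keep = set()
    for m in set(members) & view_nodes(child_of):
        keep.add(m)
        keep.update(ancestors(m, parent))
    return keep


def to_dot(child_of, members, color="red"):
    """Graphviz DOT: members filled with `color`, their ancestors drawn plain,
    and entries on no path to a member drawn in gray."""
    on_path = coverage(child_of, members)
    lines = ["digraph cwe_view {", "  rankdir=TB;", "  node [shape=box];"]
    for n in sorted(view_nodes(child_of)):
        if n in members:
            lines.append(f'  "{n}" [style=filled, fillcolor="{color}"];')
        elif n in on_path:
            lines.append(f'  "{n}";')
        else:
            lines.append(f'  "{n}" [color="gray", fontcolor="gray"];')
    for child, par in child_of:
        lines.append(f'  "{par}" -> "{child}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(CHILD_OF, SMALL_VIEW))
```

Piping the output through `dot -Tpdf -o coverage.pdf` produces a PDF in the same spirit as the "in Red" graphs above. Swapping the constructed edge list for the full ChildOf relationships of a view from the CWE XML, and the constructed member set for a Top 25 or an OWASP mapping, gives the corresponding coverage graph for any CWE version.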
Please contact cwe@mitre.org with suggestions for additional views.