Common Weakness Enumeration

PDFs with Graphical Depictions of CWE (Version 2.8)

The following PDF files provide graphical representations of various CWE views, which provide a way of quickly seeing the structure implied by the parent relationships in those views. Some files provide "coverage graphs," in which the members of a smaller view are highlighted within the context of a larger view. This provides a way to see how the entries of the smaller view are organized by the larger view.

This graph depicts the Research View with the varying levels of weakness abstractions and entry types colored as specified below.
Research View with Abstractions Highlighted
Category
Weakness Class
Weakness Base
Weakness Variant
Compound Elements
This graph depicts the Research View with the Seven Pernicious Kingdoms entries colored as specified below.
Seven Pernicious Kingdoms Highlighted in the Research View
Environment
Input Validation
API Abuse
Security Features
Time and State
Error Handling
Code Quality
Encapsulation
This graph depicts the Development View with the varying levels of weakness abstractions and entry types colored as specified below.
Development View with Abstractions Highlighted
Category
Weakness Class
Weakness Base
Weakness Variant
Compound Elements
This graph depicts the Development View with the Category entry types colored as specified below.
Development View with Categories Highlighted
Category
This graph depicts the Development View with the Seven Pernicious Kingdoms entries colored as specified below.
Seven Pernicious Kingdoms Highlighted in the Development View
Environment
Input Validation
API Abuse
Security Features
Time and State
Error Handling
Code Quality
Encapsulation
This graph depicts the Seven Pernicious Kingdoms entries in CWE colored as specified below.
Seven Pernicious Kingdoms View in CWE
Environment
Input Validation
API Abuse
Security Features
Time and State
Error Handling
Code Quality
Encapsulation
This graph depicts Software Fault Pattern (SFP) Clusters in CWE colored as specified below.
Software Fault Pattern (SFP) Clusters View in CWE
Primary SFP Cluster
Secondary SFP Cluster
Weakness
This graph depicts the Development View weaknesses that have defined Software Fault Pattern (SFP) entries highlighted in red for visibility at a distance.
Development View weaknesses with Software Fault Patterns (SFP) in Red
Software Fault Pattern (SFP)
This graph depicts the Research View weaknesses that have defined Software Fault Pattern (SFP) entries highlighted in red for visibility at a distance.
Research View weaknesses with Software Fault Patterns (SFP) in Red
Software Fault Pattern (SFP)
This graph depicts the Development View with the OWASP Top 10 (2004) entries colored as specified below.
OWASP Top 10 (2004) Highlighted in the Development View
A1 - Unvalidated Input
A2 - Broken Access Control
A3 - Broken Authentication and Session Management
A4 - Cross-Site Scripting (XSS) Flaws
A5 - Buffer Overflows
A6 - Injection Flaws
A7 - Improper Error Handling
A8 - Insecure Storage
A9 - Denial of Service
A10 - Insecure Configuration Management
This graph depicts the Research View with the OWASP Top 10 (2004) entries colored as specified below.
OWASP Top 10 (2004) Highlighted in the Research View
A1 - Unvalidated Input
A2 - Broken Access Control
A3 - Broken Authentication and Session Management
A4 - Cross-Site Scripting (XSS) Flaws
A5 - Buffer Overflows
A6 - Injection Flaws
A7 - Improper Error Handling
A8 - Insecure Storage
A9 - Denial of Service
A10 - Insecure Configuration Management
This graph depicts the OWASP Top 10 (2004) entries that have been mapped to CWE entries.
OWASP Top 10 (2004) in CWE
A1 - Unvalidated Input
A2 - Broken Access Control
A3 - Broken Authentication and Session Management
A4 - Cross-Site Scripting (XSS) Flaws
A5 - Buffer Overflows
A6 - Injection Flaws
A7 - Improper Error Handling
A8 - Insecure Storage
A9 - Denial of Service
A10 - Insecure Configuration Management
This graph depicts the OWASP Top 10 (2007) entries that have been mapped to CWE entries.
OWASP Top 10 (2007) in CWE
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access
This graph depicts the OWASP Top 10 (2013) entries that have been mapped to CWE entries.
OWASP Top 10 (2013) in CWE
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
This graph depicts the Development View with OWASP Top 10 (2004) entries highlighted in red for visibility at a distance.
Development View with OWASP Top 10 (2004) in Red
OWASP Top 10 (2004) CWE Entry
This graph depicts the Research View with OWASP Top 10 (2004) entries highlighted in red for visibility at a distance.
Research View with OWASP Top 10 (2004) in Red
OWASP Top 10 (2004) CWE Entry
This graph depicts the Research View with Seven Pernicious Kingdoms entries highlighted in red for visibility at a distance.
Research View with Seven Pernicious Kingdoms in Red
Seven Pernicious Kingdoms CWE Entry
This graph depicts the Development View with Seven Pernicious Kingdoms entries highlighted in red for visibility at a distance.
Development View with Seven Pernicious Kingdoms in Red
Seven Pernicious Kingdoms CWE Entry
This graph depicts the CERT C Secure Coding Standard view.
CERT C Secure Coding Standard
Preprocessor (PRE), Signals (SIG)
Declarations and Initialization (DCL), Error Handling (ERR)
Expressions (EXP), Miscellaneous (MSC)
Integers (INT)
Floating Point (FLP)
Arrays (ARR)
Characters and Strings (STR)
Memory Management (MEM)
Input Output (FIO)
Environment (ENV), POSIX (POS)
This graph depicts the CERT C Secure Coding Standard view within the Research View.
CERT C Secure Coding Standard within the Research View
Preprocessor (PRE), Signals (SIG)
Declarations and Initialization (DCL), Error Handling (ERR)
Expressions (EXP), Miscellaneous (MSC)
Integers (INT)
Floating Point (FLP)
Arrays (ARR)
Characters and Strings (STR)
Memory Management (MEM)
Input Output (FIO)
Environment (ENV), POSIX (POS)
This graph depicts the CERT C Secure Coding Standard view within the Development View.
CERT C Secure Coding Standard within the Development View
Preprocessor (PRE), Signals (SIG)
Declarations and Initialization (DCL), Error Handling (ERR)
Expressions (EXP), Miscellaneous (MSC)
Integers (INT)
Floating Point (FLP)
Arrays (ARR)
Characters and Strings (STR)
Memory Management (MEM)
Input Output (FIO)
Environment (ENV), POSIX (POS)
This graph depicts the Research View with the CWE Cross-section entries highlighted in red for visibility at a distance.
Research View with CWE Cross-section in Red
CWE Cross-section Entry
This graph depicts the Development View with the CWE Cross-section entries highlighted in red for visibility at a distance.
Development View with CWE Cross-section in Red
CWE Cross-section Entry
This graph depicts the 2011 CWE/SANS Top 25 entries colored as specified below.
2011 CWE/SANS Top 25
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses
Weaknesses On the Cusp
This graph depicts the 2010 CWE/SANS Top 25 entries colored as specified below.
2010 CWE/SANS Top 25
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses
Weaknesses On the Cusp
This graph depicts the Development View with the 2010 CWE/SANS Top 25 entries highlighted in red for visibility at a distance.
Development View with 2010 CWE/SANS Top 25 in Red
2010 CWE/SANS Top 25 Entry
This graph depicts the Research View with the 2010 CWE/SANS Top 25 entries highlighted in red for visibility at a distance.
Research View with 2010 CWE/SANS Top 25 in Red
2010 CWE/SANS Top 25 Entry
This graph depicts the 2009 CWE/SANS Top 25 entries colored as specified below.
2009 CWE/SANS Top 25
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses

Please contact cwe@mitre.org with suggestions for additional views.

Page Last Updated: July 31, 2014