TECHSPEC: Technology Specific Issues and Examples
There is a fairly large group of entries in CWE (at least 50, up to 100) that
describe weaknesses specific to a particular technology. "Technology" might
mean a specific OS:
CWE #60, Unix Path Link Problems (and children)
CWE #67, Windows MS-DOS device names
CWE #70, Mac Virtual File Problems (and children)
or a specific framework such as .NET or J2EE
CWE #519, .NET Environment Issues (and children)
CWE #4, J2EE Environment Issues (and children)
or, with some overlap with the Language Specific materials, there can be
problems specific to technologies like XML, HTTP, SSL, SQL, etc., such as
CWE #91, XML Injection (aka Blind XPath Injection)
CWE #113, HTTP Response Splitting
CWE #618, Exposed Unsafe ActiveX Method
These different types of problems raise several abstraction issues for CWE
because many of these entries represent instantiations of a more general
weakness in the context of a certain technology. For example, XML Injection
is an example of a failed protection mechanism in which characters special
to XML were allowed to pass through.
Possible Solutions / Questions to Discuss
Note: The mechanisms for node restructuring are still being defined.
See the node restructuring page for details.
- Leave CWE as it is.
- Enumerate each individual technology-specific variation as its own
CWE entry.
- Include all technology-specific issues as "variants" in a more
general CWE entry.
- Create a new type of entry that will allow for capturing each type of
technology-specific issue as an individual "sub-node" within the more
general weakness CWE entry.
- Create a technology-independent entry identifying the more abstract
weakness, and include each related technology-specific CWE entry as a
child.
- Create a technology-independent entry identifying the more abstract
weakness, and MERGE all current technology-specific entries from CWE
into this more abstract entry (see the node restructuring page for
possible approaches).
Relevant Use-Cases
Assessment Vendors: Search for different issues based upon the
technology used.
Assessment Customers: Pick out the weaknesses that apply to
technologies used by their codebase.
Academic Researchers: Not applicable.
Applied Vulnerability Researchers: Tailor testing and research to the
specific issues of the technologies being explored.
Refined Vulnerability Information (RVI) Providers: Useful to be able
to identify "more secure" technologies and make recommendations.
Educators: Not applicable.
Software Customers: Useful to know what the more secure technologies
are.
Software Developers: Be aware of problems with technologies being used
in their work.
Note: This obviously has a good amount of overlap with
language-specific weaknesses, but we have done our best to break it
down into the unique issues.
Recommendation
The CWE Researcher Community is strongly encouraged to provide
feedback to the CWE team or the researchers list regarding this
recommendation.
To minimize the data loss and maximize the usability by all of the
potential CWE customers, the MITRE CWE team recommends introducing a
new type of entry to the CWE specification, and including all the
technology-specific issues as "sub-nodes" under a CWE entry for the
more general CWE weakness.
For example, this would mean that all Relative Path Traversal entries
would be included as "variants" under the "Relative Path Traversal"
CWE-23 entry. So, the technology-specific entry of "dot dot backslash"
(CWE-28) would be MERGED under CWE-23 as a "sub-node" along with other
specific entries. Note: the mechanisms for node restructuring are
still being defined; see the node restructuring page for possible
approaches.
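The abstraction point made above (a technology-specific entry such as "dot dot backslash", CWE-28, is one instantiation of the general weakness Relative Path Traversal, CWE-23) can be seen in code. The following is an added illustration, not part of the CWE document: a filter written for one technology's spelling of the path separator beside a check written against the general weakness. The file-serving endpoint, its base directory and the sample names are assumptions constructed for the example.

```python
import posixpath

# Constructed sample inputs (not from the CWE document): a hypothetical file-serving
# endpoint receives a user-supplied relative name and must keep it under one base directory.
SAMPLE_NAMES = [
    "reports/q3.txt",             # benign
    "reports/./q3.txt",           # benign, redundant "."
    "../../outside.txt",          # CWE-23 variant: "dot dot slash" (Unix spelling)
    "..\\..\\outside.txt",        # CWE-28 variant: "dot dot backslash" (Windows spelling)
    "reports/../../outside.txt",  # climbs out after a valid first component
    "/abs/outside.txt",           # absolute path, not relative at all
]


def unix_specific_filter(name: str) -> bool:
    """Technology-specific check: rejects only the Unix '../' spelling.

    Returns True when the name is accepted. It models a filter written with one
    OS in mind, which is why CWE carries '..\\' as its own entry (CWE-28).
    """
    return "../" not in name


def technology_independent_check(name: str) -> bool:
    """Check for the general weakness (CWE-23, Relative Path Traversal).

    Treats both '/' and '\\' as separators, rejects absolute paths and drive
    letters, collapses '.' and '..' lexically, and accepts only names that
    remain relative to the base directory. Returns True when accepted.
    """
    unified = name.replace("\\", "/")
    first = unified.split("/", 1)[0]
    if unified.startswith("/") or ":" in first:
        return False  # absolute Unix path or a Windows drive letter such as "C:"
    collapsed = posixpath.normpath(unified)
    return collapsed != ".." and not collapsed.startswith("../")


def compare_checks(names=SAMPLE_NAMES) -> dict:
    """Map each sample name to (accepted by OS-specific filter, accepted by general check)."""
    return {n: (unix_specific_filter(n), technology_independent_check(n)) for n in names}


if __name__ == "__main__":
    for name, (specific, general) in compare_checks().items():
        print(f"{name!r:32} unix-only filter: {specific!s:5}  general check: {general}")
```

The OS-specific filter accepts the Windows spelling because it only knows the Unix one; the check written against the general weakness rejects both, which is the relationship the "sub-node" proposal is meant to capture. The check is purely lexical: in a real service the name must be percent-decoded before it is checked, and the resulting path should still be resolved (symbolic links included) and compared against the base directory before any file is opened.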
Additional Notes
Below is preliminary work done in order to more clearly identify problems
present in CWE. Any issues not addressed above should be brought to the
attention of the whole list, especially if the CWE ID is missing from the
notes below.
- Mac
*70-72
- ActiveX
*618, 623
- SQL
*89, 564
- Windows
*58, 67-69, 422, 63-65
- Unix
*60, 61, 62
- Categories for generic Tech-Specific issues
*3, 100, 380, 573
- XML
*91, 112, 611
- HTTP / SSL / Other Web Specific
*113, 350, 444, 593, 598, 599, 614
- .Net Issues
*10-13, 519, 520, 554, 556
- J2EE/Java/EJB
*4-9, 245, 246, 381-383, 486, 536 (double listed as both tech &
resource specific), 537, 543, 555, 568, 574-581, 594, 600
- STRUTS Issues
*101-110, 608
- Uncertain
*219 & 220(resource specific?), 304, 582, 583
- Omit
*396, 397, 589
- Misc. Notes:
*Many nodes are labeled as Java/J2EE specific when the issue is more
generally applicable to most OO languages (C# for example). Examples of
these nodes are any of the Mobile Code Issues, Erroneous Finalize
Method, etc.
Complete List of Examples
All CWE nodes that are affected by this discussion point are listed on
a separate page.
Document version: 0.1 Date: September 13, 2007
This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical
audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.