Discussion of Issues in CWE Draft 6
Following is a summary of the main overall issues in CWE Draft 6.
- Some "weakness" nodes are not about weaknesses. The most
noticeable are nodes that are focused on attacks (e.g. HTTP Response
Splitting, Man-in-the-Middle). CWE also has grouping nodes such as
"Authentication Issues" that might be useful for navigation but are
not weaknesses themselves.
- Abstraction Challenges. Some nodes might be broken down
into sub-nodes in ways that don't make sense to some users. Others
might be regarded as too high-level. Some nodes might be too
low-level.
- Different Perspectives. CWE nodes can be organized and
described along different perspectives, which might not be suitable
for some users.
- Usability. There are different types of users of CWE, but
its current layout and navigation are relatively limited.
- Incomplete Entries. There are numerous fields available for
CWE nodes, but many entries do not have as much detailed information
as they could, including the description and relationships.
- Vague Names or Descriptions. Some entries have names or
descriptions that do not clearly describe the issue.
Document version: 0.1
Date: September 13, 2007
This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical
audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.