Common Weakness Enumeration (CWE)

CWE Views

User Issues/Questions

  • Is this the right view? What are the others?
  • Is the navigation/structure natural? Does it allow me to easily find what I'm looking for?

Types of Views

  • Lists: simple lists of CWE nodes for a specialized purpose.
  • Organization Schemes: hierarchical or other organizational schemes built for a specific purpose.

Views

V1 Programming language-specific
When writing or analyzing code in a specific language (C, Perl, Java, etc.), these are the weaknesses to be aware of. This also covers interpreted vs. compiled execution and other language-level characteristics.
V2 Platform-specific
When a program runs on a particular platform (Windows, UNIX, etc.) or in a particular environment (32/64-bit, multi-processor), certain issues should be checked for in addition to those tied to the language itself, e.g., backslashes as path separators, trailing dots in filenames, and concurrency.
V3 Technology-specific
Is the weakness generic, or is it primarily associated with, or dependent on, a particular technology class such as Web, OS, or database?
V4 Common Weakness Chains
When viewing a weakness, it is useful to know its related issues. The proper fix may not lie where the symptom is observed, so identifying the weaknesses that commonly lead to, or result from, a given weakness supports patching and makes more abstract weakness relationships visible.
V5 Taxonomy/Classification
From a more formal taxonomic perspective, the most appropriate abstraction levels for various weaknesses may be important.
V6 Commonality
How easy is it for someone to make this mistake? How often is this weakness seen?
V7 Risk/Severity-based
Grouping by risk level so that a reviewer can confirm that all "high"-risk weaknesses have been addressed.
V8 Feature-specific
For a CWE, is it associated with other programming or security concepts? Does it usually involve or require features such as authentication, authorization, permissions, file access, or threading?
V9 Resource-specific
Is the weakness associated with a specific system resource such as memory, files, or network sockets?
V10 Attack-based
Typically, external researchers or auditors test the running code rather than reading it. In that case, their results will most likely be described as attacks or vulnerabilities, so a view that groups CWEs by the causal vulnerability and/or the triggering attack may be useful.
V11 Genesis
A breakdown of issues based on which software development phase they typically occur in, e.g. design or implementation.
XS CWE Cross-Section
A small set of diverse CWE nodes that illustrates the breadth and depth of CWE.
SAMATE SAMATE Slice
The prioritized CWE nodes that are being focused on by SAMATE.
NVD NVD Slice
The set of CWE nodes that NVD will use to classify their entries.
SANS SANS Secure Programming Information
The set of CWE nodes that SANS' Secure Programming initiative is emphasizing for developer awareness.
OWASP OWASP Top Ten
The CWE nodes associated with the OWASP Top Ten.
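The V2 (Platform-specific) entry above names backslashes in paths and trailing dots in filenames as Windows issues to check beyond what the language alone implies. The following is an added example, not code from this page or from the CWE project: a file-upload confinement check and extension denylist written with only POSIX path rules, beside a Windows-aware version that canonicalizes the name first. The base directory C:/srv/uploads, the denylist, and the sample filenames are constructed for illustration, and the trailing-dot handling is a simplified subset of Win32 naming rules, not a full model of them.

```python
import ntpath
import posixpath

# Constructed example: an upload handler that must keep user-supplied names
# inside BASE. The base directory and denylist are illustrative assumptions.
BASE = "C:/srv/uploads"
BLOCKED_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd"}


def naive_is_confined(user_path: str) -> bool:
    """Language-level check only: treats '/' as the sole separator.
    Fine on UNIX, but on Windows '\\' is also a separator, so a backslash
    traversal sequence survives normalisation and the prefix test passes."""
    joined = posixpath.normpath(posixpath.join(BASE, user_path))
    return joined == BASE or joined.startswith(BASE + "/")


def naive_extension_ok(user_path: str) -> bool:
    """Denylist on the literal extension. 'payload.exe.' has extension '.'
    here, yet Windows drops the trailing dot and creates payload.exe."""
    return posixpath.splitext(user_path)[1].lower() not in BLOCKED_EXTENSIONS


def windows_canonical(user_path: str) -> str:
    """Approximate the name Win32 would actually open (assumption: a
    simplified subset of its rules): both separators collapse to '\\',
    '..' components are resolved, and trailing dots/spaces on the final
    component are dropped. ntpath is pure Python, so this runs on any OS."""
    base = ntpath.normpath(BASE.replace("/", "\\"))
    norm = ntpath.normpath(ntpath.join(base, user_path))
    head, tail = ntpath.split(norm)
    tail = tail.rstrip(". ")
    return ntpath.join(head, tail) if tail else head


def windows_is_confined(user_path: str) -> bool:
    """Platform-aware confinement: compare canonical forms, case-insensitively
    because NTFS path lookup is case-insensitive."""
    base = ntpath.normpath(BASE.replace("/", "\\")).lower()
    canon = windows_canonical(user_path).lower()
    return canon == base or canon.startswith(base + "\\")


def windows_extension_ok(user_path: str) -> bool:
    """Apply the denylist to the canonical name, after trailing dots are gone."""
    ext = ntpath.splitext(windows_canonical(user_path))[1].lower()
    return ext not in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    # Constructed inputs: a benign name, two traversal attempts (slash and
    # backslash), and a trailing-dot alias of a blocked extension.
    for name in ["report.txt", "../../Windows/win.ini",
                 r"..\..\Windows\win.ini", "payload.exe."]:
        print(f"{name!r:28} naive_confined={naive_is_confined(name)!s:5} "
              f"win_confined={windows_is_confined(name)!s:5} "
              f"naive_ext_ok={naive_extension_ok(name)!s:5} "
              f"win_ext_ok={windows_extension_ok(name)}")
```

Running the script shows the two checks agreeing on the benign name and on forward-slash traversal, and disagreeing on the backslash traversal and the trailing-dot name: the POSIX-only check accepts both, the Windows-aware check rejects both. That disagreement is exactly the class of issue the V2 view is meant to surface, and the right place to apply such a check is against the canonical form the platform will actually use, not the string the user supplied.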

Document version: 0.1    Date: September 12, 2007

This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.

Page Last Updated: January 17, 2017