Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWRAF > Common Weakness Risk Analysis Framework (CWRAF)  

Creating Your Own Vignettes

Currently, there are approximately 20 Vignettes and Technical Scorecards, but anyone can create their own Vignette and its accompanying Technical Scorecard to identify which CWEs are most significant to their business and applications. This section will help guide you through that process.

One of the items found in these sample Vignettes is the "Archetypes". A list of the currently defined Archetypes that are available for use in describing Vignettes is here. If there are new Archetypes you need just identify them and send them to and we can add them to the list.

These Archetypes are used as the context for describing the technical elements utilized by the application described in the Vignette.

There are two tables for each Vignette, "Vignette Definition" and "Technical Impact Scorecard".

Vignette Definition

Creating a Vignette Definition basically comes down to filling in the Vignette Definition table. Below is an example Vignette Definition table with a specific Vignette for a Web-Based Retail Provider described. The Vignette Definition is meant to talk about what business issues are of concern for the application. Is the application dealing with PII? Credit card (PCI-relevant) data? How bad is each of the 8 Technical Impacts given what the application is doing for a business (in the business's operational context).

Name Web-Based Retail Provider
ID retail-www

Maturity under-development
Domain ecomm
Desc Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Archetypes Database, Web browser, Web server, General-purpose OS Business Value Context (BVC) Confidentiality essential from a financial PII perspective, identity PII usually less important. PCI compliance a factor. Security incidents might have organizational impacts including financial loss, legal liability, compliance/regulatory concerns, and reputation/brand damage.
Notes None.
References No references

Technical Impact Scorecard

The Technical Impact Scorecard is the mechanism that allows for the creating the ranked list of the items under a vignette. Creating a Technical Impact Scorecard for a Vignette starts with the fact that each CWE can result in one or more types of failures or technical impacts.

The vignette is a context for scoring the 8 Technical Impacts at the 4 levels (application, system, network, and enterprise) that are then mapped into the CWEs that result in the specific Technical Impacts.

Assigning weights (0-10) to the 8 Technical Impacts by determining how "bad" these impacts are for a specific business case (which is captured by the vignette) is the first step, as denoted by the words "Once the technical impact scorecard is filled in for a particular vignette" that starts the "Calculating the CWE-specific Technical Impact Subscore" section.

In the first table of this "Calculating the CWE-specific Technical Impact Subscore" section, the values in the "Technical Impacts and Importance Subscores" column come from the above vignette technical impact scoring effort and is being mapped to the Technical Impacts that the various CWEs have.

Note that the list of Technical Impacts that each CWE has is a part of the CWE data in CWE itself. Look for the "Common Consequences" field of a CWE and the "Technical Impact" portion and for examples (refer to CWE-900: Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors for specific examples).

Proceed to the next section "Future Versions and Activities"
Page Last Updated: January 18, 2017