CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

CWE Mapping Guidance - Common Terms Cheatsheet

Pillar Weakness: These are the highest-level weaknesses that cannot be made any more abstract. They typically only describe one or two dimensions at a high level of abstraction.

Class Weakness: These are weaknesses that can be described abstractly, typically independent of any specific language or technology. They typically describe two dimensions.

Base Weakness: These weaknesses build on a Class weakness by providing lower-abstraction concepts for two to three dimensions, although these concepts are still typically associated with groups of specific languages, technologies, or resources.

Variant Weakness: These weaknesses build on a Base weakness by linking to an individual type of language, technology, or resource. They typically cover three or more dimensions.

Resource: A vulnerability theory term for an object or entity that is accessed or modified within the operation of the product, such as memory, CPU, files, or sockets. Resources can be system-level (memory or CPU), code-level (function or variable), or application-level (cookie or message).

Information Exposure: The intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

Improper: Used as a catch-all term to cover security behaviors that are either "Missing" or "Incorrect."

Missing: Used to describe a behavior that the developer has not attempted to perform.

Incorrect: A general term, used to describe when a behavior attempts to do a task but does not do it correctly.

Authentication: The process of verifying that an actor has a specific real-world identity, typically by checking for information that the product assumes can only be produced by that actor.

Authorization: The process of determining whether an actor with a given identity is allowed to have access to a resource, then granting access to that resource, as defined by the implicit and explicit security policies for the system.

Permissions: The explicit specifications for a resource, or a set of resources, that define which actors are allowed to access that resource, and which actions may be performed by those actors.

Neutralization: A general term to describe the process of ensuring that input or output has certain security properties before it is used. This is independent of the specific protection mechanism that performs the neutralization. The term could refer to one or more of the following: filtering/cleansing, canonicalization/resolution, encoding/decoding, escaping/unescaping, quoting/unquoting, validation, or other mechanisms.

Page Last Updated: March 23, 2021