Before You Start
- Try to frame your perspective of the vulnerability in terms of its underlying weakness
- Become familiar with key terms in CWE's glossary so that you can be sure you are interpreting CWE names correctly
- Familiarize yourself with key views (CWE-1003, CWE-699, CWE-1194, and CWE-1000), and determine which ones seem to match your needs the best
- If you are new to CWE mapping, View CWE-1003 may be a good starting point, as it contains a usable subset of the most commonly encountered CWE entries
- Become familiar with the top-level CWEs in your preferred view
- Understand how to navigate up and down the view hierarchies, whether through the view entry’s page, the relationships listed on weakness pages, or the visual PDFs; one of these may be a better fit for your efforts than the others
When You Are Ready
- The keyword search on the CWE website can help you quickly find potential entries, regardless of their level of abstraction
- Always map to Weakness entries, not Categories
- Map to the lowest-level CWE entry that you can. Weakness abstraction levels, from highest to lowest, are: Pillar, Class, Base, and Variant
- Verify your mapping with a team member whose skills and experience differ from yours
- If you find an entry that is similar to but not quite what you are looking for, examine its relationships with its parents, children, siblings, etc.
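The two rules above that lend themselves to an automated check are "map to Weakness entries, not Categories" and "map to the lowest-level entry you can", and the last tip is essentially a walk over the ChildOf relationships. The script below is an added example (not CWE program tooling) that applies those checks to a candidate mapping. It runs over a constructed, simplified subset of the CWE hierarchy with abbreviated names, chosen so that one Pillar-to-Variant lineage and one Category are present; in practice the graph would be loaded from the CWE XML or CSV downloads, and the `Entry`, `lineage` and `check_mapping` names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    cwe_id: int
    name: str
    kind: str                 # "Weakness" or "Category"
    abstraction: str = ""     # Pillar / Class / Base / Variant (weaknesses only)
    parents: tuple = ()       # ChildOf relationships, by CWE id


# Weakness abstraction levels, highest to lowest, as listed on the page.
LEVELS = ("Pillar", "Class", "Base", "Variant")

# Constructed, simplified subset of the CWE hierarchy (assumption): one XSS
# lineage plus a single Category, with abbreviated names, so the checks have
# something to act on. Load the real graph from the CWE XML/CSV downloads.
CWE = {e.cwe_id: e for e in (
    Entry(707, "Improper Neutralization", "Weakness", "Pillar"),
    Entry(74, "Injection", "Weakness", "Class", (707,)),
    Entry(79, "Cross-site Scripting", "Weakness", "Base", (74,)),
    Entry(80, "Basic XSS", "Weakness", "Variant", (79,)),
    Entry(137, "Data Neutralization Issues", "Category"),
)}


def children(cwe_id):
    """CWE ids of entries that declare cwe_id as a ChildOf parent."""
    return sorted(e.cwe_id for e in CWE.values() if cwe_id in e.parents)


def lineage(cwe_id):
    """Path from the top of the hierarchy down to cwe_id (first parent only)."""
    path = [cwe_id]
    while CWE[path[0]].parents:
        path.insert(0, CWE[path[0]].parents[0])
    return path


def check_mapping(cwe_id):
    """Apply the two mapping rules. Returns (ok, list_of_messages)."""
    entry = CWE.get(cwe_id)
    if entry is None:
        return False, [f"CWE-{cwe_id}: not in the loaded hierarchy"]
    if entry.kind == "Category":
        # Rule: always map to Weakness entries, never Categories.
        return False, [f"CWE-{cwe_id} is a Category; map to a Weakness instead"]
    # Rule: prefer the lowest-level entry; flag children that are more specific.
    lower = [c for c in children(cwe_id)
             if LEVELS.index(CWE[c].abstraction) > LEVELS.index(entry.abstraction)]
    msgs = []
    if lower:
        msgs.append(f"CWE-{cwe_id} is a {entry.abstraction}; consider lower-level "
                    "children: " + ", ".join(f"CWE-{c}" for c in lower))
    return True, msgs


if __name__ == "__main__":
    for cid in (137, 74, 80):
        ok, msgs = check_mapping(cid)
        print(f"CWE-{cid}: {'ok' if ok else 'REJECT'}", *msgs, sep="\n  ")
    print("lineage of CWE-80:", " -> ".join(f"CWE-{c}" for c in lineage(80)))
```

Running it rejects CWE-137 outright, accepts CWE-74 with a note pointing at the more specific CWE-79, and accepts CWE-80 silently, since in this subset it has no lower-level children. The `lineage` helper is the programmatic form of the "examine its parents, children, siblings" tip: when a candidate is close but not exact, walking its ancestors and then their other children usually surfaces the right sibling.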