A view in the Common Weakness Enumeration published by The MITRE Corporation.
Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.
This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, and when they are introduced in the development life cycle.
Academic researchers can use the high-level classes that lack a significant number of children to identify potential areas for future research.
Assessment Tool Vendors
Assessment vendors often use this view to help identify additional weaknesses that a tool may be able to detect as the relationships are more aligned with a tool's technical capabilities.
Those who perform vulnerability discovery/analysis use this view to identify related weaknesses that might be leveraged by following relationships between higher-level classes and bases.
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger sy...
The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from...
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.