Research Concepts

A view in the Common Weakness Enumeration published by The MITRE Corporation.


Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It is mainly organized according to abstractions of behaviors instead of how they can be detected, where they appear in code, and when they are introduced in the development life cycle.

Target Audience

Academic Researchers

Academic researchers can use the high-level classes that lack a significant number of children to identify potential areas for future research.

Assessment Tool Vendors

Assessment vendors often use this view to help identify additional weaknesses that a tool may be able to detect, because the relationships are more aligned with a tool's technical capabilities.

Vulnerability Analysts

Those who perform vulnerability discovery/analysis use this view to identify related weaknesses that might be leveraged by following relationships between higher-level classes and bases.


Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Improper Adherence to Coding Standards

The software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.

Improper Check or Handling of Exceptional Conditions

The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.

Improper Control of a Resource Through its Lifetime

The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.

Improper Interaction Between Multiple Correctly-Behaving Entities

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger sy...

Improper Neutralization

The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from...

Incorrect Calculation

The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

Incorrect Comparison

The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

Insufficient Control Flow Management

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
