Comprehensive Categorization for Software Assurance Trends
A view in the Common Weakness Enumeration published by The MITRE Corporation.
Objective
Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.
This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using tactics such as secure language development. It is also intended to help track weakness trends in publicly disclosed vulnerability data. This view is comprehensive in that every weakness must be contained in it, unlike most other views, which use only a subset of weaknesses. This view is structured with categories at the top level and a second level consisting only of weaknesses. Relationships among the weaknesses presented under the research view (CWE-1000) are not shown.
Each weakness is added to only one category. All categories are mutually exclusive; that is, no weakness can be a member of more than one category. While weaknesses defy strict categorization along only one characteristic, the forced bucketing into a single category can simplify certain kinds of analysis.
Note that the size of each category can vary widely because (1) CWE is not as well fleshed out in some areas as in others, and (2) the abstraction of the CWEs in a grouping may go down to the Variant level for some buckets but not for others.
Target Audience
Academic Researchers
Researchers can use this view to evaluate the breadth and depth of software assurance with respect to mitigating and managing weaknesses before they become vulnerabilities.
Categories
Weaknesses in this category are related to access control.
Weaknesses in this category are related to comparison.
Weaknesses in this category are related to component interaction.
Weaknesses in this category are related to concurrency.
Weaknesses in this category are related to encryption.
Weaknesses in this category are related to exposed resource.
Weaknesses in this category are related to file handling.
Weaknesses in this category are related to improper check or handling of exceptional conditions.
Weaknesses in this category are related to improper input validation.
Weaknesses in this category are related to improper neutralization.
Weaknesses in this category are related to incorrect calculation.
Weaknesses in this category are related to injection.
Weaknesses in this category are related to insufficient control flow management.
Weaknesses in this category are related to insufficient verification of data authenticity.
Weaknesses in this category are related to memory safety.
Weaknesses in this category are related to poor coding practices.
Weaknesses in this category are related to protection mechanism failure.
Weaknesses in this category are related to randomness.
Weaknesses in this category are related to resource control.
Weaknesses in this category are related to resource lifecycle management.
Weaknesses in this category are related to sensitive information exposure.
Weaknesses in this category are related to violation of secure design principles.
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website is subject to the Terms of Use as specified by The MITRE Corporation.