Research Concepts |
View ID: 1000 (View: Graph) | Status: Draft |
View Objective
This view is intended to facilitate research into weaknesses, including their inter-dependencies and their role in vulnerabilities. It classifies weaknesses in a way that largely ignores how they can be detected, where they appear in code, and when they are introduced in the software development life-cycle. Instead, it is mainly organized according to abstractions of software behaviors. It uses a deep hierarchical organization, with more levels of abstraction than other classification schemes. The top-level entries are called Pillars.
Where possible, this view uses abstractions that do not consider particular languages, frameworks, technologies, life-cycle development phases, frequency of occurrence, or types of resources. It explicitly identifies relationships that form chains and composites, which have not been a formal part of past classification efforts. Chains and composites might help explain why mutual exclusivity is difficult to achieve within security error taxonomies.
This view is roughly aligned with MITRE's research into vulnerability theory, especially with respect to behaviors and resources. Ideally, this view will only cover weakness-to-weakness relationships, with minimal overlap and very few categories. This view could be useful for academic research, CWE maintenance, and mapping. It can be leveraged to systematically identify theoretical gaps within CWE and, by extension, the general security community.
CWEs in this view | Total CWEs | ||
---|---|---|---|
Total | 677 | out of | 810 |
Views | 0 | out of | 23 |
Categories | 10 | out of | 110 |
Weaknesses | 658 | out of | 668 |
Compound_Elements | 9 | out of | 9 |
Stakeholder | Description |
---|---|
Academic Researchers | This view provides an organizational structure for weaknesses that is different than the approaches undertaken by taxonomies such as Seven Pernicious Kingdoms. |
Applied Researchers | Applied researchers could use the higher-level classes and bases to identify potential areas for future research. |
Developers | Developers who have fully integrated security into their SDLC might find this view useful in identifying general patterns of issues within code, instead of relying heavily on "badness lists" that only cover the most severe issues. |
Nature | Type | ID | Name | View(s) this relationship pertains to![]() |
---|---|---|---|---|
HasMember | ![]() | 118 | Improper Access of Indexable Resource ('Range Error') | Research Concepts (primary)1000 |
HasMember | ![]() | 330 | Use of Insufficiently Random Values | Research Concepts (primary)1000 |
HasMember | ![]() | 435 | Interaction Error | Research Concepts (primary)1000 |
HasMember | ![]() | 664 | Improper Control of a Resource Through its Lifetime | Research Concepts (primary)1000 |
HasMember | ![]() | 682 | Incorrect Calculation | Research Concepts (primary)1000 |
HasMember | ![]() | 691 | Insufficient Control Flow Management | Research Concepts (primary)1000 |
HasMember | ![]() | 693 | Protection Mechanism Failure | Research Concepts (primary)1000 |
HasMember | ![]() | 697 | Insufficient Comparison | Research Concepts (primary)1000 |
HasMember | ![]() | 703 | Failure to Handle Exceptional Conditions | Research Concepts (primary)1000 |
HasMember | ![]() | 707 | Improper Enforcement of Message or Data Structure | Research Concepts (primary)1000 |
HasMember | ![]() | 710 | Coding Standards Violation | Research Concepts (primary)1000 |