Research Concepts
View ID: 1000 (View: Graph)Status: Draft
+ View Data

View Objective

This view is intended to facilitate research into weaknesses, including their inter-dependencies and their role in vulnerabilities. It classifies weaknesses in a way that largely ignores how they can be detected, where they appear in code, and when they are introduced in the software development life-cycle. Instead, it is mainly organized according to abstractions of software behaviors. It uses a deep hierarchical organization, with more levels of abstraction than other classification schemes. The top-level entries are called Pillars.

Where possible, this view uses abstractions that do not consider particular languages, frameworks, technologies, life-cycle development phases, frequency of occurrence, or types of resources. It explicitly identifies relationships that form chains and composites, which have not been a formal part of past classification efforts. Chains and composites might help explain why mutual exclusivity is difficult to achieve within security error taxonomies.

This view is roughly aligned with MITRE's research into vulnerability theory, especially with respect to behaviors and resources. Ideally, this view will only cover weakness-to-weakness relationships, with minimal overlap and very few categories. This view could be useful for academic research, CWE maintenance, and mapping. It can be leveraged to systematically identify theoretical gaps within CWE and, by extension, the general security community.

+ View Metrics
CWEs in this viewTotal CWEs
Total677out of810
Views0out of23
Categories10out of110
Weaknesses658out of668
Compound_Elements9out of9
+ View Audience
Academic Researchers

This view provides an organizational structure for weaknesses that is different than the approaches undertaken by taxonomies such as Seven Pernicious Kingdoms.

Applied Researchers

Applied researchers could use the higher-level classes and bases to identify potential areas for future research.


Developers who have fully integrated security into their SDLC might find this view useful in identifying general patterns of issues within code, instead of relying heavily on "badness lists" that only cover the most severe issues.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
HasMemberWeakness ClassWeakness Class118Improper Access of Indexable Resource ('Range Error')
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class330Use of Insufficiently Random Values
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class435Interaction Error
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class664Improper Control of a Resource Through its Lifetime
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class682Incorrect Calculation
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class691Insufficient Control Flow Management
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class693Protection Mechanism Failure
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class697Insufficient Comparison
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class703Failure to Handle Exceptional Conditions
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class707Improper Enforcement of Message or Data Structure
Research Concepts (primary)1000
HasMemberWeakness ClassWeakness Class710Coding Standards Violation
Research Concepts (primary)1000
+ Content History
Modification DateModifierOrganizationSource
2008-09-08CWE Content TeamMITREInternal
updated Description, Name, Relationships, View Audience, View Structure
Previous Entry Names
Change DatePrevious Entry Name
2008-09-09Natural Hierarchy