Discussion of Issues in CWE Draft 6
Discussion of Issues in CWE Draft 6Following is a summary of the main overall issues in CWE Draft 6.
- Some "weakness" nodes are not about weaknesses.The most noticeable are nodes that are focused on attacks (e.g. HTTP Response Splitting, Man-in-the-Middle). CWE also has grouping nodes such as "Authentication Issues" that might be useful for navigation but are not weaknesses themselves.
- Abstraction Challenges. Some nodes might be broken down into sub-nodes in ways that don't make sense to some users. Others might be regarded as too high-level. Some nodes might be too low-level.
- Different Perspectives. CWE nodes can be organized and described along different perspectives, which might not be suitable for some users.
- Usability. There are different types of users of CWE, but its current layout and navigation is relatively limited.
- Incomplete Entries. There are numerous fields available for CWE nodes, but many entries do not have as much detailed information as they could, including the description and relationships.
- Vague Names or Descriptions. Some entries have names or descriptions that do not clearly describe the issue.
Document version:0.1Date:September 13, 2007 This is a draft document. It is intended to support maintenance of CWE, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2007, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.
More information is available — Please select a different filter.
|
