2021年12月4日16:19:40评论67 views字数 2040阅读6分48秒阅读模式

View-1000: Research Concepts

ID: 1000

Type: Graph

Status: Draft

Objective

This view is intended to facilitate research into weaknesses, including their inter-dependencies, and can be leveraged to systematically identify theoretical gaps within CWE. It classifies weaknesses in a way that largely ignores how they can be detected, where they appear in code, and when they are introduced in the software development life cycle. Instead, it is mainly organized according to abstractions of software behaviors.

Audience

Academic Researchers

Academic researchers can use the high-level classes that lack a significant number of children to identify potential areas for future research.

Vulnerability Analysts

Those who perform vulnerability discovery/analysis use this view to identify related weaknesses that might be leveraged by following relationships between higher-level classes and bases.

Assessment Vendors

Assessment vendors often use this view to help identify additional weaknesses that a tool may be able to detect as the relationships are more aligned with a tool’s technical capabilities.

Membership

CWE-ID	title
CWE-682	数值计算不正确
CWE-118	对可索引资源的访问不恰当（越界错误）
CWE-330	使用不充分的随机数
CWE-435	交互错误
CWE-664	在生命周期中对资源的控制不恰当
CWE-691	不充分的控制流管理
CWE-693	保护机制失效
CWE-697	不充分的比较
CWE-703	对异常条件检查或处理不恰当
CWE-707	对消息或数据结构的处理不恰当
CWE-710	编程规范违背

Notes

Other

This view uses a deep hierarchical organization, with more levels of abstraction than other classification schemes. The top-level entries are called Pillars. Where possible, this view uses abstractions that do not consider particular languages, frameworks, technologies, life cycle development phases, frequency of occurrence, or types of resources. It explicitly identifies relationships that form chains and composites, which have not been a formal part of past classification efforts. Chains and composites might help explain why mutual exclusivity is difficult to achieve within security error taxonomies. This view is roughly aligned with MITRE's research into vulnerability theory, especially with respect to behaviors and resources. Ideally, this view will only cover weakness-to-weakness relationships, with minimal overlap and zero categories.

文章来源于互联网:scap中文网

相关推荐: CWE-440 预期行为违背

CWE-440 预期行为违背 Expected Behavior Violation 结构: Simple Abstraction: Base 状态: Draft 被利用可能性: unkown 基本描述 A feature, API, or function …

左青龙
微信扫一扫

右白虎
微信扫一扫

View-1000: Research Concepts

View-1000: Research Concepts

Objective

Audience

Academic Researchers

Vulnerability Analysts

Assessment Vendors

Membership

Notes

Other

View-999: Weaknesses without Software Fault Patterns

View-884: CWE Cross-section

View-868: Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version)

View-844: Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011)

View-809: Weaknesses in OWASP Top Ten (2010)

View-800: Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

View-750: Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors

View-734: Weaknesses Addressed by the CERT C Secure Coding Standard (2008)

View-711: Weaknesses in OWASP Top Ten (2004)

View-709: Named Chains

发表评论

在线咨询

微信