CWE-1000: Understanding Weaknesses Perspective

The purpose of this perspective is to assist in conducting studies on vulnerabilities, including their inter-relations, and can be utilized to systematically pinpoint theoretical gaps within CWE. Its organization primarily revolves around abstract representations of behaviors rather than focusing on their detections, code placements, or introduction times within the development life cycle. The aim of this perspective is to encompass all weaknesses within CWE.

The graph displayed illustrates the hierarchical relationships among weaknesses at different levels of abstraction. At the highest level, there are categories and pillars that serve to group weaknesses together. Categories, which are not considered weaknesses themselves, function as special entries in the Common Weakness Enumeration (CWE) to categorize weaknesses with similar characteristics. Pillars, on the other hand, represent weaknesses described in a highly abstract manner. Positioned beneath these top-level entries are weaknesses with varying degrees of abstraction. Classes remain at a highly abstract level, generally independent of any specific programming language or technology. Base level weaknesses, on the other hand, provide a more specific type of weakness. Variants, being described at a very detailed level, are often limited to a particular language or technology. A chain refers to a sequence of weaknesses that must be accessible consecutively to exploit a vulnerability. Conversely, a composite refers to a collection of weaknesses that must all coexist simultaneously to exploit a vulnerability.