The Common Weakness Enumeration is a category system for software weaknesses and vulnerabilities. It is sustained by a community project with the goals of understanding flaws in software and creating automated tools that can be used to identify, fix, and prevent those flaws. Wikipedia
The CWE provides several different lenses of the list. One that might be beneficial during software development, or perhaps during research for vulnerabilities.
There are several types of CWEs (or meta types?) with the following relationships:
- Category - Entry that contains a set or group of weaknesses that share a common characteristic. For example, CWE-557: Concurrency Issues or CWE-355: User Interface Security Issues, where the shared attributes may any number of things including, but not limited to, functional area (e.g., authentication, cryptography) and the relevant resource (e.g., credentials management, certificate issues).
- Pillar weakness - A high level abstract type of weakness. Cannot be more abstract. Example: Improper Access Control - (284)
- Class weakness- independent of any specific language or technology. such as CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
- Base weakness- a more specific type of weakness that is still mostly independent of a specific resource or technology such as CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’);
- Variant weakness - a weakness specific to a particular resource, technology, or context such as CWE-83: Improper Neutralization of Script in Attributes in a Web Page
There are also several views to consider. Each one might provide a different look at the same problem, generating new ideas.