Ha Thanh LE, student from the School of Computer Engineering, Nanyang
Technological University (NTU), Singapore. Currently, I am doing research in a Forensic and Security Lab (ForSe Lab) on software quality evaluation based on their vulnerability project. Recently, our group used CVSS
to evaluate the severity of several web-based vulnerabilities.
Later, I think we will need CWE to classify the vulnerabilities. I have studied version 1.2 and just received the announcement of version 1.3.
I have questions about mapping vulnerability taxonomies to CWE:
1. What criteria do you use to match one weakness in a taxonomy into a CWE entry?
2. Based on what condition do you evaluate that one weakness has a relationship (such as ChildOf or CanPrecede) with another weakness? Do people classify weaknesses and determine relationships based on their own experience?
3. I think a particular categorization process for weakness mapping depends on how you relate the terms in the existing taxonomy to CWE. What happens if the term(s) are updated?