Question about CWE categorization

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Question about CWE categorization

lehathanh
Dear CWE group,

I am Ha Thanh LE, student from School of Computer Engineering, Nanyang Technological University (NTU) Singapore. Currently, I am doing research in a Forensic and Security Lab (ForSe Lab) in software quality evaluation based on their vulnerability project. Recently, our group used CVSS to evaluate the severity of several web-based vulnearbilities. 
Later, I think we need CWE to classify the vulnerabilities. I have studied version 1.2 and just received the announcement of version 1.3

I have questions about mapping vulnerability taxonomies to CWE: 
1. What criteria do you use to match one weakness in a taxonomy into a CWE entry?  

2. Based on what condition do you evaluate one weakness has a relationship with (such as a ChildOf or canPrecede ) another weaknesses? Do people classify weaknesses and determine relationship base on their own experience? 

3.I think a particular categorization process for weakness mapping depends on how you concern the terms in the existing taxonomy with CWE. What happen if the term(s) is updated?

Thank you very much.

Ha Thanh

SCE-NTU