Which CWE fields do you find important?
Locked
Which CWE fields do you find important?
 
Administrator
|
CWE Community,
We are looking to do some quick turn-around tasks related to the CWE website to improve its usability and the ease with which users can understand and find what they are looking for. One of the things being considered is to bring the most important / most commonly leveraged data fields on an individual CWE page to the forefront. We already have the notion of a "Presentation Filter" on the page, and we will likely make the "High Level" filter the default allowing the key information fields to stand out and be immediately visible. Question - If you were forced to choose only FIVE fields to be kept as part of this High Level filter, and all others would be hidden by default, which five would you choose? Some potential fields are: Description Alternate Terms Time of Introduction Applicable Platforms Common Consequences Likelihood of Exploit Detection Methods Demonstrative Examples Potential Mitigations Observed Examples Relationships (to other CWEs) Related Attack Patterns References Taxonomy Mappings Please reply (by Thursday Nov 3 ) back to me so as not to disrupt everyone on the list. I will pull results together and share. From there, we will work to modify the individual CWE pages to reflect the needs expressed. Note that the final filter may not have exactly five fields. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
RE: Which CWE fields do you find important?
|
While lengthier, I think that these provide the most basic information that I would be interested in providing to those that I advise:
- Description - Common Consequences - Likelihood of Exploit - Potential Mitigations - Applicable Platforms (assuming that these become more consistently applied) One other note about the presentation layer: I'd really love to be able to provide a link directly to a specific view. For example, what I want a Product Manager to focus upon is different than what I want a Developer to focus upon. -----Original Message----- From: [hidden email] [mailto:[hidden email]] On Behalf Of Buttner, Drew Sent: Friday, October 21, 2016 9:03 AM To: cwe-research-list CWE Research Discussion <[hidden email]> Subject: Which CWE fields do you find important? CWE Community, Common Consequences, We are looking to do some quick turn-around tasks related to the CWE website to improve its usability and the ease with which users can understand and find what they are looking for. One of the things being considered is to bring the most important / most commonly leveraged data fields on an individual CWE page to the forefront. We already have the notion of a "Presentation Filter" on the page, and we will likely make the "High Level" filter the default allowing the key information fields to stand out and be immediately visible. Question - If you were forced to choose only FIVE fields to be kept as part of this High Level filter, and all others would be hidden by default, which five would you choose? Some potential fields are: Description Alternate Terms Time of Introduction Applicable Platforms Common Consequences Likelihood of Exploit Detection Methods Demonstrative Examples Potential Mitigations Observed Examples Relationships (to other CWEs) Related Attack Patterns References Taxonomy Mappings Please reply (by Thursday Nov 3 ) back to me so as not to disrupt everyone on the list. I will pull results together and share. From there, we will work to modify the individual CWE pages to reflect the needs expressed. Note that the final filter may not have exactly five fields. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 |
RE: Which CWE fields do you find important?
|
|
Kurt’s comment about the platforms prompted me to go back and look at the 5.4.2 XSD. It seems that I “mis-remembered”
J which list “Applicable Platforms” was. I was thinking about “Architectural Paradigm”. I suppose the best way to say it is
that for a “High Level” filter (which I see as the Executive Overview), for my #5 I’d like something like Architectural Paradigm + some of the more high-level ways of describing the language/platform such as “Memory Managed” (e.g. Java, .Net). The heart of
the matter is that, in my opinion, the “high level” view should include something of an “applicability” indicator. From: Kurt Seifried [mailto:[hidden email]]
Welp since everyone is replying public and not privately I might as well: My take (3 MANDATORY, 2 nice to have, and a #6 for normal people finding CWE after being told to fix CWE-foo): Description - MANDATORY for basic use Alternate Terms - MANDATORY for finding best fit Demonstrative Examples - Nice to have Observed Examples - Nice to have Relationships (to other CWEs) - MANDATORY for finding best fit Time of Introduction - nice historical fact, not super useful otherwise Applicable Platforms - not sure why this is even needed ^^^ This one is especially troublesome as many flaws apply to many or all of the platforms, and there are new platforms coming out all the time (languages, frameworks, etc.). I would like to avoid hyper specific
CWEs like "blah blah foo in ruby on rails" unless there are so many instances of that flaw that it actually makes sense to have something hyper specific. It's also a very expensive field to maintain and keep up to date. Common Consequences - nice for research/explaining Likelihood of Exploit - nice for research/explaining Detection Methods - nice for research/explaining Potential Mitigations - this would be by #6 choice for importance Related Attack Patterns - this is useful for researcher/learning References - unneeded for day to day operations Taxonomy Mappings - unneeded for day to day operations On Fri, Oct 21, 2016 at 9:33 AM, Kevin Hale <[hidden email]> wrote:
-- -- |
RE: Which CWE fields do you find important?
|
Administrator
|
In reply to this post by Andrew Buttner
Thank you to those that have replied to me already. There has been some great feedback for which we find extremely helpful. If there are others that have an opinion on the topic below, please send it to me offline by this Thursday (Nov 3). I will then work to summarize things and get an update made to the CWE website.
Thank you Drew > -----Original Message----- > From: [hidden email] [mailto:owner-cwe-research- > [hidden email]] On Behalf Of Buttner, Drew > Sent: Friday, October 21, 2016 10:03 AM > To: cwe-research-list CWE Research Discussion <cwe-research- > [hidden email]> > Subject: Which CWE fields do you find important? > > CWE Community, > > We are looking to do some quick turn-around tasks related to the CWE > website to improve its usability and the ease with which users can > understand and find what they are looking for. One of the things being > considered is to bring the most important / most commonly leveraged data > fields on an individual CWE page to the forefront. We already have the > notion of a "Presentation Filter" on the page, and we will likely make the > "High Level" filter the default allowing the key information fields to stand out > and be immediately visible. > > Question - If you were forced to choose only FIVE fields to be kept as part of > this High Level filter, and all others would be hidden by default, which five > would you choose? > > Some potential fields are: > > Description > Alternate Terms > Time of Introduction > Applicable Platforms > Common Consequences > Likelihood of Exploit > Detection Methods > Demonstrative Examples > Potential Mitigations > Observed Examples > Relationships (to other CWEs) > Related Attack Patterns > References > Taxonomy Mappings > > Please reply (by Thursday Nov 3 ) back to me so as not to disrupt everyone > on the list. I will pull results together and share. From there, we will work to > modify the individual CWE pages to reflect the needs expressed. Note that > the final filter may not have exactly five fields. > > Thanks > Drew > > --------- > > Andrew Buttner > The MITRE Corporation > [hidden email] > 781-271-3515 |
RE: Which CWE fields do you find important?
|
Administrator
|
All,
Sorry that the unsubscribe info is not presented at the bottom of these emails. I have made an edit to the template to add it in the future. For now, anyone else wishing to unsubscribe can do the following: To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. Thanks Drew > -----Original Message----- > From: Tennessee Woodiel [mailto:[hidden email]] > Sent: Tuesday, November 1, 2016 11:17 AM > To: Buttner, Drew <[hidden email]> > Cc: cwe-research-list CWE Research Discussion <cwe-research- > [hidden email]> > Subject: Which CWE fields do you find important? > > I have no idea how I got on this email chain, I think you guys must have > miswrote someone's address. If you could take me off that would be greatly > appreciated! (I'm waiting for replies from colleges currently and every time I > get an email my heart jumps). > > Thanks! > > > P.S. > Whatever a CWE is, you guys seem to be doing it right. > > > On Tuesday, November 1, 2016, Buttner, Drew <[hidden email] > <javascript:_e(%7B%7D,'cvml','[hidden email]');> > wrote: > > > Thank you to those that have replied to me already. There has been > some great feedback for which we find extremely helpful. If there are others > that have an opinion on the topic below, please send it to me offline by this > Thursday (Nov 3). I will then work to summarize things and get an update > made to the CWE website. > > Thank you > Drew > > > > -----Original Message----- > > From: [hidden email] [mailto:owner-cwe- > research- > > [hidden email]] On Behalf Of Buttner, Drew > > Sent: Friday, October 21, 2016 10:03 AM > > To: cwe-research-list CWE Research Discussion <cwe-research- > > [hidden email]> > > Subject: Which CWE fields do you find important? > > > > CWE Community, > > > > We are looking to do some quick turn-around tasks related to the > CWE > > website to improve its usability and the ease with which users can > > understand and find what they are looking for. One of the things > being > > considered is to bring the most important / most commonly > leveraged data > > fields on an individual CWE page to the forefront. We already have > the > > notion of a "Presentation Filter" on the page, and we will likely > make the > > "High Level" filter the default allowing the key information fields to > stand out > > and be immediately visible. > > > > Question - If you were forced to choose only FIVE fields to be kept > as part of > > this High Level filter, and all others would be hidden by default, > which five > > would you choose? > > > > Some potential fields are: > > > > Description > > Alternate Terms > > Time of Introduction > > Applicable Platforms > > Common Consequences > > Likelihood of Exploit > > Detection Methods > > Demonstrative Examples > > Potential Mitigations > > Observed Examples > > Relationships (to other CWEs) > > Related Attack Patterns > > References > > Taxonomy Mappings > > > > Please reply (by Thursday Nov 3 ) back to me so as not to disrupt > everyone > > on the list. I will pull results together and share. From there, we will > work to > > modify the individual CWE pages to reflect the needs expressed. > Note that > > the final filter may not have exactly five fields. > > > > Thanks > > Drew > > > > --------- > > > > Andrew Buttner > > The MITRE Corporation > > [hidden email] > > 781-271-3515 > |
RE: Which CWE fields do you find important?
|
Administrator
|
In reply to this post by Andrew Buttner
Last call for those that haven't yet replied to this topic. We have had some great insight already, but would love to hear from a few of the analysis tool vendors and individual researchers as their use of CWE is bound to be specialized.
Our plan is to summarize the feedback and produce a quick write-up that we will share with this list. (hopefully on Monday) We will then work to implement a couple of changes to the website to reflect the feedback. Thanks Drew > -----Original Message----- > From: [hidden email] [mailto:owner-cwe-research- > [hidden email]] On Behalf Of Buttner, Drew > Sent: Tuesday, November 1, 2016 6:19 AM > To: cwe-research-list CWE Research Discussion <cwe-research- > [hidden email]> > Subject: RE: Which CWE fields do you find important? > > Thank you to those that have replied to me already. There has been some > great feedback for which we find extremely helpful. If there are others that > have an opinion on the topic below, please send it to me offline by this > Thursday (Nov 3). I will then work to summarize things and get an update > made to the CWE website. > > Thank you > Drew > > > > -----Original Message----- > > From: [hidden email] > > [mailto:owner-cwe-research- [hidden email]] On Behalf Of > > Buttner, Drew > > Sent: Friday, October 21, 2016 10:03 AM > > To: cwe-research-list CWE Research Discussion <cwe-research- > > [hidden email]> > > Subject: Which CWE fields do you find important? > > > > CWE Community, > > > > We are looking to do some quick turn-around tasks related to the CWE > > website to improve its usability and the ease with which users can > > understand and find what they are looking for. One of the things being > > considered is to bring the most important / most commonly leveraged > > data fields on an individual CWE page to the forefront. We already > > have the notion of a "Presentation Filter" on the page, and we will > > likely make the "High Level" filter the default allowing the key > > information fields to stand out and be immediately visible. > > > > Question - If you were forced to choose only FIVE fields to be kept as > > part of this High Level filter, and all others would be hidden by > > default, which five would you choose? > > > > Some potential fields are: > > > > Description > > Alternate Terms > > Time of Introduction > > Applicable Platforms > > Common Consequences > > Likelihood of Exploit > > Detection Methods > > Demonstrative Examples > > Potential Mitigations > > Observed Examples > > Relationships (to other CWEs) > > Related Attack Patterns > > References > > Taxonomy Mappings > > > > Please reply (by Thursday Nov 3 ) back to me so as not to disrupt > > everyone on the list. I will pull results together and share. From > > there, we will work to modify the individual CWE pages to reflect the > > needs expressed. Note that the final filter may not have exactly five fields. > > > > Thanks > > Drew > > > > --------- > > > > Andrew Buttner > > The MITRE Corporation > > [hidden email] > > 781-271-3515 To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
RE: Which CWE fields do you find important?
|
Administrator
|
All,
Thank you to everyone that sent in suggestions about the top 5 most important fields. We got 16 responses from individuals in a variety of roles. None of the lists were the same. Each of the fields represented are provided below, with the total number of responses in parenthesis: Description (12) Potential Mitigations (11) Common Consequences (10) Applicable Platforms (6) Likelihood of Exploit (6) Demonstrative Examples (6) Observed Examples (6) Relationships (6) Taxonomy Mappings (4) Detection Methods (3) Related Attack Patterns (3) Alternate Terms (3) Time of Introduction (2) References (2) The first take-away from this is that individuals use different fields depending on their needs. (This isn't a new idea) The second take-away is that all the fields are important to someone. Finally, there is a core set of fields that are considered a high priority by over 1/3 of the respondents. (those with 6 or more) This core set of fields actually aligns pretty well with a priority study done in 2009. Note that this 2009 study was not scientific and was based on CWE team understanding and approximation. https://cwe.mitre.org/data/reports/stakeholder_field_priorities.html Current Survey 2009 Survey (fields with a score >75) ================================================== Description Description Potential Mitigations Applicable Platforms Common Consequences ** Time of Introduction Applicable Platforms Demonstrative Examples Likelihood of Exploit ** Detection Factors Demonstrative Examples Likelihood of Exploit ** Observed Examples Relationships Relationships Common Consequences ** References Potential Mitigations ** = only in one list This exercise is being performed in an attempt to improve the usability of the CWE by creating a simplified default view that only displays the most commonly needed fields. Some of the feedback we have received in the past is that new users to the site have a hard time comprehending an individual entry due to the amount of rich data presented. This confusion drives them away. Initial users often are looking for a description and some supporting info. Our hope is that by simplifying the default view, while still enabling a complete view for those power users, that we will make CWE more useful to all. Based on the feedback from this exercise, I'd like to propose that the simplified default view contain the following fields: Description Applicable Platforms Likelihood of Exploit Common Consequences Potential Mitigations Demonstrative Examples Relationships Our plan moving forward is to adjust the "presentation filter" on the individual weakness pages. This will enable the page to start with a simplified view, yet allow the user to change to the complete view. Our goal is to make CWE easier to use and understand for both new and power users. This will complement some other small changes we are working on to help everyone navigate and find the CWEs they are interested in. The hope is to implement these changes in a site update in the next month or so. Thank you all again for your feedback. Thanks Drew --------- Andrew Buttner The MITRE Corporation [hidden email] 781-271-3515 To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email]. |
| Free forum by Nabble | Edit this page |