Which CWE fields do you find important?


Which CWE fields do you find important?

Andrew Buttner
Administrator
CWE Community,

We are looking to do some quick turn-around tasks related to the CWE website to improve its usability and the ease with which users can understand and find what they are looking for. One of the things being considered is to bring the most important / most commonly leveraged data fields on an individual CWE page to the forefront. We already have the notion of a "Presentation Filter" on the page, and we will likely make the "High Level" filter the default allowing the key information fields to stand out and be immediately visible.

Question - If you were forced to choose only FIVE fields to be kept as part of this High Level filter, and all others would be hidden by default, which five would you choose?

Some potential fields are:

Description
Alternate Terms
Time of Introduction
Applicable Platforms
Common Consequences
Likelihood of Exploit
Detection Methods
Demonstrative Examples
Potential Mitigations
Observed Examples
Relationships (to other CWEs)
Related Attack Patterns
References
Taxonomy Mappings

Please reply (by Thursday Nov 3 ) back to me so as not to disrupt everyone on the list. I will pull results together and share. From there, we will work to modify the individual CWE pages to reflect the needs expressed. Note that the final filter may not have exactly five fields.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

RE: Which CWE fields do you find important?

Kevin Hale
While lengthier, I think that these provide the most basic information that I would be interested in providing to those that I advise:
- Description
- Common Consequences
- Likelihood of Exploit
- Potential Mitigations
- Applicable Platforms (assuming that these become more consistently applied)


One other note about the presentation layer:  I'd really love to be able to provide a link directly to a specific view.  For example, what I want a Product Manager to focus upon is different than what I want a Developer to focus upon.


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Buttner, Drew
Sent: Friday, October 21, 2016 9:03 AM
To: cwe-research-list CWE Research Discussion <[hidden email]>
Subject: Which CWE fields do you find important?


RE: Which CWE fields do you find important?

Kevin Hale

Kurt's comment about the platforms prompted me to go back and look at the 5.4.2 XSD. It seems that I "mis-remembered" which list "Applicable Platforms" was. I was thinking about "Architectural Paradigm". I suppose the best way to say it is that for a "High Level" filter (which I see as the Executive Overview), for my #5 I'd like something like Architectural Paradigm + some of the more high-level ways of describing the language/platform such as "Memory Managed" (e.g. Java, .Net). The heart of the matter is that, in my opinion, the "high level" view should include something of an "applicability" indicator.

From: Kurt Seifried [mailto:[hidden email]]
Sent: Friday, October 21, 2016 1:23 PM
To: Kevin Hale <[hidden email]>
Cc: Buttner, Drew <[hidden email]>; cwe-research-list CWE Research Discussion <[hidden email]>; Louis Nadeau <[hidden email]>
Subject: Re: Which CWE fields do you find important?

 

Welp since everyone is replying public and not privately I might as well:

My take (3 MANDATORY, 2 nice to have, and a #6 for normal people finding CWE after being told to fix CWE-foo):

Description - MANDATORY for basic use
Alternate Terms - MANDATORY for finding best fit
Demonstrative Examples - Nice to have
Observed Examples - Nice to have
Relationships (to other CWEs) - MANDATORY for finding best fit

Time of Introduction - nice historical fact, not super useful otherwise
Applicable Platforms - not sure why this is even needed

^^^ This one is especially troublesome as many flaws apply to many or all of the platforms, and there are new platforms coming out all the time (languages, frameworks, etc.). I would like to avoid hyper specific CWEs like "blah blah foo in ruby on rails" unless there are so many instances of that flaw that it actually makes sense to have something hyper specific. It's also a very expensive field to maintain and keep up to date.

Common Consequences - nice for research/explaining
Likelihood of Exploit - nice for research/explaining
Detection Methods - nice for research/explaining
Potential Mitigations - this would be my #6 choice for importance
Related Attack Patterns - this is useful for researcher/learning
References - unneeded for day to day operations
Taxonomy Mappings - unneeded for day to day operations

On Fri, Oct 21, 2016 at 9:33 AM, Kevin Hale <[hidden email]> wrote:
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
[hidden email]


RE: Which CWE fields do you find important?

Andrew Buttner
Administrator
In reply to this post by Andrew Buttner
Thank you to those that have replied to me already. There has been some great feedback for which we find extremely helpful. If there are others that have an opinion on the topic below, please send it to me offline by this Thursday (Nov 3). I will then work to summarize things and get an update made to the CWE website.

Thank you
Drew
 


RE: Which CWE fields do you find important?

Andrew Buttner
Administrator
All,

Sorry that the unsubscribe info is not presented at the bottom of these emails.  I have made an edit to the template to add it in the future.  For now, anyone else wishing to unsubscribe can do the following:

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

Thanks
Drew


> -----Original Message-----
> From: Tennessee Woodiel [mailto:[hidden email]]
> Sent: Tuesday, November 1, 2016 11:17 AM
> To: Buttner, Drew <[hidden email]>
> Cc: cwe-research-list CWE Research Discussion <cwe-research-
> [hidden email]>
> Subject: Which CWE fields do you find important?
>
> I have no idea how I got on this email chain, I think you guys must have
> miswrote someone's address. If you could take me off that would be greatly
> appreciated! (I'm waiting for replies from colleges currently and every time I
> get an email my heart jumps).
>
> Thanks!
>
>
> P.S.
> Whatever a CWE is, you guys seem to be doing it right.
>

RE: Which CWE fields do you find important?

Andrew Buttner
Administrator
In reply to this post by Andrew Buttner
Last call for those that haven't yet replied to this topic. We have had some great insight already, but would love to hear from a few of the analysis tool vendors and individual researchers as their use of CWE is bound to be specialized.

Our plan is to summarize the feedback and produce a quick write-up that we will share with this list. (hopefully on Monday) We will then work to implement a couple of changes to the website to reflect the feedback.

Thanks
Drew


> -----Original Message-----
> From: [hidden email] [mailto:owner-cwe-research-
> [hidden email]] On Behalf Of Buttner, Drew
> Sent: Tuesday, November 1, 2016 6:19 AM
> To: cwe-research-list CWE Research Discussion <cwe-research-
> [hidden email]>
> Subject: RE: Which CWE fields do you find important?

To unsubscribe, send an email message to [hidden email] with SIGNOFF CWE-RESEARCH-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

RE: Which CWE fields do you find important?

Andrew Buttner
Administrator
All,

Thank you to everyone that sent in suggestions about the top 5 most important fields. We got 16 responses from individuals in a variety of roles. None of the lists were the same. Each of the fields represented are provided below, with the total number of responses in parenthesis:


 Description (12)
 Potential Mitigations (11)
 Common Consequences (10)
 Applicable Platforms (6)
 Likelihood of Exploit (6)
 Demonstrative Examples (6)
 Observed Examples (6)
 Relationships (6)
 Taxonomy Mappings (4)
 Detection Methods (3)
 Related Attack Patterns (3)
 Alternate Terms (3)
 Time of Introduction (2)
 References (2)


The first take-away from this is that individuals use different fields depending on their needs. (This isn't a new idea) The second take-away is that all the fields are important to someone. Finally, there is a core set of fields that are considered a high priority by over 1/3 of the respondents.  (those with 6 or more)

This core set of fields actually aligns pretty well with a priority study done in 2009. Note that this 2009 study was not scientific and was based on CWE team understanding and approximation.

https://cwe.mitre.org/data/reports/stakeholder_field_priorities.html


Current Survey            2009 Survey (fields with a score >75)
=================================================================
Description               Description
Potential Mitigations     Applicable Platforms
Common Consequences       ** Time of Introduction
Applicable Platforms      Demonstrative Examples
Likelihood of Exploit     ** Detection Factors
Demonstrative Examples    Likelihood of Exploit
** Observed Examples      Relationships
Relationships             Common Consequences
                          ** References
                          Potential Mitigations

** = only in one list

This exercise is being performed in an attempt to improve the usability of the CWE by creating a simplified default view that only displays the most commonly needed fields. Some of the feedback we have received in the past is that new users to the site have a hard time comprehending an individual entry due to the amount of rich data presented. This confusion drives them away. Initial users often are looking for a description and some supporting info.

Our hope is that by simplifying the default view, while still enabling a complete view for those power users, that we will make CWE more useful to all.

Based on the feedback from this exercise, I'd like to propose that the simplified default view contain the following fields:


 Description
 Applicable Platforms
 Likelihood of Exploit
 Common Consequences
 Potential Mitigations
 Demonstrative Examples
 Relationships


Our plan moving forward is to adjust the "presentation filter" on the individual weakness pages. This will enable the page to start with a simplified view, yet allow the user to change to the complete view.

Our goal is to make CWE easier to use and understand for both new and power users. This will complement some other small changes we are working on to help everyone navigate and find the CWEs they are interested in. The hope is to implement these changes in a site update in the next month or so.

Thank you all again for your feedback.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515
