Security Engineering (SE) Workbench



Security Vulnerability Explorer Exercises

1. Explore the CWE Vulnerability and Weakness Tool

  1. Initialize the tool by loading it or by resetting the filters
  2. Review the instructional information in the table header, then click the Show/Hide button to hide the instructions
  3. Observe the column filter pulldown menus, the visible columns, the text search field, and the data rows and cells.
  4. Observe the options within the Column Visibility function.
  5. Observe the options within the Select Data function.
  6. Observe the options within the Export Data function.
  7. Scroll down to the bottom of the page and note the number of entries in the CWE data.

2. Explore the CWE entries associated with the Open Web Application Security Project (OWASP)

  1. Reset the filters or reload the tool
  2. Use the pulldown menu labeled "Reference Views" to filter the CWE entries related to "OWASP Top 10 2021"
  3. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) file containing the CWE entries for "OWASP Top 10 2021"

3. Explore the testing/assurance strategies for CWE entries associated with the Open Web Application Security Project (OWASP)

  1. Reset the filters or reload the tool
  2. Use the pulldown menu labeled "Reference Views" to filter the CWE entries related to "OWASP Top 10"
  3. Use the pulldown menu for Assurance Strategy and select "Design Review"
  4. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) file containing the CWE entries for "OWASP Top 10"

4. Explore the CWE entries associated with the Mitre Top Software Weaknesses List

  1. Reset the filters or reload the tool
  2. Use the pulldown menu labeled "Reference Views" to filter the CWE entries related to "CWE SW-2021"
  3. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) file containing the CWE entries for "CWE SW-2021"

5. Explore the CWE entries associated with the Mitre Top Hardware Weaknesses List

  1. Reset the filters or reload the tool
  2. Use the pulldown menu labeled "Reference Views" to filter the CWE entries related to "CWE HW-2021"
  3. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) file containing the CWE entries for "CWE HW-2021"

6. Explore the Categories and CWE entries associated with Hardware Design. Software Development issues can be explored the same way.

  1. Reset the filters or reload the tool
  2. Use the pulldown menu labeled "HW-Design View Detail" to review the categories of weaknesses associated with HW-Design
  3. Use the pulldown menu labeled "HW-Design View Detail" to select one or more HW-Design categories to review the CWEs in the selected categories
  4. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  5. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) file containing the CWE entries for "HW-Design"

7. Explore the CWE entries associated with "buffer overflow"

  1. Reset the filters or reload the tool
  2. Use the Search Field to find the weaknesses associated with the term "buffer overflow". How many CWE entries are in that list?
  3. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Review the visible entries. How many CWEs are in the list?

8. Explore the CWE entries by "Exploit Likelihood"

  1. Reset the filters or reload the tool
  2. Use the Column Visibility button to show the "Exploit Likelihood" Column
  3. Optionally, Use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Optionally, use the pulldown menu labeled "Typical Likelihood" to select one or more values: "High", "Medium", "Low" or "Not Provided".
  5. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) or PDF file

9. Explore the CWE entries based on the Impact

  1. Reset the filters or reload the tool
  2. Use the pulldown menu labeled "Exploit Impact" to select "DoS: Resource Consumption (CPU)".
  3. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) or PDF file
  5. Optionally use a combination of pulldown menus to explore the CWE entries whose Impact includes "Resource Consumption" and whose Likelihood is "Low". What are the attacks? What are the recommendations to reduce the likelihood of these attacks?

10. Explore the CWE entries based on Technology affinity

  1. Reset the filters or reload the tool
  2. Enter a quoted string into the Search field to select a set of relevant entries from Target Technologies or other fields. Some examples:
    • enter "Class: Web Based" - to display CWEs related to programming for Web applications.
    • enter "Class: ICS/OT" - to display CWEs related to Industrial Control Systems and Operational Technology.
    • enter "Name: JavaScript" - to display CWEs related to JavaScript programming and code.
    • enter "Name: PHP" - to display CWEs related to PHP programming and code.
    • enter "Name: Java" - to display CWEs related to Java programming and code.
    • enter "Name: C++" or "Name: C" - to display CWEs related to C or C++ programming and code.
    • enter "Class: Assembly" - to display CWEs related to Assembly Language programming and code.
  3. Optionally use the "Show" pulldown menu to change the number of entries visible on the web page from 10 to 100.
  4. Optionally create an output file:
    • Use the Select Data button to Select the "filtered" CWE entries
    • Use the Export Data button to create a spreadsheet (CSV) or PDF file

11. Create a Security Vulnerability Assessment Worksheet

  1. Reset the filters or reload the tool
  2. Use one of the following methods to select attacks of interest from the data in the tool.
    • Use the cursor to highlight individual items
    • Use filters to select groups of items: for example, enter a text string such as "buffer overflow" or "SQL injection", or select one or more reference lists such as "OWASP 2021" or "CWE Hardware". Afterward, use the "Select Data" button and "Select Filtered Data"
  3. Create the Assessment Worksheet by accessing the Assessment CSV button within the Export Data function
  4. Open the downloaded CSV file in a local spreadsheet program
  5. Format the downloaded spreadsheet by:
    • Setting row 1 to bold text to highlight the column headers
    • Selecting the entire spreadsheet and enabling text wrap
    • Selecting and stretching the column identifiers A through L to show the spreadsheet content
    • Optionally setting cell alignment to top
    • Saving the changes to a local file
    • Working with the file to assign and track work items
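As an added example (not part of the original workbench exercises), the filter combinations from exercises 9 and 10 and the assessment worksheet of exercise 11 applied with Python to a small CSV export; the column names and the sample rows are assumptions made here, not the tool's actual export layout, and the likelihood and impact values in the rows are constructed for illustration.

```python
import csv
import io

# Constructed sample in the shape of an export from the tool. Column names are
# assumed to follow the filter labels used in the exercises; row values are
# illustrative only and do not claim to match the CWE database.
SAMPLE_EXPORT = """\
CWE-ID,Name,Reference Views,Typical Likelihood,Exploit Impact,Target Technologies
CWE-400,Uncontrolled Resource Consumption,CWE SW-2021,High,DoS: Resource Consumption (CPU),Class: Not Technology-Specific
CWE-1050,Excessive Platform Resource Consumption in a Loop,,Low,DoS: Resource Consumption (CPU),Class: Not Technology-Specific
CWE-79,Improper Neutralization of Input During Web Page Generation,OWASP Top 10 2021;CWE SW-2021,High,Read Application Data,Class: Web Based
CWE-1241,Use of Predictable Algorithm in Random Number Generator,CWE HW-2021,Not Provided,Bypass Protection Mechanism,Class: System on Chip
"""


def load_export(text):
    """Parse an exported CSV into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def matches(row, search=None, reference_view=None, likelihood=None, impact=None):
    """Mirror the tool's filters: free-text search over every cell (exercise 10),
    Reference Views membership (exercises 2-5), a set of Typical Likelihood
    values (exercise 8) and an Exploit Impact substring (exercise 9)."""
    if search and not any(search.lower() in v.lower() for v in row.values()):
        return False
    if reference_view and reference_view not in row["Reference Views"].split(";"):
        return False
    if likelihood and row["Typical Likelihood"] not in likelihood:
        return False
    if impact and impact.lower() not in row["Exploit Impact"].lower():
        return False
    return True


def filter_export(rows, **filters):
    """Return the rows that survive every filter given (the 'filtered' selection)."""
    return [r for r in rows if matches(r, **filters)]


def assessment_worksheet(rows):
    """Exercise 11: emit the selected entries as an assessment CSV with
    Owner/Status/Notes columns appended so work items can be assigned and tracked."""
    out = io.StringIO()
    fields = ["CWE-ID", "Name", "Typical Likelihood", "Exploit Impact", "Owner", "Status", "Notes"]
    writer = csv.DictWriter(out, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for r in rows:
        writer.writerow({**r, "Owner": "", "Status": "Open", "Notes": ""})
    return out.getvalue()
```

Running `assessment_worksheet(filter_export(load_export(SAMPLE_EXPORT), impact="Resource Consumption", likelihood={"Low"}))` reproduces the exercise 9 step 5 selection as a worksheet ready to open in a spreadsheet program.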


Copyright © 2022 Jim Whitmore.

LAST UPDATE: 14 April 2022