ESAPI control coverage of CWEs
This page covers the relationships between ESAPI controls and the CWE entries that are eliminated or reduced by the application of those controls.
- CWE-287: Insufficient Authentication (the entry is now named Improper Authentication)
- Session Management
- Access Control
- CWE-330: Use of Insufficiently Random Values
- Error Handling
- Intrusion Detection
- HTTP Protection
Considerations for the Mapping
The mapping is notional; it is not complete.
Just because a feature is mapped to a CWE does not mean that the feature covers every child node of that CWE.
It would be useful to map individual API method names, not just whole features.
The CWE team can provide a "coverage graph" that highlights the location of a subset of CWEs within the context of the entire CWE hierarchy. This could be used to conduct a gap analysis showing which CWEs ESAPI does not address, which would be useful to ESAPI consumers and would also identify possible future requirements for ESAPI itself. See the graphical depictions of the CWE OWASP Top Ten views for examples.
Only CWE identifiers associated with weaknesses were reviewed. (Some CWE entries are categories that organize weaknesses rather than being weaknesses themselves.) Only the most abstract CWE identifiers were mapped, on the assumption that their lower-level variants are also covered, based on the hierarchy imposed by CWE-1000, the Research Concepts view, which has a different hierarchical structure than CWE-699, the Development Concepts view. A weakness can therefore sit under a mapped parent in one view and not the other.
As of December 2008, there are two different approaches for conducting mappings: "literal", in which you only map to a CWE if it is specifically mentioned or addressed, and "implied", in which you map to a CWE if it is associated with general concepts. For example, the API functions for output encoding imply some protection against SQL injection (CWE-89), cross-site scripting (CWE-79), and others, even though no ESAPI method names those CWEs. The initial CWE/ESAPI mapping was implied.
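The two rules above (a mapped abstract CWE covers its CWE-1000 descendants; rows are either literal or implied) and the gap analysis suggested earlier can be made mechanical. The following Python is an added example, not code from the ESAPI project or the CWE team. It uses a small constructed subset of the CWE-1000 parent/child tree (a real analysis would load the full hierarchy from the CWE XML), and the mapping rows, the ESAPI control names Authenticator, Randomizer and Encoder, and which rows count as literal versus implied are assumptions for illustration; CWE-287 and CWE-330 are the two identifiers this page lists, and the Encoder rows are the implied XSS/SQL-injection coverage the text mentions.

```python
"""Expand a notional ESAPI-control -> CWE mapping down the CWE-1000 hierarchy
and report which CWEs in the (sample) hierarchy no control covers."""
from collections import deque

# Constructed subset of the CWE-1000 Research Concepts hierarchy, parent -> children.
# The edges are ChildOf relationships from the CWE-1000 view, but the tree is far
# from complete; verify against the CWE release you use and load the full XML for
# a real gap analysis.
CWE_CHILDREN = {
    "CWE-287": ["CWE-306"],            # Improper Authentication -> Missing Authentication for Critical Function
    "CWE-330": ["CWE-331", "CWE-338"], # Insufficiently Random Values -> Insufficient Entropy, weak PRNG
    "CWE-74": ["CWE-79", "CWE-943"],   # Injection -> XSS, Improper Neutralization in Data Query Logic
    "CWE-943": ["CWE-89"],             # -> SQL Injection
    "CWE-400": ["CWE-770"],            # Uncontrolled Resource Consumption -> Allocation Without Limits
}

# Illustrative mapping rows: (ESAPI control, CWE id, "literal" or "implied").
# Control names are ESAPI interface names assumed here for illustration; which
# rows are literal and which are implied is an assumption, not the project's mapping.
ESAPI_MAPPING = [
    ("Authenticator", "CWE-287", "literal"),
    ("Randomizer", "CWE-330", "literal"),
    ("Encoder", "CWE-79", "implied"),   # output encoding implies some XSS protection
    ("Encoder", "CWE-89", "implied"),   # and some SQL injection protection
]


def all_cwes(children=CWE_CHILDREN):
    """Every CWE id that appears in the hierarchy, as parent or child."""
    ids = set(children)
    for kids in children.values():
        ids.update(kids)
    return ids


def descendants(cwe_id, children=CWE_CHILDREN):
    """The CWE itself plus every transitive child in the hierarchy (breadth-first)."""
    seen = {cwe_id}
    queue = deque([cwe_id])
    while queue:
        node = queue.popleft()
        for kid in children.get(node, []):
            if kid not in seen:
                seen.add(kid)
                queue.append(kid)
    return seen


def expand_mapping(mapping=ESAPI_MAPPING, children=CWE_CHILDREN, include_implied=True):
    """Map each covered CWE id to the set of controls that cover it.

    Mapping an abstract CWE is taken to cover all of its lower-level variants,
    which is the rule the page describes for the CWE-1000 view. Implied rows
    can be excluded to see what a strictly literal mapping would claim.
    """
    covered = {}
    for control, cwe_id, kind in mapping:
        if kind == "implied" and not include_implied:
            continue
        for node in descendants(cwe_id, children):
            covered.setdefault(node, set()).add(control)
    return covered


def gap_analysis(covered, children=CWE_CHILDREN):
    """CWE ids in the hierarchy that no control covers, in numeric order."""
    missing = all_cwes(children) - set(covered)
    return sorted(missing, key=lambda c: int(c.split("-")[1]))


if __name__ == "__main__":
    full = expand_mapping()
    literal_only = expand_mapping(include_implied=False)
    print("gaps with implied rows:", gap_analysis(full))
    print("gaps with literal rows only:", gap_analysis(literal_only))
```

Running the gap analysis twice, once with and once without the implied rows, shows why the distinction matters to a consumer: the literal-only view lists CWE-79 and CWE-89 as uncovered, while the implied view hides them behind the Encoder, even though the encoder alone does not close every variant of either weakness (parameterised queries, not encoding, are the primary defence for CWE-89).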