CWE-1059: Insufficient Technical Documentation

Weakness ID: 1059
Vulnerability Mapping: PROHIBITED (this CWE ID must not be used to map to real-world vulnerabilities)
Abstraction: Class (a weakness that is described in a very abstract fashion, typically independent of any specific language or technology; more specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.)
Description

The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc.

Extended Description

When technical documentation is limited or lacking, products are more difficult to maintain. This indirectly affects security by making it more difficult or time-consuming to find and/or fix vulnerabilities. When using time-limited or labor-limited third-party/in-house security consulting services (such as threat modeling, vulnerability discovery, or pentesting), insufficient documentation can force those consultants to invest unnecessary time in learning how the product is organized, instead of focusing their expertise on finding the flaws or suggesting effective mitigations.

With respect to hardware design, the lack of a formal, final manufacturer reference can make it difficult or impossible to evaluate the final product, including post-manufacture verification. One cannot ensure that design functionality or operation is within acceptable tolerances, conforms to specifications, and is free from unexpected behavior. Hardware-related documentation may include engineering artifacts such as hardware description languages (HDLs), netlists, Gerber files, Bills of Materials, EDA (Electronic Design Automation) tool files, etc.

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood
---|---|---
Other | Technical Impact: Varies by Context; Hide Activities; Reduce Reliability; Quality Degradation; Reduce Maintainability. Without a method of verification, one cannot be sure that everything only functions as expected. | 
Potential Mitigations

Phases: Documentation; Architecture and Design
Ensure that design documentation is detailed enough to allow for post-manufacturing verification.
Relationships

This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.

Relevant to the view "Research Concepts" (CWE-1000)

Nature | Type | ID | Name
---|---|---|---
ChildOf | Pillar | 710 | Improper Adherence to Coding Standards
ParentOf | Base | 1053 | Missing Documentation for Design
ParentOf | Base | 1110 | Incomplete Design Documentation
ParentOf | Base | 1111 | Incomplete I/O Documentation
ParentOf | Base | 1112 | Incomplete Documentation of Program Execution
ParentOf | Base | 1118 | Insufficient Documentation of Error Handling Techniques

Pillar: a weakness that is the most abstract type of weakness and represents a theme for all class/base/variant weaknesses related to it. A Pillar is different from a Category as a Pillar is still technically a type of weakness that describes a mistake, while a Category represents a common characteristic used to group related things.

Base: a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
Relevant to the view "Hardware Design" (CWE-1194)

Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

Phase | Note
---|---
Architecture and Design | 
Documentation | 
Observed Examples

Reference | Description
---|---
 | A wireless access point manual specifies that the only method of configuration is via web interface (CWE-1059), but there is an undisclosed telnet server that was activated by default (CWE-912).
Weakness Ordinalities

Ordinality | Description
---|---
Indirect | (where the weakness is a quality issue that might indirectly make it easier to introduce security-relevant weaknesses or make them more difficult to detect)
Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Vulnerability Mapping Notes

Usage: PROHIBITED (this CWE ID must not be used to map to real-world vulnerabilities)
Reason: Other
Rationale: This entry is primarily a quality issue with no direct security implications.
Comments: Look for weaknesses that are focused specifically on insecure behaviors that have more direct security implications.
Taxonomy Mappings

Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
ISA/IEC 62443 | Part 2-4 | | Req SP.02.03 BR
ISA/IEC 62443 | Part 2-4 | | Req SP.02.03 RE(1)
ISA/IEC 62443 | Part 2-4 | | Req SP.03.03 RE(1)
ISA/IEC 62443 | Part 4-1 | | Req SG-1
ISA/IEC 62443 | Part 4-1 | | Req SG-2
ISA/IEC 62443 | Part 4-1 | | Req SG-3
ISA/IEC 62443 | Part 4-1 | | Req SG-4
ISA/IEC 62443 | Part 4-1 | | Req SG-5
ISA/IEC 62443 | Part 4-1 | | Req SG-6
ISA/IEC 62443 | Part 4-1 | | Req SG-7
References

[REF-1254] FDA. "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Draft Guidance for Industry and Food and Drug Administration Staff (DRAFT GUIDANCE)". 2022-04-08. <https://www.fda.gov/media/119933/download>.
Content History

Submissions

Submission Date | Submitter | Organization | Comment
---|---|---|---
2018-07-02 (CWE 3.2, 2019-01-03) | CWE Content Team | MITRE | Entry derived from Common Quality Enumeration (CQE) Draft 0.9.

Contributions

Contribution Date | Contributor | Organization | Comment
---|---|---|---
2021-06-11 | Paul A. Wortman | Wells Fargo | Submitted hardware-specific information about a "golden standard" that was integrated into this entry
2023-04-25 | "Mapping CWE to 62443" Sub-Working Group | CWE-CAPEC ICS/OT SIG | Suggested mappings to ISA/IEC 62443.

Modifications

Modification Date | Modifier | Organization | Comment
---|---|---|---
2020-02-24 | CWE Content Team | MITRE | updated Relationships
2022-04-28 | CWE Content Team | MITRE | updated Applicable_Platforms, Common_Consequences, Description, Name, Potential_Mitigations, References, Relationships, Time_of_Introduction
2023-01-31 | CWE Content Team | MITRE | updated Applicable_Platforms, Relationships
2023-04-27 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings
2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes, Taxonomy_Mappings
2023-10-26 | CWE Content Team | MITRE | updated Observed_Examples
2024-02-29 (CWE 4.14, 2024-02-29) | CWE Content Team | MITRE | updated Mapping_Notes

Previous Entry Names

Change Date | Previous Entry Name
---|---
2022-04-28 | Incomplete Documentation