
Published on December 20th, 2010 | by NJ Ouchn


Common Weakness Scoring System (CWSS) v0.1 released

When a security analysis of an application is performed, such as when using a code auditing tool, developers often face hundreds or thousands of individual bug reports for their source code. Due to the volume, developers are forced into a situation in which they must prioritize which issues they should fix first. Similarly, when assessing design and architecture choices and their weaknesses, there needs to be a method for prioritizing them relative to each other and to the other issues of the application. Also, software consumers want to know what they should worry about the most, and what to ask for in order to get a more secure product from their vendors and suppliers.

So for each weakness in the architecture, design, code or implementation that might be introduced into an application, which in some cases can contribute to a vulnerability within that software, we need to be able to reason and communicate about the relative importance of different weaknesses. For example, a buffer overflow vulnerability might arise from a weakness in which the programmer does not properly validate the length of an input buffer. This weakness only contributes to a vulnerability if the input buffer can be influenced by a malicious party, and the malicious buffer is copied to a smaller buffer.
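To make the buffer-length example above concrete, here is an added C illustration that is not part of the CWSS document or of MITRE's material. It places the weakness (a copy into a fixed-size record with no length validation) next to a hardened form that validates the length first and rejects input that does not fit. The record size `RECORD_LEN`, the function names `copy_record_unchecked`, `copy_record_checked` and `input_overflows_record`, and the sample inputs are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size record; 16 bytes including the terminating NUL. */
#define RECORD_LEN 16

/* The weakness: the input is copied into a fixed-size record without
 * validating its length. strcpy writes strlen(input)+1 bytes whatever
 * RECORD_LEN is, so input longer than 15 characters overruns the record.
 * The function only becomes a vulnerability when `input` can be chosen
 * by an untrusted party, which is exactly the distinction the text draws.
 * Hypothetical function, not code from the CWSS document. */
void copy_record_unchecked(char record[RECORD_LEN], const char *input)
{
    strcpy(record, input);
}

/* Returns 1 if `input` would not fit in a RECORD_LEN record (no NUL within
 * the first RECORD_LEN bytes), 0 otherwise. memchr stops at the first match,
 * so it never reads past a terminator that lies inside the window. */
int input_overflows_record(const char *input)
{
    return memchr(input, '\0', RECORD_LEN) == NULL;
}

/* Hardened form: the length is validated before any write, and oversized
 * input is rejected rather than silently truncated, so the caller can log
 * or refuse it. Returns 0 on success and -1 when the input does not fit;
 * on rejection the record is left as an empty string. */
int copy_record_checked(char record[RECORD_LEN], const char *input)
{
    const char *nul = memchr(input, '\0', RECORD_LEN);
    if (nul == NULL) {
        record[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(nul - input);   /* < RECORD_LEN, so len+1 fits */
    memcpy(record, input, len + 1);
    return 0;
}

int main(void)
{
    char record[RECORD_LEN];
    /* Constructed inputs: one that fits, one that does not. */
    const char *fits = "id=42";
    const char *too_long = "id=42;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    copy_record_unchecked(record, fits);   /* safe only because `fits` is short */
    printf("unchecked copy of short input: %s\n", record);
    printf("long input would overflow the record: %d\n", input_overflows_record(too_long));
    printf("checked copy of long input: rc=%d\n", copy_record_checked(record, too_long));
    printf("checked copy of short input: rc=%d record=%s\n",
           copy_record_checked(record, fits), record);
    return 0;
}
```

The point for scoring is visible in the two functions: the weakness exists in `copy_record_unchecked` regardless of who calls it, but its severity depends on whether `input` is attacker-influenced and on how much larger it can be than the record, which is the kind of context a scoring system has to capture.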

While various scoring methods are used today, they are either ad hoc or ill-suited to the still-imprecise evaluation of software security.

The Common Weakness Scoring System (CWSS), co-sponsored by the National Cyber Security Division (NCSD) of the US Department of Homeland Security (DHS), and led by MITRE’s CWE project, intends to address this problem.

As we develop CWSS, we will explore what others have done in codifying and communicating about severity. CWSS may borrow heavily from the Common Vulnerability Scoring System (CVSS), but other efforts will be examined as well.
