Published on December 20th, 2010 | by NJ Ouchn
Common Weakness Scoring System (CWSS) v0.1 released
When a security analysis of an application is performed, for example with a code auditing tool, developers often face hundreds or thousands of individual bug reports against their source code. Because of that volume, developers are forced to prioritize which issues to fix first. Similarly, when assessing design and architecture choices and their weaknesses, there needs to be a method for prioritizing them relative to each other and to the other issues in the application. Software consumers also want to know what they should worry about most, and what to ask for from their vendors and suppliers in order to get a more secure product.
So for each weakness in the architecture, design, code or implementation that might be introduced into an application, and that in some cases can contribute to a vulnerability in that software, we need to be able to reason and communicate about its importance relative to other weaknesses. For example, a buffer overflow vulnerability might arise from a weakness in which the programmer does not properly validate the length of an input buffer. That weakness only becomes a vulnerability if the input buffer can be influenced by a malicious party and the malicious buffer is copied into a smaller buffer; the same weakness in code that only ever sees trusted, fixed-size input is still a weakness, but a far less important one.
While various scoring methods are in use today, they are either ad hoc or ill-suited to the still-imprecise evaluation of software security.
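To make the buffer-overflow example concrete, the following C program is an added illustration (not code from the CWSS document or from MITRE). It assumes a constructed wire format, a one-byte length followed by that many bytes of user name, parsed into a fixed arena where a 16-byte name field is followed immediately by a one-byte privilege flag. The weak parser checks the length against the message (so it never reads out of bounds) but not against the destination; the hardened parser also checks the destination and refuses input that would not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example: a fixed arena holding a
 * NUL-terminated user name followed immediately by a one-byte privilege flag. */
#define NAME_SIZE  16
#define FLAG_OFF   NAME_SIZE
#define ARENA_SIZE 32

/* Assumed wire format: [1-byte len][len bytes of name]. */

/* Weak parser: len is checked against the message, so the read stays in
 * bounds, but never against the 16-byte destination. An attacker-chosen
 * len up to 255 walks straight over the flag that follows the name. */
int parse_name_weak(uint8_t *arena, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (len > msg_len - 1)
        return -1;                       /* source bound: present */
    memcpy(arena, msg + 1, len);         /* destination bound: missing */
    return 0;
}

/* Hardened parser: rejects any name that does not fit with its terminator.
 * Rejecting is preferable to silent truncation, which can itself change
 * meaning (a long name truncated into a different, valid one). */
int parse_name_safe(uint8_t *arena, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (len > msg_len - 1)
        return -1;
    if (len >= NAME_SIZE)
        return -2;                       /* would overflow the name field: refuse */
    memcpy(arena, msg + 1, len);
    arena[len] = '\0';
    return 0;
}

struct parse_result {
    int rc;            /* parser return code */
    uint8_t is_admin;  /* flag byte observed after parsing */
};

/* Constructed malicious message: len = 17, sixteen 'A's fill the name field
 * and the seventeenth byte (0x01) lands on the privilege flag. */
size_t build_attack_msg(uint8_t *out, size_t out_size)
{
    if (out_size < 1 + NAME_SIZE + 1)
        return 0;
    out[0] = NAME_SIZE + 1;
    memset(out + 1, 'A', NAME_SIZE);
    out[1 + NAME_SIZE] = 0x01;
    return 1 + NAME_SIZE + 1;
}

/* Run one parser over a message on a zeroed arena (is_admin starts at 0)
 * and report both its verdict and the flag byte afterwards. */
struct parse_result run_message(int (*parser)(uint8_t *, const uint8_t *, size_t),
                                const uint8_t *msg, size_t msg_len)
{
    uint8_t arena[ARENA_SIZE] = {0};
    struct parse_result r;
    r.rc = parser(arena, msg, msg_len);
    r.is_admin = arena[FLAG_OFF];
    return r;
}

/* Same, with the constructed attack message. */
struct parse_result run_attack(int (*parser)(uint8_t *, const uint8_t *, size_t))
{
    uint8_t msg[ARENA_SIZE];
    size_t msg_len = build_attack_msg(msg, sizeof msg);
    return run_message(parser, msg, msg_len);
}

int main(void)
{
    struct parse_result w = run_attack(parse_name_weak);
    struct parse_result s = run_attack(parse_name_safe);
    printf("weak: rc=%d is_admin=%u\n", w.rc, w.is_admin);   /* rc=0 is_admin=1 */
    printf("safe: rc=%d is_admin=%u\n", s.rc, s.is_admin);   /* rc=-2 is_admin=0 */
    return 0;
}
```

The point for scoring is the second sentence of the paragraph above: `parse_name_weak` is the same weakness whether it is reachable from the network or only from a hard-coded configuration string, but only in the first case does the clobbered flag become an exploitable vulnerability, and that context is what a weakness score has to capture.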
The Common Weakness Scoring System (CWSS), co-sponsored by the National Cyber Security Division (NCSD) of the US Department of Homeland Security (DHS), and led by MITRE’s CWE project, intends to address this problem.
As we develop CWSS, we will explore what others have done in codifying and communicating about severity. CWSS may borrow heavily from the Common Vulnerability Scoring System (CVSS), but other efforts will be examined as well.
The CWSS 0.1 document covers the following:
- Design Considerations
- Scoring Methods within CWSS
  - Aggregated Scoring Methods: Measuring Weakness Surface
  - Context-adjusted Scoring using Vignettes (Vignette-oriented Scoring)
- Technical Impact Analysis for CWE Entries
  - Vignette-Oriented Technical Impact Scoring
  - Scoring Variation between Vignettes
- CWSS 0.1 Scoring
  - Prevalence Assessment
  - Importance Assessment
  - Scoring Example: Retail/WWW Vignette
  - Scoring Differences between Vignettes
- Considerations for CWSS beyond 0.1
  - Current Limitations of the Technical Impact Model
  - Considerations for Targeted Scoring
  - Considerations for Generalized Scoring
  - Considerations for Changes in Scoring Factors
  - Other Scoring Challenges
- Additional CWSS Factors
  - Potential Factors for Targeted Scoring
  - Potential Factors for Generalized Scoring
  - Additional Factors for both Targeted and Generalized Scoring
- Future Activities
- Community Participation in CWSS
- Appendix: Other Scoring Methods
  - 2008 CWSS Kickoff Meeting
  - SANS/CWE Top 25
  - OWASP Top Ten
- Change Log