CWRAF v0.4 – Common Weakness Risk Analysis Framework for CWSS Now Available

The Common Weakness Risk Analysis Framework (CWRAF) provides a way for organizations to apply the Common Weakness Scoring System (CWSS) using specialized scenarios (“vignettes”) that identify the business value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies. In conjunction with other activities, CWRAF ultimately helps software developers and consumers to introduce more secure software into their operational environments.

CWRAF includes a mechanism for measuring risk of weaknesses in a way that is closely linked with the risk to the business or mission; supports the automatic selection and prioritization of relevant weaknesses, customized to the specific needs of the business or mission; can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance; and allows users to create custom Top-N lists to rank classes of weaknesses independent of any particular software package, in order to prioritize them relative to each other (e.g., “buffer overflows are higher priority than memory leaks”). This “Top-N list” approach is also used by the CWE/SANS Top 25, OWASP Top Ten, and similar efforts.

http://cwe.mitre.org/cwraf/CWRAF-rels-Small.jpg

CWRAF, which is a part of the CWE project, is co-sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security. We encourage members of the community to review the CWRAF specification and send feedback to cwss@mitre.org.

More Information

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"
Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

Strengthening Security: ToolsWatch Welcomes Dr. Magda Lilia Chelly and Vivek Ramachandran to Black Hat Arsenal’s Board of Review

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

GISEC Armory Edition 1 Dubai 2024 – Call For Tools is Open

Black Hat Arsenal 2024 Next Stop Singapore !

Black Hat Arsenal 2024 Next Stop Singapore !

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

ToolsWatch introducing Armory at Gisec 2024 in Dubai: A New Arena for Cybersecurity Open Source Tools Announced

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Unveiling the Awesome Lineup for Black Hat MEA Arsenal 2023 in Riyadh, KSA

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community

Announcing the First Black Hat / ToolsWatch SecTor Toronto 2023 Arsenal Tools and Their Impact on the Community