CWRAF v0.4 – Common Weakness Risk Analysis Framework for CWSS Now Available
The Common Weakness Risk Analysis Framework (CWRAF) provides a way for organizations to apply the Common Weakness Scoring System (CWSS) using specialized scenarios (“vignettes”) that identify the business value context of deployed applications in order to prioritize those software weaknesses in CWE that are most relevant to their own businesses, missions, and deployed technologies. In conjunction with other activities, CWRAF ultimately helps software developers and consumers to introduce more secure software into their operational environments.
CWRAF includes a mechanism for measuring risk of weaknesses in a way that is closely linked with the risk to the business or mission; supports the automatic selection and prioritization of relevant weaknesses, customized to the specific needs of the business or mission; can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance; and allows users to create custom Top-N lists to rank classes of weaknesses independent of any particular software package, in order to prioritize them relative to each other (e.g., “buffer overflows are higher priority than memory leaks”). This “Top-N list” approach is also used by the CWE/SANS Top 25, OWASP Top Ten, and similar efforts.
CWRAF, which is a part of the CWE project, is co-sponsored by the Software Assurance program in the National Cyber Security Division of the U.S. Department of Homeland Security. We encourage members of the community to review the CWRAF specification and send feedback to firstname.lastname@example.org.