A Suite of Metrics for Calculating the Most Significant Security Relevant Software Flaw Types
Peter Mell, Assane Gueye

TL;DR
This paper develops a set of metrics using CWE taxonomy graphs and vulnerability data to identify the most significant security-relevant software flaw types based on frequency, impact, exploitability, and severity.
Contribution
It introduces a novel approach combining CWE taxonomies with vulnerability analysis to quantify the significance of different software weakness types.
Findings
Metrics effectively rank CWE weaknesses by significance.
Graphs reveal relationships and impact of different flaw types.
Approach aids prioritization in security assessments.
Abstract
The Common Weakness Enumeration (CWE) is a prominent list of software weakness types. This list is used by vulnerability databases to describe the underlying security flaws within analyzed vulnerabilities. This linkage opens the possibility of using the analysis of software vulnerabilities to identify the most significant weaknesses that enable those vulnerabilities. We accomplish this through creating mashup views combining CWE weakness taxonomies with vulnerability analysis data. The resulting graphs have CWEs as nodes, edges derived from multiple CWE taxonomies, and nodes adorned with vulnerability analysis information (propagated from children to parents). Using these graphs, we develop a suite of metrics to identify the most significant weakness types (using the perspectives of frequency, impact, exploitability, and overall severity).
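The mashup view described in the abstract (taxonomy edges between CWE nodes, vulnerability data propagated from children to parents, then ranked on frequency, impact, exploitability and severity) can be illustrated with a small script. The following is an added example, not code from the paper: the taxonomy edges are a simplified, hand-picked excerpt of CWE parent relations, the vulnerability records use placeholder ids and invented CVSS subscores, and aggregating each metric as a mean over the vulnerabilities reaching a node is an assumption made here, since the paper's exact formulas are not on this page.

```python
"""Toy CWE mashup graph: taxonomy edges plus vulnerability data propagated
from child weaknesses to all ancestors, then ranked per metric."""
from collections import defaultdict
from statistics import mean

# Constructed, simplified excerpt of CWE parent relations (child -> parents).
# Merging several CWE views can give a node more than one parent, so the
# structure is a DAG rather than a tree; the ancestor walk below handles that.
TAXONOMY_EDGES = {
    "CWE-79":  ["CWE-74"],    # cross-site scripting -> injection
    "CWE-89":  ["CWE-74"],    # SQL injection -> injection
    "CWE-74":  ["CWE-707"],   # injection -> improper neutralization
    "CWE-20":  ["CWE-707"],   # improper input validation -> improper neutralization
    "CWE-787": ["CWE-119"],   # out-of-bounds write -> buffer bounds
    "CWE-125": ["CWE-119"],   # out-of-bounds read -> buffer bounds
    "CWE-119": ["CWE-118"],
    "CWE-118": ["CWE-664"],
}

# Constructed vulnerability records with placeholder ids and invented scores:
# (id, mapped CWEs, CVSS base score, impact subscore, exploitability subscore)
VULNS = [
    ("VULN-0001", ["CWE-79"],            6.1, 2.7, 2.8),
    ("VULN-0002", ["CWE-79"],            5.4, 2.7, 2.3),
    ("VULN-0003", ["CWE-89"],            9.8, 5.9, 3.9),
    ("VULN-0004", ["CWE-787"],           8.8, 5.9, 2.8),
    ("VULN-0005", ["CWE-125"],           7.5, 3.6, 3.9),
    ("VULN-0006", ["CWE-787", "CWE-20"], 9.8, 5.9, 3.9),  # mapped to two CWEs
    ("VULN-0007", ["CWE-20"],            7.5, 3.6, 3.9),
]


def ancestors(cwe, edges=TAXONOMY_EDGES):
    """All transitive parents of a CWE; the visited set stops re-walking
    ancestors shared by several paths in the DAG."""
    seen, stack = set(), list(edges.get(cwe, []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, []))
    return seen


def build_graph(vulns=VULNS, edges=TAXONOMY_EDGES):
    """Attach each vulnerability to its CWEs and to every ancestor of them.
    A dict keyed by vulnerability id per node prevents double counting when a
    vulnerability reaches the same ancestor through two paths or two CWEs."""
    node_vulns = defaultdict(dict)
    for rec in vulns:
        vid, cwes = rec[0], rec[1]
        targets = set()
        for c in cwes:
            targets.add(c)
            targets |= ancestors(c, edges)
        for t in targets:
            node_vulns[t][vid] = rec
    return node_vulns


def metrics(node_vulns):
    """Per-node frequency plus mean impact, exploitability and severity
    (mean aggregation is this example's assumption, not the paper's formula)."""
    out = {}
    for cwe, recs in node_vulns.items():
        rows = list(recs.values())
        out[cwe] = {
            "frequency": len(rows),
            "impact": round(mean(r[3] for r in rows), 2),
            "exploitability": round(mean(r[4] for r in rows), 2),
            "severity": round(mean(r[2] for r in rows), 2),
        }
    return out


def rank(metric_table, key):
    """CWE ids sorted most significant first on one metric; ties break on id."""
    return sorted(metric_table, key=lambda c: (-metric_table[c][key], c))


if __name__ == "__main__":
    table = metrics(build_graph())
    for key in ("frequency", "impact", "exploitability", "severity"):
        print(key, rank(table, key)[:3])
```

Note how VULN-0006 is mapped to both CWE-787 and CWE-20 but counts only once at their shared ancestor CWE-707; without the per-node de-duplication, a multi-view taxonomy would inflate the frequency of high-level nodes. The ranking shows the perspectives diverging: the abstract injection/neutralization node leads on frequency, while the leaf SQL injection node leads on mean severity, which is why the paper reports several metrics rather than one.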
