Measurements of the Most Significant Software Security Weaknesses
Carlos Cardoso Galhardo, Peter Mell, Irena Bojanova, Assane Gueye

TL;DR
This paper proposes a metric that ranks software security weaknesses (CWEs) by an aggregate of the frequency, exploitability, and impact of their associated vulnerabilities, corrects the frequency bias of the previously published CWE equation, and provides updated top lists for 2019.
Contribution
It linearizes the frequency distribution with a double log function and revises the aggregate metric so that exploitability and impact are no longer drowned out by frequency when identifying the most significant software weaknesses.
Findings
The new metric reduces bias towards frequency in top lists.
Updated top lists for 2019 highlight different weaknesses than previous lists.
Because the component metrics have differently shaped distributions, an unadjusted aggregate lets frequency dominate; exploitability and impact only influence the ranking once the frequency term is linearized.
Abstract
In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well-known and used list of software security weaknesses. The CWE community publishes such an aggregate metric to calculate the 'Most Dangerous Software Errors'. However, we find that the published equation highly biases frequency and almost ignores exploitability and impact in generating top lists of varying sizes. This is due to the differences in the distributions of the component metric values. To mitigate this, we linearize the frequency distribution using a double log function. We then propose a variety of other improvements, provide top lists of the most significant CWEs for 2019, provide an analysis of the identified software security…
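As an added worked example (not code from the paper or from the CWE project), the following Python script shows the effect the abstract describes: a product of min-max-scaled frequency, exploitability and impact over a constructed, heavy-tailed set of counts yields a top list that simply follows frequency, while transforming the counts with a double log before scaling lets the severity components change the ranking. The weakness labels, the counts and sub-scores, the multiplicative aggregate, and the +1 offsets inside the double log are all assumptions made for illustration; the page does not reproduce either the CWE equation or the paper's revised one.

```python
import math

# Constructed sample: per-weakness vulnerability counts (heavy-tailed, as
# real per-CWE counts are) and mean exploitability / impact sub-scores on a
# 0-10 scale. Labels and values are made up for illustration only; they are
# not NVD data and not figures from the paper.
SAMPLE = {
    "W-A": {"freq": 5000, "exploitability": 3.0, "impact": 3.5},  # very common, middling severity
    "W-B": {"freq": 2000, "exploitability": 3.0, "impact": 4.0},
    "W-C": {"freq": 900,  "exploitability": 3.5, "impact": 5.5},
    "W-D": {"freq": 400,  "exploitability": 3.9, "impact": 5.9},  # uncommon, maximal severity
    "W-E": {"freq": 150,  "exploitability": 3.9, "impact": 5.9},
    "W-F": {"freq": 40,   "exploitability": 3.8, "impact": 5.9},
    "W-G": {"freq": 10,   "exploitability": 1.5, "impact": 1.5},  # rare and harmless
}


def min_max(values):
    """Scale a {name: value} map onto [0, 1]; a constant column maps to 0."""
    lo, hi = min(values.values()), max(values.values())
    span = hi - lo
    return {k: (v - lo) / span if span else 0.0 for k, v in values.items()}


def identity(f):
    """No transform: use the raw count, as an unadjusted aggregate would."""
    return float(f)


def double_log(f):
    """log(log(freq)); the +1 offsets are my choice so counts of 0 or 1 stay finite."""
    return math.log(1.0 + math.log(1.0 + f))


def aggregate(data, freq_transform=identity):
    """Product of the three min-max-scaled components.

    Illustrative aggregate only: it is not the exact equation published for
    the CWE Top 25 nor the one proposed in the paper. Because it multiplies,
    any weakness whose scaled frequency is near 0 scores near 0 regardless of
    how exploitable or impactful it is, which is the bias being demonstrated.
    """
    freq = min_max({k: freq_transform(v["freq"]) for k, v in data.items()})
    expl = min_max({k: v["exploitability"] for k, v in data.items()})
    imp = min_max({k: v["impact"] for k, v in data.items()})
    return {k: freq[k] * expl[k] * imp[k] for k in data}


def top_list(scores, n):
    """Names of the n highest-scoring weaknesses, ties broken by name."""
    return [k for k, _ in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]]


def frequency_order(data):
    """Weaknesses sorted by raw count, most frequent first."""
    return [k for k, _ in sorted(data.items(), key=lambda kv: -kv[1]["freq"])]


if __name__ == "__main__":
    raw = aggregate(SAMPLE)
    lin = aggregate(SAMPLE, double_log)
    print("raw counts :", top_list(raw, 3))   # tracks frequency order exactly
    print("double log :", top_list(lin, 3))   # severity components now matter
    for name in SAMPLE:
        print(f"{name}: raw={raw[name]:.3f}  double_log={lin[name]:.3f}")
```

With the raw counts, the full ranking is identical to sorting by frequency alone: the three maximal-severity weaknesses W-D, W-E and W-F land at the bottom because their scaled frequency is a few hundredths or less. After the double log, scaled frequencies are spread across the unit interval and W-D moves to the top. Replacing `SAMPLE` with real per-CWE counts and CVSS sub-score averages is enough to repeat the check on actual data.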
