Published: December 7, 2020
Author(s)
Carlos Cardoso Galhardo (NIST), Peter Mell (NIST), Irena Bojanova (NIST), Assane Gueye (Prometheus Computing)
Conference
Name: Annual Computer Security Applications Conference (ACSAC) 2020
Dates: 12/07/2020 - 12/11/2020
Location: [Virtual] Austin, TX
Citation: ACSAC '20: Annual Computer Security Applications Conference, pp. 154-164
In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well known and used list of software security weaknesses. The CWE community publishes such an aggregate metric to calculate the `Most Dangerous Software Errors'. However, we find that the published equation highly biases frequency and almost ignores exploitability and impact in generating top lists of varying sizes. This is due to the differences in the distributions of the component metric values. To mitigate this, we linearize the frequency distribution using a double log function. We then propose a variety of other improvements, provide top lists of the most significant CWEs for 2019, and provide an analysis of the identified software security weaknesses.
In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well known and used list of software security...
See full abstract
In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well known and used list of software security weaknesses. The CWE community publishes such an aggregate metric to calculate the `Most Dangerous Software Errors'. However, we find that the published equation highly biases frequency and almost ignores exploitability and impact in generating top lists of varying sizes. This is due to the differences in the distributions of the component metric values. To mitigate this, we linearize the frequency distribution using a double log function. We then propose a variety of other improvements, provide top lists of the most significant CWEs for 2019, and provide an analysis of the identified software security weaknesses.
Hide full abstract
Keywords
security; weakness; software flaw; severity
Control Families
None selected