A Suite of Metrics for Calculating the Most Significant Security Relevant Software Flaw Types

by Peter Mell, et al.

The Common Weakness Enumeration (CWE) is a prominent list of software weakness types. This list is used by vulnerability databases to describe the underlying security flaws within analyzed vulnerabilities. This linkage opens the possibility of using the analysis of software vulnerabilities to identify the most significant weaknesses that enable those vulnerabilities. We accomplish this through creating mashup views combining CWE weakness taxonomies with vulnerability analysis data. The resulting graphs have CWEs as nodes, edges derived from multiple CWE taxonomies, and nodes adorned with vulnerability analysis information (propagated from children to parents). Using these graphs, we develop a suite of metrics to identify the most significant weakness types (using the perspectives of frequency, impact, exploitability, and overall severity).
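The abstract describes a graph of CWE nodes whose vulnerability data is propagated from children to parents and then scored from several perspectives. The following is an added Python example, not code from the paper or its authors, that builds such a mashup on a small scale. It assumes a hand-picked fragment of the CWE research view (the ids are real CWE entries, the edge subset is illustrative), constructed vulnerability records in place of real CVE analysis data, and an illustrative composite score; the paper's own metric definitions are not on this page, so the formulas here are assumptions.

```python
from statistics import mean

# Constructed fragment of the CWE research view (child -> parents).
# The ids are real CWE entries; the edge subset is hand-picked for illustration.
PARENTS = {
    "CWE-79": ["CWE-74"],      # cross-site scripting
    "CWE-89": ["CWE-943"],     # SQL injection
    "CWE-943": ["CWE-74"],     # neutralization in data query logic
    "CWE-74": ["CWE-707"],     # injection
    "CWE-707": [],             # improper neutralization (root of this fragment)
    "CWE-787": ["CWE-119"],    # out-of-bounds write
    "CWE-119": [],             # buffer errors (root of this fragment)
}

# Constructed vulnerability analysis records (not real CVEs). Each carries the
# CWE(s) an analyst assigned plus CVSS-style impact and exploitability sub-scores.
# VULN-3 is deliberately mapped to two CWEs to exercise the de-duplication below.
VULNS = [
    {"id": "VULN-1", "cwes": ["CWE-79"], "impact": 2.7, "exploitability": 2.8},
    {"id": "VULN-2", "cwes": ["CWE-89"], "impact": 5.9, "exploitability": 3.9},
    {"id": "VULN-3", "cwes": ["CWE-79", "CWE-89"], "impact": 3.6, "exploitability": 2.8},
    {"id": "VULN-4", "cwes": ["CWE-787"], "impact": 5.9, "exploitability": 1.8},
]


def children_index(parents):
    """Invert the child -> parents map into parent -> children."""
    kids = {n: [] for n in parents}
    for child, ps in parents.items():
        for p in ps:
            kids[p].append(child)
    return kids


def propagate(parents, vulns):
    """Return {cwe: set of vuln ids}: each node's set is the union of its own direct
    assignments and everything below it. Sets (not counts) are merged, so a
    vulnerability that is mapped to several descendant CWEs, or that is reachable
    through several paths, is counted once per ancestor."""
    direct = {n: set() for n in parents}
    for v in vulns:
        for c in v["cwes"]:
            direct[c].add(v["id"])
    kids = children_index(parents)
    memo = {}

    def collect(node):
        if node not in memo:
            s = set(direct[node])
            for k in kids[node]:
                s |= collect(k)
            memo[node] = s
        return memo[node]

    for n in parents:
        collect(n)
    return memo


def metrics(parents, vulns):
    """Per-CWE frequency, mean impact, mean exploitability and a composite severity."""
    by_id = {v["id"]: v for v in vulns}
    out = {}
    for cwe, ids in propagate(parents, vulns).items():
        if not ids:
            continue
        recs = [by_id[i] for i in ids]
        imp = mean([r["impact"] for r in recs])
        expl = mean([r["exploitability"] for r in recs])
        out[cwe] = {
            "frequency": len(ids),
            "impact": round(imp, 2),
            "exploitability": round(expl, 2),
            # Illustrative composite (assumption, not the paper's formula): how often
            # the weakness occurs, weighted by how damaging and reachable its instances are.
            "severity": round(len(ids) * imp * expl, 2),
        }
    return out


def top(parents, vulns, key, n=3):
    """Rank CWEs by one perspective; ties are broken by id for a stable order."""
    m = metrics(parents, vulns)
    return sorted(m, key=lambda c: (-m[c][key], c))[:n]


if __name__ == "__main__":
    for key in ("frequency", "impact", "exploitability", "severity"):
        print(key, top(PARENTS, VULNS, key))
```

With this data CWE-74 (injection) ends up with a frequency of 3, not 4, because VULN-3 reaches it through both CWE-79 and CWE-943 and is counted once; the ranking changes depending on which perspective is chosen, which is the point of keeping the perspectives separate.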


