A Suite of Metrics for Calculating the Most Significant Security Relevant Software Flaw Types

06/15/2020
by Peter Mell, et al.

The Common Weakness Enumeration (CWE) is a prominent list of software weakness types. Vulnerability databases use this list to describe the underlying security flaws in the vulnerabilities they analyze. This linkage makes it possible to use the analysis of software vulnerabilities to identify the most significant weaknesses that enable those vulnerabilities. We do this by creating mashup views that combine CWE weakness taxonomies with vulnerability analysis data. The resulting graphs have CWEs as nodes, edges derived from multiple CWE taxonomies, and nodes adorned with vulnerability analysis information (propagated from children to parents). Using these graphs, we develop a suite of metrics to identify the most significant weakness types from the perspectives of frequency, impact, exploitability, and overall severity.
