The Common Weakness Scoring System will give organizations a way to determine the security and safety of software to create better applications.
The United States Department of Homeland Security unveiled a
detailed guide to help software developers and vendors avoid common security
errors in their applications.
Homeland Security's Cyber-Security Division worked with the
security training and research organization SANS Institute and the non-profit technology
research company Mitre to create a list of common software vulnerabilities
along with a scoring system to prioritize flaws, a risk analysis framework to
evaluate the seriousness of the flaws and a list of top 25 dangerous software
errors. The guide was released June 27 and is intended to help organizations
hold their developers and vendors accountable for problems in the application.
The CWE (Common Weakness Enumeration
) list contains
high-level overviews and examples of widespread software vulnerabilities as
well as consequences, likely attack vectors and potential ways to mitigate
attacks. Unlike other lists of common vulnerabilities, CWE 2.0 provides
detailed explanations of the exact programming errors to avoid.
"This will allow agencies and organizations to take a
tactical approach to addressing vulnerabilities," Will Pelgrin, director
of the Multi-State Information Sharing and Analysis Center, a collaborative
cybersecurity effort that includes state and local governments, said on a
The CWSS (Common Weakness Scoring System)
version 0.8 will
assign a standard score to the software, giving organizations a clear
understanding of its security. From a vendor standpoint, the company will be
motivated to address the common issues to bring up the score, or customers
won't be willing to buy the software.
From a customer standpoint, they can look at the scores and
prioritize which software vulnerabilities need to be addressed. The scoring
system considers potential technical and business impacts of the weakness when
it is exploited, the operational layer the attacker may access, the effectiveness
of available defenses, the privilege level needed to access the vulnerability, and
the likelihood an exploit.
Basic vulnerabilities such as SQL injection and cross-site
scripting still account for a majority of security flaws in Web applications,
Rafal Los, a security evangelist at HP, recently told eWEEK. Organizations are
finally realizing how important it is to regularly check their code for
programming errors, and investing in technology to help them find those flaws,
The CWRAF (Common Weakness Risk Analysis Framework
provide a way for organizations to evaluate risk as they pertain to the
industry. The framework will include "vignettes" for specific
industries highlighting which programming errors have the potential to affect
them the most. For example, a security flaw in an application may be a bigger
threat to the banking industry because of specific technology being used than
in manufacturing, which might not use it.
"I see this as a management tool to focus the team on
things that are the greatest threat and that have the greatest consequences,"
The DHS effort focused on applications and software in this
voluntary guide, which is timely considering the string of high-profile Web
attacks in recent months. Many of the attacks used basic vulnerabilities, such
as SQL injection
, to compromise the site. These attacks have highlighted how
costly software flaws can be, with attackers relying on common bugs to steal
credit card information and login credentials from various government and
The SANS Institute also released its annual list of the top
25 Web vulnerabilities
. The most significant flaws were the ones that could be
exploited by SQL injection attacks, according to the list. In a SQL injection,
attackers insert database commands into a form on the Web page and trick it to
executing them. Other top vulnerabilities include operating system
command injection, classic buffer overflow, and cross-site scripting.
SANS Institute and Mitre collaborated with software security
experts in the United States and Europe to create the list.