Common Weakness Enumeration

CWRAF Vignette Details - Domain banking-finance

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator: Bob Martin (MITRE)

Document Editor: Steve Christey (MITRE)

CWRAF Vignettes - banking-finance

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 2 vignettes within the "banking-finance" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

Vignette Summary

Name | Description
Financial Trading | Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Online Banking | The web-based interaction between a bank, credit union, or other financial institution and its consumers for managing accounts, paying bills, and conducting financial transactions.
Vignette Details

Vignette Definition: Financial Trading

Name: Financial Trading
ID: fin-trade
Maturity: under-development
Domain: banking-finance
Description: Internet-facing, E-commerce provider of retail goods or services. Data-centric - Database containing PII, credit card numbers, and inventory.
Archetypes: N-tier distributed, J2EE and supporting frameworks, Transactional engine
Business Value Context (BVC): High on integrity - transactions should not be modified. Availability also very high - if the system goes down, financial trading can stop and critical transactions are not processed.
Notes: (none)
References: No references recorded.

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | - | -
Modify data | Application | 8 | Delete or modify transactions; inject fraudulent transactions; remove transaction history.
Modify data | Network | - | -
Modify data | Enterprise | - | -
Read data | System | - | -
Read data | Application | 7 | Enable insider trading; breach confidentiality of transactions between multiple parties.
Read data | Network | - | -
Read data | Enterprise | - | -
DoS: resource consumption | System | - | -
DoS: resource consumption | Application | 4 | Lost or multiply-filed transactions due to high volume or traffic; possible DoS impact on downstream systems. Inability to process new transactions, or they take longer to perform than usual. Significant reduction in number of transactions that can be processed.
DoS: resource consumption | Network | - | -
DoS: resource consumption | Enterprise | - | -
DoS: unreliable execution | System | - | -
DoS: unreliable execution | Application | 5 | Inability to process new transactions, or they take longer to perform than usual. Significant reduction in number of transactions that can be processed. Difficulty tracking whether transactions have succeeded or not; disruption of time-sensitive operations where small delays may have significant financial consequences.
DoS: unreliable execution | Network | - | -
DoS: unreliable execution | Enterprise | - | -
Execute unauthorized code or commands | Application | 10 | Steal financial data, make unauthorized transactions.
Execute unauthorized code or commands | System | 10 | Disable essential services.
Execute unauthorized code or commands | Network | 8 | Make fraudulent transactions that appear to come from the victim user. Financial and reputation loss for the victim.
Gain privileges / assume identity | Network | 7 | Avoid detection of attacks; possibly steal data; pose as others.
Bypass protection mechanism | Application | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Application | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | - | -
Hide activities | Enterprise | - | -

Vignette Definition: Online Banking

Name: Online Banking
ID: e-banking
Maturity: stub
Domain: banking-finance
Description: The web-based interaction between a bank, credit union, or other financial institution and its consumers for managing accounts, paying bills, and conducting financial transactions.
Archetypes: Web browser, Web server, Database, Transactional engine
Business Value Context (BVC): High on integrity - transactions should not be modified. Availability is moderate - other avenues of communication exist, e.g. a physical visit. Confidentiality is high, due to customer privacy concerns and the risk of financial loss from identity theft.
Notes: (none)
References: No references recorded.

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | - | -
Modify data | Application | - | -
Modify data | Network | - | -
Modify data | Enterprise | - | -
Read data | System | - | -
Read data | Application | - | -
Read data | Network | - | -
Read data | Enterprise | - | -
DoS: unreliable execution | System | - | -
DoS: unreliable execution | Application | - | -
DoS: unreliable execution | Network | - | -
DoS: unreliable execution | Enterprise | - | -
DoS: resource consumption | System | - | -
DoS: resource consumption | Application | - | -
DoS: resource consumption | Network | - | -
DoS: resource consumption | Enterprise | - | -
Execute unauthorized code or commands | System | - | -
Execute unauthorized code or commands | Application | - | -
Execute unauthorized code or commands | Network | - | -
Execute unauthorized code or commands | Enterprise | - | -
Gain privileges / assume identity | System | - | -
Gain privileges / assume identity | Application | - | -
Gain privileges / assume identity | Network | - | -
Gain privileges / assume identity | Enterprise | - | -
Bypass protection mechanism | System | - | -
Bypass protection mechanism | Application | - | -
Bypass protection mechanism | Network | - | -
Bypass protection mechanism | Enterprise | - | -
Hide activities | System | - | -
Hide activities | Application | - | -
Hide activities | Network | - | -
Hide activities | Enterprise | - | -

Page Last Updated: January 18, 2017