Common Weakness Enumeration (CWE)

CWRAF Vignette Details - Domain soc-media

The MITRE Corporation
Copyright © 2013
http://cwe.mitre.org/cwraf/

CWRAF version: 0.8.3

Date: April 3, 2013

Project Coordinator:

Bob Martin (MITRE)

Document Editor:

Steve Christey (MITRE)

CWRAF Vignettes - soc-media

Within the Common Weakness Risk Analysis Framework (CWRAF), a vignette provides a shareable, formalized way to define a particular environment, the role that software plays within that environment, and an organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives the interpretation of the severity of discovered weaknesses.

Vignettes allow CWSS to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.

This page currently contains details for 2 vignettes within the "soc-media" domain. These are illustrative only; the CWRAF community will help to refine these and develop others. Feedback is welcome.

Vignette Summary

Name | Description
Social Networking | Web site for enabling a large community of people to post comments, create profiles, exchange messages or pictures, and join affiliation groups, e.g. Facebook, MySpace, Twitter, or LinkedIn. Free-form content, high connectivity between users, private messaging. Heavy Web 2.0 usage.
Electronic Dating | Web site for electronic dating. Users can create profiles with pictures, exchange private email, participate in discussion forums, perform searches. Heavy Web 2.0.
Vignette Details

Vignette Definition: Social Networking

Name: Social Networking
ID: soc-net
Maturity: example
Domain: soc-media
Description: Web site for enabling a large community of people to post comments, create profiles, exchange messages or pictures, and join affiliation groups, e.g. Facebook, MySpace, Twitter, or LinkedIn. Free-form content, high connectivity between users, private messaging. Heavy Web 2.0 usage.
Archetypes: Service-oriented architecture, Web browser, Web server
Business Value Context (BVC): Availability is the most important concern. Users want to restrict access to pictures and private messages, but many are willing to give up some privacy (e.g. usage habits) for some benefits, or do not care about it. Integrity is desired to keep malware from spreading between users and to limit hijacking of user accounts, but accuracy of the shared data is less important (e.g., modification of profile contact information or spoofing of status updates).
Notes: (none recorded)
References: No references recorded.

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 7 | Falsify or delete user profiles, affiliations, contact information, private or public messages. Deface web site or redirect users to malware.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 4 | Steal data related to basic PII (phone, email, address, location), affiliations with other people, reading private communications.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 9 | Customers cannot use site; financial loss due to downtime.
DoS: unreliable execution | Network | 9 | Customers cannot reach site; financial loss due to downtime. If DNS is compromised, customers may be redirected to malicious sites.
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | 7 | Customers experience delays in reaching site; performance is very slow; possible reduction in number of simultaneous users of the site.
DoS: resource consumption | Application | 7 | Customers experience delays in reaching site; performance is very slow; possible reduction in number of simultaneous users of the site.
DoS: resource consumption | Network | 7 | Customers experience delays in reaching site; performance is very slow; possible reduction in number of simultaneous users of the site.
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | 10 | Modification or theft of all sensitive data; ability to shut down service or use system to attack other systems.
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 8 | Pose as other users; delete profiles or change privacy settings; administer the application.
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 8 | Avoid detection of attacks; possibly steal or modify sensitive data; pose as other users.
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Application | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | 3 | Cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Enterprise | 3 | Cannot obtain sufficient evidence for criminal prosecution.

Vignette Definition: Electronic Dating

Name: Electronic Dating
ID: elec-date
Maturity: example
Domain: soc-media
Description: Web site for electronic dating. Users can create profiles with pictures, exchange private email, participate in discussion forums, perform searches. Heavy Web 2.0.
Archetypes: Service-oriented architecture, Web browser, Web server
Business Value Context (BVC): Confidentiality is probably the most important concern. Keeping identity information private is very important for personal safety. Mail messages or chat logs between participants are expected to be private. Credit card information may be stored for subscription-based services.

Availability is important for users to access the site, since it is the only means of contact between users in the initial stages, until other communication channels are used.

Integrity can have some impact on users - modification of profile information could hamper the search for compatible contacts (e.g. through gender or age preferences), delete messages/chat logs between participants, or enable harassment (e.g. by modifying pictures or descriptions of desired partners).

Notes: (none recorded)
References: No references recorded.

Technical Impact Scorecard

Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | |
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | |
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | |
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | |
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | |
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | |
Hide activities | Network | |
Hide activities | Enterprise | |

Page Last Updated: January 18, 2017