Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWRAF > Common Weakness Risk Analysis Framework (CWRAF)  

Introduction to CWRAF™

CWRAF Version: 0.8.3 Revision Date: April 3, 2013
Document Version: 0.8.3  
Project Coordinator: Robert A. Martin, MITRE  
Document Editor: Steven M. Christey, MITRE  
Copyright © 2013, The MITRE Corporation

CWRAF provides a means for software developers and consumers to prioritize software weaknesses that are relevant for their business, mission, and deployed technologies. In certain circumstances, a software weakness can lead to an exploitable vulnerability. By providing a repeatable way to customize the Common Weakness Scoring System (CWSS™), CWRAF enables people to reason and communicate about the relative importance of different weaknesses. Users can automatically generate a more targeted specification of "Top-N" lists of weaknesses that are the most critical for the software that is used in the relevant business domains, missions, and technology groups. In conjunction with other activities, CWRAF ultimately helps developers and consumers to introduce more secure software into their operational environments.

CWRAF provides a framework for scoring weaknesses in a consistent, flexible, open manner, that reflects the application's business context and what the application is doing for the business. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry.


  • Includes a mechanism for measuring risk of weaknesses in a way that is closely linked with the risk to the business or mission.
  • Supports the automatic selection and prioritization of relevant weaknesses, customized to the specific needs of the business or mission.
  • In conjunction with the CWSS, can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.

How to Use CWRAF

CWRAF and CWSS allow users to rank classes of weaknesses independent of any particular software package, in order to prioritize them relative to each other (e.g., "buffer overflows are higher priority than memory leaks"). This approach, sometimes referred to as a "Top-N list," is used by the CWE/SANS Top 25, OWASP Top Ten, and similar efforts to provide measuring baselines for wide groups of industry to leverage in their own improvement activities.

CWRAF and CWSS let users create top-n lists for their particular software and business domains, missions, and technology groups. In conjunction with other activities, CWSS and CWRAF help developers and consumers introduce more robust and resilient software into their operational environments.

Details about the current stakeholders and their perspectives and motivations are here.

CWRAF is designed to support stakeholder needs throughout the software lifecycle. However, the applicability of CWRAF extends beyond the design and development of software. CWRAF can be used to support Supply Chain Risk Management (SCRM) by giving software acquirers a means to define the software weaknesses that they deem most critical. CWRAF can also support the prioritization of training and education based on the unique needs of a business sector or organization.

To be most effective, CWRAF supports multiple usage scenarios by different stakeholders who all have an interest in a consistent scoring system for prioritizing software weaknesses that could introduce risks to products, systems, networks and services. Some of the primary stakeholders considered in developing CWRAF are listed here.

The high-level concepts in the Common Weakness Risk Analysis Framework are highlighted below. Complete technical details are provided below.

CWRAF Summary

(Click here for a larger picture.)

A "business domain" is a major function or service that includes the operations and interactions of a broad range of networked capabilities or organizations, such as Banking and Finance, Public Health, and e-Commerce.

Within a business domain, a "vignette" provides a shareable, semi-formal description of a scenario that identifies a set of connected technology groups that collectively perform a function within a business domain. For example, a vignette in the e-Commerce domain may identify a retail-based web store that uses web applications and a database for customers to purchase various products and services.

The underlying concept that CWRAF and CWSS leverage is that in spite of there being over 600 weaknesses in CWE, all of them lead to one or more of only eight (8) technical impacts when they manifest in the operational system. In other words, if a particular CWE in a piece of software is exploited when that software is in use supporting a particular business it will result in the attacker being able to: modify data, read data, create a denial-of-service that results in unreliable execution, create a denial-of-service that results in resource consumption, execute unauthorized code or commands, gain privileges / assume identity, bypass protection mechanism, and/or hide activities.

The details about modeling the Business Domains, Technology Groups, Archetypes, and Vignettes are described here.

By exploring how important these various technical impacts are to the business that the application is supporting we can flow these “importance” ratings to the CWEs that can result in those technical impacts.

As described above, the scoring of weaknesses in CWRAF and CWSS is directly influenced by the business domain in which the application runs and what it is doing to support that business, as well as the importance of the applications support to the business.

The way CWSS scoring captures this business importance is by using the context of a vignette, which defines:

  • A description of a system (or system-of-systems) that implement a business function using "technical archetypes" from various Technology Groups, such as web applications, industrial control systems, etc.
  • A Business Value Context (BVC), which identifies the primary security concerns for deployed software that is covered by the vignette. The BVC describes potential harm that could occur to the business or mission if any weaknesses can be successfully exploited by an attacker, such as compliance failure, loss of reputation, or ecological disaster.
  • A Technical Impact Scorecard, which lists the potential low-level effects of weakness exploitation (e.g., code execution or system crash) and ranks or prioritizes these impacts based on how they affect the performance of the business function being identified by the vignette.

Using the Business Value Context and the Technical Impact Scorecard, CWRAF provides vignette-specific input to CWSS, which can then be used to prioritize which weaknesses are of greatest concern and ideally must be addressed first.

Relationships between CWRAF, CWSS, and CWE

The following image summarizes the relationships between CWRAF, CWSS, and CWE:

CWRAF Relationships

(Click here for a larger picture.)

Proceed to the next section "CWSS Scoring in CWRAF"

More information is available — Please select a different filter.
Page Last Updated: January 18, 2017