CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


CWSS Scoring in CWRAF

Common Weakness Scoring System (CWSS) provides a mechanism for scoring weaknesses in a consistent, flexible, open manner, which accommodates the expression of the context for the various business domains or vignettes. It is independent of CWRAF. However, CWRAF takes advantage of CWSS' flexibility in order to define vignette-specific ways of customizing CWSS scores through Technical Impact Scorecards.

Scoring Weakness Findings Using Vignettes

One important use case for CWSS is to support the automatic scoring of findings that are generated from an automated code scanner or other tool. CWSS is independent of CWRAF; its Impact factor defines discrete values such as "High" and "Low."

However, vignettes can be used to customize CWSS scores that are generated for tool findings. The Impact factor can be quantified using methods that have been previously described.

[Figure: CWSS Findings]

Automatically Building Custom Top-N Lists

Using CWRAF, an organization can pre-select which CWE entries are of greatest interest, that is, they can create their own custom Top-N list. For example, a vignette that is centered around a product search capability for an e-Commerce web site might be composed of a database, web client and server, and a mobile application.

A set of relevant CWE entries could be selected as follows:

[Figure: CWRAF Select CWE]

The process of creating a custom Top-N list involves several steps.

Manual steps:

  • 1) Select or manually define an appropriate vignette, including its Technical Impact Scorecard.
  • 2) Select the set of relevant CWE entries (see image above). This could be partially automated, or use a selection from elsewhere (e.g., the Top 25).
  • 3) Identify which CWSS factors should be treated as Not Applicable (e.g., Remediation Cost).

Automatic steps:

  • 4) For each relevant CWE entry, extract its potential Technical Impacts.
  • 5) Use the vignette's Technical Impact Scorecard to evaluate each Technical Impact that is part of the relevant CWE entry. Select the maximum available subscore, regardless of the affected layer.
  • 6) Calculate the CWSS Impact factor using the maximum available subscore (i.e., use Quantified weighting instead of the pre-defined values for the Impact).
  • 7) Perform the full CWSS calculation to obtain a general score for the CWE entry (using the "Not Applicable" factors from step 3).
  • 8) Rank all relevant CWE entries according to their CWSS scores.

The previous approach can be simplified as:

[Figure: CWRAF Top N List]
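The automatic steps 4 to 8 can be sketched in Python as follows. This is an added example, not code from CWRAF or CWSS. The scorecard values, the 0-10 subscore scale, the CWE-to-impact mapping and the `stand_in_cwss` function, which stands in for the full CWSS calculation of step 7 (not given on this page), are all assumptions.

```python
# Added example. All data below is constructed for illustration.
# Steps 1-2 (manual): a vignette's Technical Impact Scorecard, keyed by
# (technical impact, layer). The 0-10 subscore scale is an assumption.
SUBSCORE_MAX = 10
SCORECARD = {
    ("Read data", "Application"): 9,
    ("Read data", "System"): 6,
    ("Modify data", "Application"): 10,
    ("Execute unauthorized code or commands", "Application"): 8,
    ("Execute unauthorized code or commands", "System"): 7,
    ("Bypass protection mechanism", "Application"): 5,
    ("DoS: resource consumption", "Network"): 3,
}
# Step 4 input: Technical Impacts per selected CWE entry (abbreviated, constructed).
CWE_IMPACTS = {
    "CWE-89": ["Read data", "Modify data", "Bypass protection mechanism"],
    "CWE-79": ["Read data", "Execute unauthorized code or commands"],
    "CWE-400": ["DoS: resource consumption"],
    "CWE-117": ["Hide activities"],  # impact the scorecard does not rate
}

def max_subscore(impacts, scorecard):
    """Step 5: highest subscore over all of the entry's impacts, any layer."""
    hits = [s for (impact, _layer), s in scorecard.items() if impact in impacts]
    return max(hits, default=0)  # unrated impacts contribute nothing

def impact_factor(impacts, scorecard):
    """Step 6: Quantified Impact weight, normalised to 0.0-1.0 (assumed range)."""
    return max_subscore(impacts, scorecard) / SUBSCORE_MAX

def stand_in_cwss(impact):
    """Step 7 placeholder, NOT the CWSS formula: scales Impact to 0-100."""
    return round(100 * impact, 1)

def top_n(cwe_impacts, scorecard, n, score=stand_in_cwss):
    """Steps 4-8: score every entry, rank by score (ties broken by CWE id)."""
    scored = [(cwe, score(impact_factor(imps, scorecard)))
              for cwe, imps in cwe_impacts.items()]
    scored.sort(key=lambda pair: (-pair[1], pair[0]))
    return scored[:n]

if __name__ == "__main__":
    for cwe, s in top_n(CWE_IMPACTS, SCORECARD, 3):
        print(f"{cwe}: {s}")
```

To rank with real CWSS scores, pass a function implementing the full CWSS calculation, with the step 3 "Not Applicable" factors fixed, as the `score` argument.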

Page Last Updated: January 18, 2017