Common Weakness Enumeration

Scoring CWEs

Common Weakness Risk Analysis Framework (CWRAF™)

CWRAF provides a framework for scoring software weaknesses in a consistent, flexible, open manner, while accommodating context for the various business domains. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry. CWRAF is a part of the Common Weakness Enumeration (CWE™) project, co-sponsored by the Software Assurance program in the office of Cybersecurity and Communications of the U.S. Department of Homeland Security (DHS).

CWRAF benefits:

• Includes a mechanism for measuring risk of security errors ("weaknesses") in a way that is closely linked with the risk to an organization's business or mission.
• Supports the automatic selection and prioritization of relevant weaknesses, customized to the specific needs of the organization's business or mission.
• Can be used by organizations in conjunction with the Common Weakness Scoring System (CWSS™) to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.

CWRAF and CWSS allow users to rank classes of weaknesses independent of any particular software package, in order to prioritize them relative to each other (e.g., "buffer overflows are higher priority than memory leaks"). This approach, sometimes referred to as a "Top-N list," is used by the CWE Top 25, OWASP Top Ten, and similar efforts. CWRAF and CWSS allow users to create their own custom Top-N lists.

CWRAF Version 0.8.3

• Introduction
  • How to Use CWRAF
  • Relationships between CWRAF, CWSS, and CWE
• CWSS Scoring in CWRAF
  • Scoring Weakness Findings Using Vignettes
  • Automatically Building Custom Top-N Lists
• Creating Your Own Vignettes
• Future CWRAF Versions and Activities
• Considerations for Future Versions
• Planned Future Activities
• Community Participation in CWRAF
• Change Log