Creating Your Own VignettesCurrently, there are approximately 20 Vignettes and Technical Scorecards, but anyone can create their own Vignette and its accompanying Technical Scorecard to identify which CWEs are most significant to their business and applications. This section will help guide you through that process. One of the items found in these sample Vignettes is the "Archetypes". A list of the currently defined Archetypes that are available for use in describing Vignettes is here. If there are new Archetypes you need just identify them and send them to cwe@mitre.org and we can add them to the list. These Archetypes are used as the context for describing the technical elements utilized by the application described in the Vignette. There are two tables for each Vignette, "Vignette Definition" and "Technical Impact Scorecard". Vignette DefinitionCreating a Vignette Definition basically comes down to filling in the Vignette Definition table. Below is an example Vignette Definition table with a specific Vignette for a Web-Based Retail Provider described. The Vignette Definition is meant to talk about what business issues are of concern for the application. Is the application dealing with PII? Credit card (PCI-relevant) data? How bad is each of the 8 Technical Impacts given what the application is doing for a business (in the business's operational context).
Technical Impact ScorecardThe Technical Impact Scorecard is the mechanism that allows for the creating the ranked list of the items under a vignette. Creating a Technical Impact Scorecard for a Vignette starts with the fact that each CWE can result in one or more types of failures or technical impacts. The vignette is a context for scoring the 8 Technical Impacts at the 4 levels (application, system, network, and enterprise) that are then mapped into the CWEs that result in the specific Technical Impacts. Assigning weights (0-10) to the 8 Technical Impacts by determining how "bad" these impacts are for a specific business case (which is captured by the vignette) is the first step, as denoted by the words "Once the technical impact scorecard is filled in for a particular vignette" that starts the "Calculating the CWE-specific Technical Impact Subscore" section. In the first table of this "Calculating the CWE-specific Technical Impact Subscore" section, the values in the "Technical Impacts and Importance Subscores" column come from the above vignette technical impact scoring effort and is being mapped to the Technical Impacts that the various CWEs have. Note that the list of Technical Impacts that each CWE has is a part of the CWE data in CWE itself. Look for the "Common Consequences" field of a CWE and the "Technical Impact" portion and for examples (refer to CWE-900: Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors for specific examples).
|
