CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWRAF > Common Weakness Risk Analysis Framework (CWRAF)  
ID

Future CWRAF Versions


Considerations for Future CWRAF Versions

In future versions of CWRAF, alternate methods of producing Impact subscores may be considered. For example, while buffer overflows can often be exploited for crashes or code execution, this is not always the case. As a result, it may be more informative to capture the "average" Impact.

In addition, a weakness may have a secondary impact that is more important to the business value context than any of its immediate impacts. For example, SQL injection allows modification of queries which then modify or read data, but in some cases it could be used to execute code (by modifying the SQL logic to invoke database functions or write files) or bypass authentication (if the associated SQL query logic can be modified to always return "true"). Currently, CWE does not distinguish between immediate and secondary impacts, and most of the associated CWE data concentrates on the primary impacts.

There is a risk to including secondary impacts. Many technical impacts are closely interrelated, having both transitive and commutative properties. For example, the ability to read a file could lead to gaining privileges if the file contains authentication credentials; on the reverse, gaining privileges will often give the attacker access to otherwise-restricted files. Or, the ability to execute code could allow an attacker to modify files; the ability to modify an executable file could allow an attacker to execute code. Because these kinds of relationships exist, extending the model to include secondary impacts would cause most weaknesses to have all possible technical impacts, which would remove the ability of the Impact subscore to distinguish between vulnerabilities. This is a hard problem for risk modeling within the information security industry, not just for CWSS and CWRAF.

Planned Future CWRAF Activities

The majority of the development and refinement of CWRAF will occur during 2011-2012. Current and past activities include:

  • Engaging communities of interest for creating new vignettes and refining the existing vignettes, including prioritization of technical impacts.
  • Using a generalized, adapted version of CWSS and vignette selection within the 2011 Top 25, and the associated pocket guide for mitigating the Top 25.
  • Define a data exchange representation for CWSS scores and vectors, e.g., XML/XSD.

Community Participation in CWRAF

Currently, members of the software assurance community can participate in the development of CWRAF in the following ways:

  • Provide feedback on this document.
  • Suggest and refine new vignettes, business domains, and BVCs. Review the definitions and associated weakness-oriented technical analyses for vignettes that have already been defined.
  • Define specific use cases for CWRAF.
Back to top
Page Last Updated: April 02, 2018
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.