Modeling the Environment: Business Domains, Technology Groups, Archetypes, and Vignettes
Each business or enterprise has different priorities, threat environments, and risk tolerance. This makes the development and application of a standardized scoring mechanism difficult, because the assumptions of the mechanism may not match those of the enterprise that is applying the scoring.
CWRAF attempts to minimize this difficulty by allowing users to model environment-specific considerations within the framework. These considerations are then reflected in the formulas that produce customized CWSS scores, which can then be used to identify which weaknesses are most important.
The environment-specific modeling dimension of CWRAF consists of the following major concepts:
Technology Groups and Business Domains
The following table highlights the kinds of technology groups and business domains that are being investigated using CWRAF. Note that a vignette can cross multiple domains (e.g., the use of end-point computing devices in Shipping & Transportation, Public Health, Homeland Security, etc.). A vignette can also use multiple technology groups within a single domain; in Energy, for example, the Smart Grid spans many different groups.
An up-to-date version of this matrix highlights which vignettes have been defined and are under active development.
Note: CWRAF users are not restricted to using such large-scale domains and technology groups. CWRAF can be customized with user-defined domains, technology groups, and vignettes.
Within CWRAF, a business domain typically covers a major industry or sector that includes the operations, processes, and interfaces for a broad range of connected organizations, capabilities, or services that are enabled or controlled by software and require some degree of resilience and security in transactions and operations. Information and communication technologies (ICT) cut across all domains.
Following is an example list of business domains. This list is being actively reviewed and modified. The full, up-to-date list of domains is provided in more detail on a separate page.
Technology Groups and Archetypes
Within CWRAF, a "technical archetype" is a class of technical capability, system (or system-of-systems), or architecture that is commonly used to support the mission of an organization. Examples include a web application; a web server connected to a database; a service-oriented architecture; a real-time embedded device; an end-point computing device (such as a smartphone); and a process control system (such as SCADA). A technical archetype may be used within different business domains. For example, SCADA systems are used in Energy, Chemical, and other domains, and many industries manage their information using database-connected web servers.
Because technical archetypes can be used in multiple business domains, an archetype may carry a characteristic class of weaknesses regardless of the domain it is deployed in. For example, a web-based archetype may always have cross-site scripting (XSS) as a concern. However, the importance of an archetype, and of the weaknesses it carries, varies with the business context. For example, a database archetype that holds a retail customer's financial information and order history has different security concerns than a database that holds sports statistics intended to be read by anyone.
Note that the definitions and usage of archetypes are still under review, and this concept may change in future versions of this paper. They do not play an explicit role in CWRAF 0.8, although this may change in future versions.
Following is an example list of archetypes categorized by their technology group. This list is being actively reviewed and modified. The full, up-to-date list is provided in more detail on a separate page.
A vignette provides a shareable, formalized way to define a particular environment within a business domain. It includes the role that technical archetypes play within that environment and the organization's priorities with respect to software security. It identifies essential resources and capabilities, as well as their importance relative to security principles such as confidentiality, integrity, and availability. For example, in an e-commerce context, 99.999% uptime may be a strong business requirement that drives how severely discovered weaknesses are interpreted.
Vignettes allow CWRAF to support diverse audiences who may have different requirements for how to prioritize weaknesses. CWSS scoring occurs within the context of a vignette.
Business Value Context (BVC)
An important part of a vignette is the Business Value Context (BVC). The BVC contains two main parts:
Technical Impact Scorecard
A Technical Impact Scorecard connects the business concerns in the BVC with the possible technical impacts that could happen if an attacker can successfully exploit the weakness, such as code execution, reading of sensitive application data, or a software crash. For each potential technical impact, the scorecard assigns a subscore and provides a rationale for the assignment of the subscore. When a CWSS score is calculated for a weakness, the data from the Technical Impact Scorecard is used to influence the score to reflect the requirements as described in the BVC.
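As an added illustration (this is not code from CWRAF or CWSS), the following Python shows how a per-vignette Technical Impact Scorecard changes which weaknesses rank highest. The two vignettes, their scorecard subscores and rationales, and the simplified CWE-to-impact mappings are constructed for this example. The combination rule used, taking the highest scorecard subscore among a weakness's possible technical impacts and scaling it to 0..1, is an assumption for illustration; the actual CWSS formula is not described on this page.

```python
"""Ranking weaknesses with a per-vignette Technical Impact Scorecard.

Constructed illustration, not code from CWRAF or CWSS. The vignettes,
scorecard values, rationales and CWE-to-impact mappings are made up
(the impacts are simplified from the CWE entries). The combination rule
(highest subscore among the weakness's impacts, scaled to 0..1) is an
assumption for illustration, not the CWSS formula.
"""
from dataclasses import dataclass


@dataclass
class Vignette:
    name: str
    domain: str
    archetype: str
    # Technical Impact Scorecard: impact -> (subscore 0..10, rationale)
    scorecard: dict


@dataclass(frozen=True)
class Weakness:
    cwe_id: str
    name: str
    technical_impacts: frozenset


# Constructed scorecard: retail e-commerce web application whose database
# holds customer financial data and order history; 99.999% uptime required.
ECOMMERCE = Vignette(
    name="Retail e-commerce storefront",
    domain="e-Commerce",
    archetype="Web application with database back end",
    scorecard={
        "Execute unauthorized code or commands": (10, "Full compromise of the storefront"),
        "Read application data": (9, "Customer financial and order data is confidential"),
        "Modify application data": (9, "Tampering with orders or prices is a direct loss"),
        "Gain privileges / assume identity": (9, "Account takeover exposes stored payment data"),
        "Bypass protection mechanism": (8, "Authentication and authorization guard the above"),
        "DoS: crash, exit, or restart": (8, "99.999% uptime is a business requirement"),
        "DoS: resource consumption": (8, "Same availability requirement"),
    },
)

# Constructed scorecard: public sports-statistics site; the data is meant
# to be read by anyone, so confidentiality matters little.
PUBLIC_STATS = Vignette(
    name="Public sports statistics site",
    domain="Media (constructed domain name)",
    archetype="Web application with database back end",
    scorecard={
        "Execute unauthorized code or commands": (10, "Still a full server compromise"),
        "Read application data": (1, "Statistics are intended to be public"),
        "Modify application data": (7, "Published results must be correct"),
        "Gain privileges / assume identity": (6, "Editor accounts can change published data"),
        "Bypass protection mechanism": (4, "Little is protected beyond editor login"),
        "DoS: crash, exit, or restart": (3, "Outages are tolerable; no uptime SLA"),
        "DoS: resource consumption": (3, "Same"),
    },
)

# Simplified from each CWE entry's listed consequences; constructed for this example.
WEAKNESSES = [
    Weakness("CWE-79", "Cross-site scripting", frozenset({
        "Execute unauthorized code or commands", "Read application data",
        "Bypass protection mechanism"})),
    Weakness("CWE-89", "SQL injection", frozenset({
        "Read application data", "Modify application data",
        "Bypass protection mechanism"})),
    Weakness("CWE-200", "Exposure of sensitive information", frozenset({
        "Read application data"})),
    Weakness("CWE-400", "Uncontrolled resource consumption", frozenset({
        "DoS: crash, exit, or restart", "DoS: resource consumption"})),
]


def technical_impact_factor(vignette: Vignette, weakness: Weakness) -> float:
    """Highest scorecard subscore among the weakness's impacts, scaled to 0..1.

    A scorecard is expected to assign a subscore to every potential technical
    impact, so an impact missing from it is treated as a scorecard gap and
    rejected rather than silently scored as 0 (assumption for this example).
    """
    missing = weakness.technical_impacts - set(vignette.scorecard)
    if missing:
        raise ValueError(f"{vignette.name}: scorecard lacks {sorted(missing)}")
    best = max(vignette.scorecard[i][0] for i in weakness.technical_impacts)
    return round(best / 10, 2)


def rank(vignette: Vignette, weaknesses=WEAKNESSES) -> list:
    """Weaknesses ordered by factor (descending), then by CWE id for stable ties."""
    scored = [(w.cwe_id, technical_impact_factor(vignette, w)) for w in weaknesses]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for v in (ECOMMERCE, PUBLIC_STATS):
        print(v.name)
        for cwe, factor in rank(v):
            print(f"  {cwe:<8} {factor:.2f}")
```

Running it shows the same weakness list reordered by context: CWE-200 (information exposure) sits near the top for the e-commerce vignette, where "Read application data" is scored 9, and drops to last for the public-statistics vignette, where the same impact is scored 1. The scorecard subscores are the only thing that changed.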
A selection of example vignettes is presented below. These vignettes were selected to represent diverse communities and use cases. Note that these vignettes are subject to change or removal based on community review. A more extensive, up-to-date list of vignettes is provided on a separate page.
Note that the Technical Impact Scorecard is omitted from this example for the sake of brevity; more details are available in a later section.
In addition to a summary, each vignette is annotated with additional, lower-level details that can be used to describe how the technical aspects of weaknesses relate to the business or mission-level requirements. These details are discussed in another section.
Disclaimer: these vignettes are in the early stages of development and are intended primarily to demonstrate the concept. They are subject to review and feedback, and they may be modified. An up-to-date list of vignettes is on a separate page.
Organizations can customize CWRAF to define their own domains, vignettes, etc. For example, an e-Commerce company could use Domains to divide a software package into different processes, then use vignettes to identify the most important functional components: