CWE Top 25 Most Dangerous Software Errors


CWE Top 25 Most Dangerous Software Errors

asummers
Administrator

Dear CWE community members,

 

I hope you are all well! 

 

The CWE team is working towards the generation and publication of a new list of the Top 25 Most Dangerous Software Errors. 

 

In previous years, the Top 25 list was constructed through aggregating survey responses from a wide selection of organizations, and by engaging developers, security analysts, researchers, and vendors. Respondents were asked to nominate weaknesses that they considered to be the most prevalent or important, and then a customized part of CWSS was used to determine a ranking. There were a number of positives in this approach, but it was also labor intensive and subjective.

 

For the upcoming new Top 25, the CWE team is going for a more rigorous, statistical, data-driven process leveraging information about actual reported vulnerabilities to determine how prevalent and dangerous a weakness is. The CWE team will use weakness data pulled directly from the National Vulnerability Database (NVD) to calculate metrics for CWEs. While this method introduces a bias through analyzing only reported vulnerabilities and could potentially exclude some software and a breadth of other data, the CWE team believes it will result in a more repeatable and accurate Top 25 list.

 

There are two components in our scoring process that will be combined to determine the total score for a CWE. The first component is the frequency with which a CWE is the root cause of a vulnerability. The second component is a weakness's average CVSS score, which is meant to determine the overall severity of a weakness. We determine the average CVSS score for a CWE by calculating the sum of all of the CVSS scores for CVEs that map to a given CWE, and then dividing this sum by the total number of CVEs with that CWE. These two components are normalized before being multiplied together. This process is represented below:

 

W = All CWEs

CVE_w = All CVEs with a weakness w

Freq = {count(CVE_w') for each w' in W}

Freq_w = Number of CVEs with a weakness w

CVSS = All CVSS Scores

CVSS_w = All CVSS Scores for w

F_w = (Freq_w - min(Freq)) / (max(Freq) - min(Freq))

C_w = (average(CVSS_w) - min(CVSS)) / (max(CVSS) - min(CVSS))

 

Final score = F_w * C_w

 

The CWE team is still reviewing this formula, and it may change before the new Top 25 List is published.

 

One of the challenges that we are faced with is addressing the many CVEs currently mapped to CWE Categories. Categories are not technically weaknesses and therefore any existing mapping to them is considered incorrect. As such, we have coordinated with NVD and are in the process of finalizing a "mapping analysis" on these CVEs to map them to more accurate CWEs at lower levels of abstraction. Relatedly, we published a new CWE View 1003: Weaknesses for Simplified Mapping of Published Vulnerabilities in our last minor release (version 3.3) on June 24, 2019. Going forward, newly reported vulnerabilities will be mapped to the entries in this view where possible. If over time vulnerability data indicates that certain weaknesses not currently part of View 1003 are occurring more frequently in the wild, View 1003 will evolve as needed to accommodate these new trends.

 

This has been a large undertaking, but we hope that it will all result in a repeatable and more accurate Top 25 list, as well as drive discussions about better ways to approach CVE<->CWE mapping in the future. It is our intent to share the draft form of the new Top 25 with you when available at some point in the coming weeks. We would love to hear feedback from you at that time. After the request-for-comment period, we will be officially publishing the new Top 25 to the wider community.

 

We certainly appreciate all your interest, participation, and engagement with CWE, and we look forward to your continued support. Thank you!

 

Cheers,

Alec

 

 

-- 

Alec J. Summers

Cyber Solutions Division

Cyber Security Engineer, Lead

(781) 271-6970

 


 

MITRE - Solving Problems for a Safer World


 


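The draft scoring formula in the message above, carried through on constructed sample data as an added example; this is not code from the CWE team or from the page. The CVE identifiers, CVSS scores and the small CWE-type table are constructed for illustration only. The example also applies the message's point that CVEs mapped to Categories (or to NVD's placeholder "NVD-CWE-Other") are not counted, and it guards the one failure mode the formula has as written: a zero denominator when every CWE has the same frequency or every CVE the same CVSS score.

```python
"""Worked example of the draft Top 25 formula: Final = F_w * C_w.

All input data below is constructed for illustration, not taken from NVD.
"""
from collections import defaultdict
from statistics import mean

# Constructed NVD-like rows: (cve_id, cwe_id, cvss_base_score).
# One row per (CVE, CWE) pair, so a CVE that NVD maps to two CWEs
# would appear twice and count once toward each CWE's Freq_w.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 5.4),
    ("CVE-0000-0003", "CWE-79", 6.1),
    ("CVE-0000-0004", "CWE-79", 4.3),
    ("CVE-0000-0005", "CWE-787", 9.8),
    ("CVE-0000-0006", "CWE-787", 8.8),
    ("CVE-0000-0007", "CWE-787", 7.8),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 9.1),
    ("CVE-0000-0010", "CWE-20", 7.5),
    ("CVE-0000-0011", "CWE-310", 5.9),        # CWE-310 is a Category: not scored
    ("CVE-0000-0012", "NVD-CWE-Other", 7.2),  # NVD placeholder, not a weakness
]

# Constructed abstraction table; a real run would read this from the CWE export.
CWE_TYPE = {
    "CWE-79": "Weakness",
    "CWE-787": "Weakness",
    "CWE-89": "Weakness",
    "CWE-20": "Weakness",
    "CWE-310": "Category",
}


def is_weakness(cwe_id, cwe_type=CWE_TYPE):
    """True only for entries typed as a Weakness. Categories and NVD's
    placeholders have no entry (or a non-Weakness entry) and are dropped."""
    return cwe_type.get(cwe_id) == "Weakness"


def _norm(x, lo, hi):
    """Min-max normalisation as in F_w and C_w. If every CWE has the same
    frequency (or every CVE the same CVSS) the range is zero; treat the
    component as 1.0 rather than dividing by zero."""
    return 1.0 if hi == lo else (x - lo) / (hi - lo)


def score_cwes(cves, cwe_type=CWE_TYPE):
    """Return {cwe: (Freq_w, average(CVSS_w), F_w, C_w, Final)}.

    Freq is normalised over the set of per-CWE counts; CVSS is normalised
    over the set of ALL individual CVSS scores, as the formula states, so
    C_w compares a CWE's average to the global min and max score."""
    per_cwe = defaultdict(list)
    for _cve, cwe, cvss in cves:
        if is_weakness(cwe, cwe_type):
            per_cwe[cwe].append(cvss)
    if not per_cwe:
        return {}
    freq = {w: len(scores) for w, scores in per_cwe.items()}      # Freq_w
    all_cvss = [c for scores in per_cwe.values() for c in scores]  # CVSS
    min_f, max_f = min(freq.values()), max(freq.values())
    min_c, max_c = min(all_cvss), max(all_cvss)
    result = {}
    for w, scores in per_cwe.items():
        f_w = _norm(freq[w], min_f, max_f)
        c_w = _norm(mean(scores), min_c, max_c)
        result[w] = (freq[w], mean(scores), f_w, c_w, f_w * c_w)
    return result


def rank(cves, cwe_type=CWE_TYPE):
    """CWE ids ordered by Final score, highest first."""
    scored = score_cwes(cves, cwe_type)
    return sorted(scored, key=lambda w: scored[w][4], reverse=True)


if __name__ == "__main__":
    for w in rank(SAMPLE_CVES):
        n, avg, f_w, c_w, final = score_cwes(SAMPLE_CVES)[w]
        print(f"{w:8s} Freq={n} avgCVSS={avg:.2f} F={f_w:.3f} C={c_w:.3f} Final={final:.3f}")
```

On this constructed data CWE-79 has the highest frequency (F_w = 1.0) but the lowest average CVSS, so it ranks third behind CWE-787 and CWE-89; the least frequent weakness, CWE-20, gets F_w = 0 and therefore a Final score of 0 regardless of its severity, which is a property of min-max normalisation worth keeping in mind when reading the draft formula.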

[EXT] Re: CWE Top 25 Most Dangerous Software Errors

Tom Brennan
Thank you for the information 

On Tue, Jul 16, 2019 at 2:31 PM Summers, Alec J <[hidden email]> wrote:


--
Sent from my mobile. Please excuse any typographical errors.