New scoring system for security weaknesses
The Common Weakness Scoring System (CWSS) is intended to give developers and customers a better idea of which weaknesses should be accorded the highest priority. A buffer overflow discovered during a code audit is, for example, assigned a lower CWSS score if the data used to trigger the overflow is not derived from user input. Memory leaks which lead to crashes are given an even lower score.
A comparable system for classifying vulnerabilities already exists in the form of the relatively venerable Common Vulnerability Scoring System (CVSS). Factors used to calculate a vulnerability's CVSS score include base metrics such as local or remote exploitability, and temporal metrics such as the trustworthiness of the report and the availability of an exploit. Environmental factors, such as the physical effects of the vulnerability or the number of potentially vulnerable systems, are also evaluated.
According to the group behind the CWSS, there are significant parallels between the two systems, but CVSS lacks adequate organisational parameters. CWSS by contrast takes into account the effect on business-critical processes. The classification also considers the nature of the data to which a vulnerability might provide access and whether that data can merely be read or whether it can be modified or deleted. Unlike the CVSS, the CWSS is meant to be used during the development phase.
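To make the weighting described above concrete, the following is an added example written for this article; it is not MITRE's published CWSS formula and none of its names, weights or sample findings come from the specification. It scores a finding by multiplying a technical base subscore by an attack-surface factor and a business-impact factor, so that the three cases the text mentions (an overflow fed from user input, the same overflow fed from internal data, and a memory leak that only crashes the process) rank in the order the text describes:

```python
from dataclasses import dataclass

# Illustrative scorer in the spirit of CWSS. The structure (base finding x
# attack surface x environmental) mirrors the idea of the system, but every
# weight, name and threshold below is an assumption chosen for this example,
# not a value taken from the CWSS specification.

# How much of the affected data the weakness exposes (modify covers delete).
DATA_ACCESS_WEIGHT = {"none": 0.2, "read": 0.6, "modify": 1.0}


@dataclass(frozen=True)
class Finding:
    name: str
    technical_impact: float   # 0.0-1.0: worst technical outcome (crash < data leak < code execution)
    user_controlled: bool     # does the triggering data derive from untrusted input?
    remote: bool              # reachable by a remote actor, or only from the local host?
    data_access: str          # "none", "read" or "modify" (key of DATA_ACCESS_WEIGHT)
    business_impact: float    # 0.0-1.0: effect on business-critical processes


def base_finding_subscore(f: Finding) -> float:
    """Severity of the weakness on its own, 0-100: how bad the outcome is
    and how much can be done to the data it reaches."""
    return 100.0 * f.technical_impact * DATA_ACCESS_WEIGHT[f.data_access]


def attack_surface_factor(f: Finding) -> float:
    """0-1 multiplier: a flaw fed from user input is far more reachable than
    one fed only from internally generated data."""
    reach = 1.0 if f.remote else 0.6
    control = 1.0 if f.user_controlled else 0.25
    return reach * control


def environmental_factor(f: Finding) -> float:
    """0-1 multiplier for organisational context; a weakness that touches no
    business-critical process contributes nothing to the final score."""
    return f.business_impact


def cwss_like_score(f: Finding) -> float:
    """Combine the three parts into a single 0-100 priority score."""
    return round(
        base_finding_subscore(f) * attack_surface_factor(f) * environmental_factor(f),
        1,
    )


def rank(findings):
    """Highest-priority findings first, as a code-audit report would list them."""
    return sorted(findings, key=cwss_like_score, reverse=True)


# Constructed sample findings matching the three cases discussed in the text.
OVERFLOW_FROM_USER_INPUT = Finding("stack overflow, length taken from a request header", 1.0, True, True, "modify", 0.8)
OVERFLOW_INTERNAL_DATA = Finding("stack overflow, length taken from a compiled-in table", 1.0, False, True, "modify", 0.8)
MEMORY_LEAK_CRASH = Finding("memory leak, process eventually crashes", 0.3, True, True, "none", 0.8)
SAMPLE_FINDINGS = [MEMORY_LEAK_CRASH, OVERFLOW_INTERNAL_DATA, OVERFLOW_FROM_USER_INPUT]

if __name__ == "__main__":
    for finding in rank(SAMPLE_FINDINGS):
        print(f"{cwss_like_score(finding):5.1f}  {finding.name}")
```

Because the three parts are multiplied rather than added, a finding that no untrusted data can reach, or that affects no business-critical process, collapses towards zero instead of being propped up by a high technical score; that is the property that lets a development team sort an audit report by what actually matters to them. MITRE's specification defines its own factors and weights, so the numbers above should be read only as a demonstration of the shape of the calculation.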
The scoring system (version 0.8 of which has now been published) has been developed by MITRE, which was also responsible for developing the Common Vulnerability Enumeration (CVE) system used to classify vulnerabilities. CWSS has been partly sponsored by the US Department of Homeland Security and National Cyber Security Division (NCSD). CWSS is complemented by the Common Weakness Risk Analysis Framework (CWRAF), which can be used to classify weaknesses in a consistent and demonstrable manner.