Software Security: Now Threat-Informed!

Jon Baker, MITRE-Engenuity
Jun 21, 2024

Written by Mark E. Haase.

The CWE with Environmental CVSS Calculator brings threat-informed defense into the software development lifecycle. The result is better prioritization of weaknesses while software is being created and ultimately guides software engineering teams to develop software with fewer vulnerabilities.

In vulnerability management, defenders can prioritize which Common Vulnerabilities and Exposures (CVEs) to tackle first: the Common Vulnerability Scoring System (CVSS) was created to rank and prioritize CVEs, and it contains threat-informed elements such as whether exploit code exists. But nothing equivalent has existed for weakness management! The CWE Calculator fills this gap by adapting the CWE Top 25 methodology so that cyber defenders can easily generate their own, customized CWE rankings.

Weakness management can overwhelm a software development team: too many weaknesses, and not enough engineers to investigate and repair them.

The Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weaknesses that can become vulnerabilities. Static Application Security Testing (SAST) tools analyze software for potential security issues and associate those issues with a CWE number, e.g. CWE-862: Missing Authorization. Engineers use CWE to understand the nature of the weakness, the ways that adversaries might exploit it, and how to repair the weakness to create more robust software.

In partnership with members FIS Global, Fujitsu, and JPMorgan Chase, the Center for Threat-Informed Defense (Center) created the CWE with Environmental CVSS Calculator: CWE tells us what the weakness is; this Calculator answers “so what?” so that engineers can decide “now what?”

The CWE with Environmental CVSS Calculator estimates the severity of a weakness by locating the CVEs related to that weakness and averaging their scores together. This empirical approach scores CWEs based on real-world outcomes and guides software engineers to fix the weaknesses that have historically produced the most severe vulnerabilities down the road. The Calculator supports CVSS environmental and temporal factors. These factors allow engineers to model the specific conditions in which their code is expected to run, such as mitigating security controls and confidentiality/integrity/availability requirements. As a result, the Calculator can fine-tune the scores to each unique operating environment.
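As an added illustration of the approach described above (this is not the Calculator's own code), the following Python scores each CVE mapped to a CWE with the CVSS v3.1 environmental equation, applying the confidentiality/integrity/availability requirements and temporal metrics of a deployment, and then averages the results for the CWE. Metric weights and formulas come from the CVSS v3.1 specification; the CVE-to-CWE mapping, the vectors and the environment profiles are constructed sample data.

```python
import math
# CVSS v3.1 metric weights, as tabled in the specification
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}                    # CR/IR/AR security requirements
EXPLOIT = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}   # E: exploit code maturity
REMED = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}     # RL: remediation level
CONF = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}                 # RC: report confidence

def roundup(x):
    """CVSS v3.1 Roundup(): round up to one decimal without floating-point artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' (prefix optional) -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/"))

def environmental_score(m, env):
    """Environmental score of one CVE. The modified base metrics are left equal to the
    CVE's base metrics, so env carries only CR/IR/AR and the temporal metrics E/RL/RC."""
    cr, ir, ar = (REQ[env.get(k, "X")] for k in ("CR", "IR", "AR"))
    miss = min(1 - (1 - cr * CIA[m["C"]]) * (1 - ir * CIA[m["I"]]) * (1 - ar * CIA[m["A"]]), 0.915)
    changed = m["S"] == "C"
    impact = 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13 if changed else 6.42 * miss
    if impact <= 0:
        return 0.0
    pr = {"N": 0.85, "L": 0.68 if changed else 0.62, "H": 0.5 if changed else 0.27}[m["PR"]]
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    raw = min(1.08 * (impact + expl) if changed else impact + expl, 10)
    temporal = EXPLOIT[env.get("E", "X")] * REMED[env.get("RL", "X")] * CONF[env.get("RC", "X")]
    return roundup(roundup(raw) * temporal)

def cwe_score(cve_vectors, env):
    """Mean environmental score over the CVEs mapped to one CWE."""
    return sum(environmental_score(parse(v), env) for v in cve_vectors) / len(cve_vectors)

# Constructed sample: two vectors standing in for CVEs mapped to CWE-862 (not real CVE data)
CWE_862_VECTORS = [
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
]
GENERIC_ENV = {}                                                   # requirements and temporal all 1.0
LOW_VALUE_ENV = {"CR": "L", "IR": "L", "AR": "L", "E": "P", "RL": "O", "RC": "C"}
if __name__ == "__main__":
    for label, env in (("generic", GENERIC_ENV), ("low-value data, PoC only, fix available", LOW_VALUE_ENV)):
        print(f"CWE-862 mean score ({label}): {cwe_score(CWE_862_VECTORS, env):.2f}")
```

With no adjustments the two sample CVEs score 9.8 and 6.5 (mean 8.15); in the low-value environment with only proof-of-concept exploit code and an official fix available they drop to 7.2 and 4.2 (mean 5.7), which is the kind of re-ranking the environmental factors are meant to produce.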

The Calculator can be used in a command-line mode that will be familiar to software engineers. It also offers a Dockerized web service that is ideal for continuous integration & deployment (CI/CD) pipelines, where it can be wired into automated SAST tools and automated build processes.

To learn more, see our GitHub Wiki, which goes over the installation, command line, and web service modes of operation. We welcome your feedback and contributions to continue to advance CWE with Environmental CVSS Calculator. You are also welcome to submit issues here for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0119.

Jon Baker, MITRE-Engenuity: Director and co-Founder, Center for Threat-Informed Defense