Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Measurements of the Most Significant Software Security Weaknesses

Published

Author(s)

Carlos E. Cardoso Galhardo, Peter Mell, Irena Bojanova, Assane Gueye

Abstract

In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well known and used list of software security weaknesses. The CWE community publishes such an aggregate metric to calculate the 'Most Dangerous Software Errors'. However, we find that the published equation highly biases frequency and almost ignores exploitability and impact in generating top lists of varying sizes. This is due to the differences in the distributions of the component metric values. To mitigate this, we linearize the frequency distribution using a double log function. We then propose a variety of other improvements, provide top lists of the most significant CWEs for 2019, and provide an analysis of the identified software security weaknesses.
Conference Dates
December 7-11, 2020
Conference Location
Austin, TX, US
Conference Title
Annual Computer Security Applications Conference (ACSAC)

Keywords

Security, Weakness, Software Flaw, Severity

Citation

Cardoso Galhardo, C. , Mell, P. , Bojanova, I. and Gueye, A. (2020), Measurements of the Most Significant Software Security Weaknesses, Annual Computer Security Applications Conference (ACSAC), Austin, TX, US, [online], https://doi.org/10.1145/3427228.3427257, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=930459 (Accessed December 7, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created December 6, 2020, Updated April 19, 2022