Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 55

Making the Case for Cybersecurity
Figure 5-1: Contextualized vulnerability objects.
This is where generic vulnerability repositories play a key role:
• CVE (Common Vulnerabilities and Exposures): Cataloged flaws in known software components, useful for inventory-based scanning.
• CWE (Common Weakness Enumeration): A taxonomy of generalized coding flaws and design errors, used primarily by static analysis tools.
While foundational, these sources are limited in their ability to support tailoring. They are detection-oriented, not inference-ready, and lack direct alignment with system-specific models or mission goals. Furthermore, they are typically invoked late in the lifecycle, when options for architectural change are limited and remediations become costly. As knowledge items, generic vulnerabilities are unacceptably reactive.
The proposed framework is proactive, as vulnerability is characterized as a necessary condition of an attack, directly linking vulnerability enumeration to attack enumeration and control selection. To support a living, proactive assurance case, community-curated vulnerability knowledge must also flow seamlessly through the DevSecOps pipeline. For example, the publication of a new CVE should automatically trigger re-evaluation of associated vulnerability conditions, updating the risk argument and notifying stakeholders. This depends on a mended digital thread between vulnerability databases, system models, and the argument structure, a thread that is not yet fully realized.
In the meantime, findings from vulnerability scans, while reactive, can still be valuable. They can be linked as evidence to the appropriate Vulnerability Condition objects, strengthening mitigation claims and anchoring risk assertions in verifiable data.
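As an added illustration, not code from the framework described in this article, the following Python sketch models the two steps above: a newly published CVE record re-evaluates the Vulnerability Condition objects whose components and weakness class it matches, and scanner findings are attached to a condition as evidence. The condition records, the CVE record and the matching rule (component name and version plus CWE class) are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    version: str

@dataclass
class VulnerabilityCondition:
    """System-specific vulnerability condition, tagged with the generic CWE
    class it instantiates and the components it depends on (constructed model)."""
    cond_id: str
    cwe: str
    components: list
    controls: list = field(default_factory=list)   # control ids claimed to mitigate it
    evidence: list = field(default_factory=list)   # linked CVE records / scan findings
    status: str = "hypothesised"                   # hypothesised | confirmed | open

def reevaluate_on_cve(conditions, cve):
    """Re-evaluate every condition that a new CVE record touches.
    A condition is touched when one of its components appears in the CVE's
    affected list and the CVE's CWE equals the condition's weakness class.
    Returns the stakeholder notifications produced (assumed message format)."""
    notices = []
    for cond in conditions:
        hit = any((c.name, c.version) in cve["affected"] for c in cond.components)
        if not hit or cve["cwe"] != cond.cwe:
            continue
        cond.evidence.append({"type": "cve", "id": cve["id"]})
        # A confirmed condition with a claimed control stays in the argument as
        # "confirmed" (control must be re-verified); without one it is "open".
        cond.status = "confirmed" if cond.controls else "open"
        notices.append(f"{cond.cond_id}: {cve['id']} matches, status={cond.status}")
    return notices

def attach_scan_finding(cond, finding):
    """Link a (reactive but verifiable) scanner finding to a condition as evidence."""
    cond.evidence.append({"type": "scan", **finding})
    return len(cond.evidence)

# Constructed sample data; the CVE id is a placeholder, not a real record.
CONDITIONS = [
    VulnerabilityCondition("VC-1", "CWE-79", [Component("webui", "2.3")], controls=["CTL-OUTPUT-ENCODING"]),
    VulnerabilityCondition("VC-2", "CWE-502", [Component("msgbus", "1.0")]),
    VulnerabilityCondition("VC-3", "CWE-79", [Component("reportgen", "4.1")]),
]
NEW_CVE = {"id": "CVE-PLACEHOLDER-0001", "cwe": "CWE-79",
           "affected": {("webui", "2.3"), ("legacyapp", "1.0")}}

if __name__ == "__main__":
    for line in reevaluate_on_cve(CONDITIONS, NEW_CVE):
        print(line)
```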
50 May 2025