Assuring Trustworthiness via Structured Assurance Cases
Exposures (CVE) initiative [20], which started in 1999 and is now used throughout the industry of software-based systems. There is also the Common Vulnerability Scoring System (CVSS) [21], a risk scoring mechanism for prioritizing those vulnerabilities. Another mechanism used in the software community to discuss the types of vulnerabilities is the Common Weakness Enumeration (CWE) [22], which catalogs the underlying weaknesses that manifest as vulnerabilities. There is also a scoring system for prioritizing and focusing on the weaknesses that matter, called the Common Weakness Scoring System (CWSS) [23], and a standard way of referring to attack patterns, the Common Attack Pattern Enumeration and Classification (CAPEC) [24]. They are all described in international standards, part of the International Telecommunication Union's X.1500 series of technical standards [25, 26, 27, 28, 29].
[20] MITRE Corporation, "Common Vulnerabilities and Exposures (CVE®)," https://cve.mitre.org/
[21] FIRST, "Common Vulnerability Scoring System (CVSS)," https://www.first.org/cvss/
[22] MITRE Corporation, "Common Weakness Enumeration (CWE™)," https://cwe.mitre.org/
[23] MITRE Corporation, "Common Weakness Scoring System (CWSS™)," https://cwe.mitre.org/cwss/
[24] MITRE Corporation, "Common Attack Pattern Enumeration and Classification (CAPEC™)," https://capec.mitre.org/
[25] International Telecommunications Union Standardization Sector (ITU-T), "X.1520: Common vulnerabilities and exposures," 2011 & 2014, https://www.itu.int/rec/T-REC-X.1520
[26] International Telecommunications Union Standardization Sector (ITU-T), "X.1521: Common vulnerability scoring system," 2011 & 2014, https://www.itu.int/rec/T-REC-X.1521
[27] International Telecommunications Union Standardization Sector (ITU-T), "X.1524: Common weakness enumeration," 2012, https://www.itu.int/rec/