ISO/IEC JTC 1/SC 22/OWGV N0031a

From: Robert C. Seacord [mailto:rcs@cert.org]
Sent: Tuesday, August 22, 2006 1:49 PM
To: Moore, Jim
Cc: sc22-owgv-list ISO/IEC JTC 1/SC 22/OWGV Standards Development
Subject: Re: [SC22-OWGV] Preparation for September meeting

Jim,

It's very unlikely that CERT will be represented at this upcoming meeting, although we are still interested in participating in the group.

As Tom mentioned earlier, we have not had the opportunity to come to a consensus on an approach to levels, mainly because we have not had the time or opportunity to work on it and not because of any inherent differences in opinion.

In the meantime, I have decided on the following approach for priorities and levels for the CERT Secure Coding Standards work:

Each rule and recommendation in a secure coding standard has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA). Three values are assigned for each rule on a scale of 1 - 3 for:

  severity - how serious are the consequences of the rule being ignored;
    1 = low (denial-of-service attack, abnormal termination)
    2 = medium (data integrity violation, unintentional information disclosure)
    3 = high (run arbitrary code)

  likelihood - how likely is it that a flaw, introduced by ignoring the rule, could lead to an exploitable vulnerability;
    1 = unlikely
    2 = probable
    3 = likely

  remediation cost - how expensive is it to comply with the rule;
    1 = high (manual detection and correction)
    2 = medium (automatic detection / manual correction)
    3 = low (automatic detection and correction)

The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules and recommendations with a priority in the range of 1-4 are level 3 rules, 6-9 are level 2, and 12-27 are level 1.

As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules in a level, as shown in the attached illustration. The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.

Tom did have a concern about the unscientific nature of multiplying random values together. This has the benefit of being easy to implement, and I think that in practice it works out OK. However, if you want something more scientific, I can apply my creaky knowledge of multi-criteria utility theory (MAUT) to the problem, but that might turn out to be too scientific. 8^)

rCs

--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-6989
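The priority and level scheme described in the message above, worked through as an added example (this is illustrative code written for this page, not CERT's or the OWGV's own tooling). It computes the FMECA-style product for a rule, maps the product onto the three levels exactly as the message defines them, and shows which rules a remediation project would have to address to claim a given level. Two things are assumptions of the example rather than statements from the message: that the levels nest (claiming level 2 means satisfying every level 1 and level 2 rule; level 3 means all rules), and the rule identifiers and scores in SAMPLE_RULES, which are constructed and are not scores from any CERT standard.

```python
from dataclasses import dataclass
from itertools import product

# Scale labels as given in the message (1 - 3 for each criterion).
SEVERITY = {1: "low", 2: "medium", 3: "high"}
LIKELIHOOD = {1: "unlikely", 2: "probable", 3: "likely"}
# Note the inverted scale: a cheap fix scores 3, an expensive one scores 1,
# so cheap-to-fix, high-impact rules float to the top of the priority list.
REMEDIATION_COST = {1: "high", 2: "medium", 3: "low"}


def _check_score(name: str, value: int) -> None:
    if value not in (1, 2, 3):
        raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")


def priority(severity: int, likelihood: int, remediation_cost: int) -> int:
    """FMECA-style priority: the product of the three scores (1..27)."""
    _check_score("severity", severity)
    _check_score("likelihood", likelihood)
    _check_score("remediation_cost", remediation_cost)
    return severity * likelihood * remediation_cost


def level(prio: int) -> int:
    """Map a priority product onto a level: 1-4 -> L3, 6-9 -> L2, 12-27 -> L1."""
    if 1 <= prio <= 4:
        return 3
    if 6 <= prio <= 9:
        return 2
    if 12 <= prio <= 27:
        return 1
    # 5, 7, 10, 11, ... cannot be produced by three scores in 1..3.
    raise ValueError(f"{prio} is not a product of three scores in 1..3")


def possible_products() -> list[int]:
    """Every product three scores in 1..3 can produce, ascending."""
    return sorted({a * b * c for a, b, c in product((1, 2, 3), repeat=3)})


def levels_are_exhaustive() -> bool:
    """True if every reachable product lands in exactly one level band."""
    return all(level(p) in (1, 2, 3) for p in possible_products())


@dataclass(frozen=True)
class Rule:
    ident: str
    severity: int
    likelihood: int
    remediation_cost: int

    @property
    def priority(self) -> int:
        return priority(self.severity, self.likelihood, self.remediation_cost)

    @property
    def level(self) -> int:
        return level(self.priority)


def rules_for_compliance(rules: list[Rule], target_level: int) -> list[Rule]:
    """Rules a remediation project must satisfy to claim `target_level`.

    Assumption (not stated in the message): levels nest, so level 2
    compliance needs every level 1 and level 2 rule, and level 3 needs all.
    Results are ordered highest priority first, so the list doubles as a
    remediation work queue.
    """
    if target_level not in (1, 2, 3):
        raise ValueError("target_level must be 1, 2 or 3")
    chosen = [r for r in rules if r.level <= target_level]
    return sorted(chosen, key=lambda r: (-r.priority, r.ident))


# Constructed sample rules: identifiers and scores are made up for this example.
SAMPLE_RULES = [
    Rule("EXAMPLE-01", severity=3, likelihood=3, remediation_cost=3),  # 27 -> L1
    Rule("EXAMPLE-02", severity=2, likelihood=2, remediation_cost=2),  #  8 -> L2
    Rule("EXAMPLE-03", severity=1, likelihood=1, remediation_cost=2),  #  2 -> L3
    Rule("EXAMPLE-04", severity=3, likelihood=2, remediation_cost=2),  # 12 -> L1
    Rule("EXAMPLE-05", severity=2, likelihood=3, remediation_cost=1),  #  6 -> L2
]


if __name__ == "__main__":
    print("reachable products:", possible_products())
    for target in (1, 2, 3):
        queue = [f"{r.ident} (P{r.priority}, L{r.level})"
                 for r in rules_for_compliance(SAMPLE_RULES, target)]
        print(f"to claim level {target}:", ", ".join(queue))
```

Running possible_products() shows why the level bands have gaps: only ten distinct products (1, 2, 3, 4, 6, 8, 9, 12, 18, 27) are reachable, so the ranges 1-4, 6-9 and 12-27 partition every product a rule can actually receive, and levels_are_exhaustive() confirms this.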