The document discusses three standards used for classifying vulnerabilities: CVE, CWE, and CVSS. CVE provides identifiers for known vulnerabilities. CWE defines common weakness types. CVSS provides a scoring system to assess vulnerability severity levels. The Heartbleed bug is used as an example, which is identified by CVE-2014-0160, classified under CWE-200 for information exposure, and given a CVSS score of 6.4.

1. 1
Classification of vulnerabilities
Using CVE, CWE and CVSS
26/03/2015
Mayur Mehta

2. 2
Index
> Introduction
> Building Blocks
> Acronyms
> Heartbleed bug example
> CVE
> CWE
> CVSS
> Main differences

3. 3
Everything is Connected

4. 4
Cyber Threats Emerged Over Time

5. 5
Solutions Also Emerged Over Time

6. 6
Architecting Security with Information Standards

7. 7
Building Blocks
> Enumerations : Standard ways for enumerating “things we care about”
> Catalog the fundamental entities in IA, Cyber Security, and Software Assurance
- Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME),
attack patterns (CAPEC), weaknesses in code/design/architecture (CWE)
> Languages/Formats: Languages/Formats for encoding/carrying high fidelity content
about the “things we care about”
> Support the creation of machine-readable state assertions, assessment results, and messages
- Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based
assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns
(MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF)
> Repositories: Repositories of this content for use in communities or individual
organizations
> Packages of assertions supporting a specific application
- Vulnerability advisories & alerts, (US-CERT Advisories/IAVAs), configuration assessment (NIST
Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGS), asset inventory
(NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)

8. 8
Acronyms
Security Content Automation
Protocol (SCAP)

9. 9
Heartbleed bug example
> Taking the Heartbleed bug as an example, this particular vulnerability is listed under a
specific CVE identifier of CVE-2014-0160. It is also classified under the more
general CWE-200: Information Exposure weakness. In addition, it has been given an
CVSS Score of 6.4.

10. 10
CVE
The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for
publicly known information-security vulnerabilities and exposures. MITRE Corporation maintains the system, with
funding from the National Cyber Security Division of the United States Department of Homeland Security.[1] CVE is
used by the Security Content Automation Protocol, and CVE IDs are listed on MITRE's system[2] as well as the
US National Vulnerability Database.
Wiki link: http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
Year wise data: http://www.cvedetails.com/browse-by-date.php

11. 11
CWE
Common Weakness Enumeration is a software community project that aims at creating a catalog of
software weaknesses and vulnerabilities. The goal of the project is to better understand flaws in software and to create
automated tools that can be used to identify, fix, and prevent those flaws.[1]The project is sponsored by Mitre
Corporation. In order to obtain CWE Compatible status a product or a service must meet 4 out of 6 requirements,
shown below:
Wiki link: http://en.wikipedia.org/wiki/Common_Weakness_Enumeration
MITRE database: http://cwe.mitre.org/data/slices/2000.html

12. 12
CVSS
Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing
the severity of computer system security vulnerabilities. It is under the custodianship of NIST.[1] It attempts to establish
a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be
prioritized. The scores are based on a series of measurements (called metrics) based on expert assessment. The
scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9
as Medium, and 0-3.9 as Low.
Versions: CVSSv1 – 2004, CVSSv2 – (the current version) launched in 2007, CVSSv3 – expected to be released in
late 2015.
The CVSS assessment measures three areas of concern:
1. Base Metrics for qualities intrinsic to a vulnerability
2. Temporal Metrics for characteristics that evolve over the lifetime of vulnerability
3. Environmental Metrics for vulnerabilities that depend on a particular implementation or environment
Wiki link: http://en.wikipedia.org/wiki/CVSS
Calculator: https://nvd.nist.gov/CVSS-v2-Calculator?vector=%28AV:L/AC:H/Au:N/C:N/I:P/A:C%29

13. 13
Main differences
> Main differences between the three standards
CVE CWE CVSS
Full Name Common Vulnerabilities and
Exposures
Common Weaknesses Enumeration Common Vulnerabilities Scoring
System
What is it? A dictionary of publicly known
security vulnerabilities and
exposures.
A community-developed dictionary
of software weakness types.
A vendor-agnostic industry open-
standard designed to convey
vulnerability severity.
Main Benefit Easier to share vulnerability data
across different databases and
tools. Different security tools can
now “talk” to each other using a
common language.
Provides a standard measuring
stick for software security.
Helps determine urgency and
priority of response when
vulnerabilities are detected.
Solution Provides a baseline for evaluating
the coverage of an organization’s
security tools.
Provides a common baseline for
weaknesses identification,
mitigation and prevention efforts.
Solves the problem of multiple
incompatible scoring systems.
More information http://cve.mitre.org/index.html https://cwe.mitre.org http://www.first.org/cvss

14. 14