Each rule has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. Three values are assigned for each rule on a scale of 1 to 3 for
- Severity - How serious are the consequences of the rule being ignored:
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code, privilege escalation)
- Likelihood - How likely is it that a flaw introduced by violating the rule could lead to an exploitable vulnerability:
1 = unlikely
2 = probable
3 = likely
- Remediation cost - How expensive is it to remediate existing code to comply with the rule:
1 = high (manual detection and correction)
2 = medium (automatic detection and manual correction)
3 = low (automatic detection and correction)
The three values are multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules with a priority in the range of 1 to 4 are level 3 rules, 6 to 9 are level 2, and 12 to 27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules in a level, as shown in Figure P-1.
The metric is designed primarily for remediation projects and does note apply to new development efforts that are implemented to the standard.