Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Severity—How serious are the consequences of the rule being ignored?

    Value

    Meaning

    Examples of Vulnerability

    1

    low

    denial-of-service attack, abnormal termination

    2

    medium

    data integrity violation, unintentional information disclosure

    3

    high

    run arbitrary code

  • Likelihood—How likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability?

    Value

    Meaning

    1

    unlikely

    2

    probable

    3

    likely

  • Remediation Cost—How expensive is it to comply with the rule?

    Value

    Meaning

    Detection

    Correction

    1

    high

    manual

    manual

    2

    medium

    automatic

    manual

    3

    low

    automatic

    automatic

The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27, although only the following 10 distinct values are possible: 1, 2, 3, 4, 6, 8, 9, 12, 18, and 27. Rules and recommendations with a priority in the range 1–4 are Level 3 rules, 6–9 are Level 2, and 12–27 are Level 1.

  • Priorities and Levels

    Level

    Priorities

    Possible Interpretation

    L1

    12, 18, 27

    High severity, likely, inexpensive to repair

    L2

    6, 8, 9

    Medium severity, probable, medium cost to repair

    L3

    1, 2, 3, 4

    Low severity, unlikely, expensive to repair

As a result, it is possible to claim Level 1, Level 2, or complete compliance (Level 3) with a standard by implementing all rules in a level, as shown in the following illustration:

...

The risk analysis section also contains a link to search for related vulnerabilities on the CERT website. Whenever possible, CERT Vulnerability Notes are tagged with a keyword corresponding to the unique ID of the coding guideline. This search provides you with an up-to-date list of real-world vulnerabilities that have been determined to be at least partially caused by a violation of this specific guideline. These vulnerabilities are labeled as such only when the vulnerability analysis team at the CERT/CC is able to evaluate the source code and precisely determine the cause of the vulnerability. Because many vulnerability notes refer to vulnerabilities in closed-source software systems, it is not always possible to provide this additional analysis. Consequently, the related vulnerabilities field tends to be somewhat sparsely populated.

Image Removed      Image Removed       Image Removed