...
Each rule and recommendation has an assigned Priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. Three values are assigned for each rule on a scale of 1 to 3 for severity, likelihood, and remediation cost.
Severity—How serious are the consequences of the rule being ignored?
Value | Meaning | Examples of Vulnerability
------|---------|------------------------------------------------------------
1     | Low     | Denial-of-service attack, abnormal termination
2     | Medium  | Data integrity violation, unintentional information disclosure
3     | High    | Run arbitrary code
Likelihood—How likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability?
Value | Meaning
------|---------
1     | Unlikely
2     | Probable
3     | Likely
Remediation Cost—How expensive is it to comply with the rule?
Value | Meaning | Detection | Correction
------|---------|-----------|-----------
1     | High    | Manual    | Manual
2     | Medium  | Automatic | Manual
3     | Low     | Automatic | Automatic
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. The products range from 1 to 27, although only the following 10 distinct values are possible: 1, 2, 3, 4, 6, 8, 9, 12, 18, and 27. Rules and recommendations with a priority in the range of 1 to 4 are Level 3 rules, 6 to 9 are Level 2, and 12 to 27 are Level 1.
Priorities and Levels

Level | Priorities  | Possible Interpretation
------|-------------|-----------------------------------------------------
L1    | 12, 18, 27  | High severity, likely, inexpensive to repair
L2    | 6, 8, 9     | Medium severity, probable, medium cost to repair
L3    | 1, 2, 3, 4  | Low severity, unlikely, expensive to repair
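The scoring scheme above is mechanical enough to encode directly. The following is an added example (not part of the standard or of any CERT tooling) that computes a rule's priority from its three scores, maps it to a level, enumerates every possible product to confirm that only the 10 listed values occur, and ranks a set of rules. The rule identifiers and scores in SAMPLE_RULES are constructed for illustration and are not the standard's actual assignments.

```python
from itertools import product

# Scale values as defined by the standard: each axis is scored 1 to 3.
SEVERITY = {1: "Low", 2: "Medium", 3: "High"}
LIKELIHOOD = {1: "Unlikely", 2: "Probable", 3: "Likely"}
REMEDIATION_COST = {1: "High", 2: "Medium", 3: "Low"}  # 3 = cheapest to fix

# Level boundaries as stated in the text: 1-4 -> L3, 6-9 -> L2, 12-27 -> L1.
LEVEL_OF_PRIORITY = {
    1: 3, 2: 3, 3: 3, 4: 3,
    6: 2, 8: 2, 9: 2,
    12: 1, 18: 1, 27: 1,
}


def priority(severity: int, likelihood: int, remediation_cost: int) -> int:
    """Priority is the product of the three FMECA-style scores."""
    scores = {"severity": severity, "likelihood": likelihood,
              "remediation_cost": remediation_cost}
    for name, value in scores.items():
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return severity * likelihood * remediation_cost


def level(prio: int) -> int:
    """Map a priority to its conformance level (1, 2 or 3)."""
    try:
        return LEVEL_OF_PRIORITY[prio]
    except KeyError:
        raise ValueError(f"{prio} is not a reachable priority value") from None


def possible_priorities() -> list:
    """All distinct products of three scores drawn from {1, 2, 3}."""
    return sorted({s * l * c for s, l, c in product((1, 2, 3), repeat=3)})


def priorities_for_level(lvl: int) -> list:
    """Priority values that fall into a given level, as in the table above."""
    return sorted(p for p, lv in LEVEL_OF_PRIORITY.items() if lv == lvl)


def rank_rules(rules: dict) -> list:
    """Return (rule_id, priority, level) tuples, highest priority first.

    `rules` maps a rule id to a (severity, likelihood, remediation_cost) triple.
    """
    ranked = []
    for rule_id, (sev, lik, cost) in rules.items():
        prio = priority(sev, lik, cost)
        ranked.append((rule_id, prio, level(prio)))
    # Sort by descending priority, then by id for a stable, readable listing.
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample: hypothetical rule ids and made-up scores, not from the standard.
SAMPLE_RULES = {
    "EXAMPLE-RULE-A": (3, 3, 3),  # high severity, likely, cheap to fix
    "EXAMPLE-RULE-B": (2, 2, 2),  # medium on every axis
    "EXAMPLE-RULE-C": (1, 1, 3),  # low severity, unlikely, cheap to fix
}

if __name__ == "__main__":
    print("reachable priorities:", possible_priorities())
    for lvl in (1, 2, 3):
        print(f"L{lvl}: {priorities_for_level(lvl)}")
    for rule_id, prio, lvl in rank_rules(SAMPLE_RULES):
        print(f"{rule_id}: priority {prio} -> L{lvl}")
```

Because 5, 7, 10 and so on cannot be produced by multiplying three values from {1, 2, 3}, `level()` rejects them rather than silently placing them in a band, which catches hand-entered scores that were never multiplied.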
As a result, it is possible to claim Level 1, Level 2, or complete compliance (Level 3) with a standard by implementing all rules in a level, as shown in the following illustration:
Recommendations are not compulsory and are provided for information purposes only.
...
Where applicable, guidelines provide information on analyzer tools that can automatically diagnose violations of secure coding guidelines. Most automated analyses for the C programming language are neither sound nor complete, so the inclusion of a tool in this section typically means that the tool can diagnose some violations of this particular rule. Currently, there is no conformance test suite available that can be used to assess the false-positive and false-negative rates of analyzers when checking conformance for a particular guideline against source code (although CERT has announced it will coordinate the development of a freely available, open source–licensed conformance test).
Because of the lack of an existing conformance test, the information in these sections may be
- Provided by the vendors
- Determined by CERT by informally evaluating the analyzer
- Determined by CERT by reviewing the vendor documentation
...