Each rule has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. Three values are assigned for each rule on a scale of 1 to 3 for

  • Severity - How serious are the consequences of the rule being ignored:
    1 = low (denial-of-service attack, abnormal termination)
    2 = medium (data integrity violation, unintentional information disclosure)
    3 = high (run arbitrary code, privilege escalation)
  • Likelihood - How likely is it that a flaw introduced by violating the rule could lead to an exploitable vulnerability:
    1 = unlikely
    2 = probable
    3 = likely
  • Remediation cost - How expensive is it to remediate existing code to comply with the rule:
    1 = high (manual detection and correction)
    2 = medium (automatic detection and manual correction)
    3 = low (automatic detection and correction)

The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules with a priority in the range of 1 to 4 are level 3 rules, 6 to 9 are level 2, and 12 to 27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules in a level, as shown in Figure P-1.
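As an added worked example (not part of the standard's own text), the following Python computes the severity × likelihood × remediation-cost product and maps it onto the three level bands exactly as described above. The score-name dictionaries, the function names, the `P27 L1` style label and the sample rule scores are constructed here for illustration. Enumerating all 27 score combinations also makes the gaps in the bands visible: no product of three scores drawn from {1, 2, 3} can equal 5, 7, 10 or 11, which is why the bands 1-4, 6-9 and 12-27 leave nothing uncovered.

```python
"""Worked example of the FMECA-style priority metric described above.

Added illustration, not code from the CERT standard: computes
priority = severity * likelihood * remediation_cost and maps the
product onto the level bands exactly as the text states them.
"""
from itertools import product

# Scale labels are taken from the text; the dictionaries themselves are
# constructed here for readability and are not part of the standard.
SEVERITY = {1: "low", 2: "medium", 3: "high"}
LIKELIHOOD = {1: "unlikely", 2: "probable", 3: "likely"}
REMEDIATION_COST = {1: "high", 2: "medium", 3: "low"}


def priority(severity: int, likelihood: int, remediation_cost: int) -> int:
    """Multiply the three 1..3 scores; the product therefore lies in 1..27."""
    for name, value in (("severity", severity), ("likelihood", likelihood),
                        ("remediation_cost", remediation_cost)):
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return severity * likelihood * remediation_cost


def level(priority_value: int) -> int:
    """Map a priority product onto the level bands given in the text."""
    if 1 <= priority_value <= 4:
        return 3
    if 6 <= priority_value <= 9:
        return 2
    if 12 <= priority_value <= 27:
        return 1
    # 5, 7, 10, 11 and anything outside 1..27 cannot be produced by
    # multiplying three scores from {1, 2, 3}; see reachable_priorities().
    raise ValueError(f"{priority_value} is not a reachable priority")


def assess(severity: int, likelihood: int, remediation_cost: int) -> dict:
    """Return the full assessment for one rule.

    The 'label' key ("P27 L1" style) is a constructed convenience, not
    a notation the text above defines.
    """
    p = priority(severity, likelihood, remediation_cost)
    lvl = level(p)
    return {
        "severity": SEVERITY[severity],
        "likelihood": LIKELIHOOD[likelihood],
        "remediation_cost": REMEDIATION_COST[remediation_cost],
        "priority": p,
        "level": lvl,
        "label": f"P{p} L{lvl}",
    }


def reachable_priorities() -> list:
    """All distinct products over the 27 score combinations, ascending."""
    return sorted({s * l * c for s, l, c in product((1, 2, 3), repeat=3)})


def combinations_per_level() -> dict:
    """How many of the 27 score combinations fall into each level."""
    counts = {1: 0, 2: 0, 3: 0}
    for s, l, c in product((1, 2, 3), repeat=3):
        counts[level(s * l * c)] += 1
    return counts


if __name__ == "__main__":
    # Hypothetical rule: arbitrary code execution (3), likely (3),
    # automatic detection and correction (3) -> P27, level 1.
    print(assess(3, 3, 3))
    # Hypothetical rule: abnormal termination (1), unlikely (1),
    # manual detection and correction (1) -> P1, level 3.
    print(assess(1, 1, 1))
    print("reachable products:", reachable_priorities())
    print("combinations per level:", combinations_per_level())
```

Running the module prints the two hypothetical assessments, the ten reachable products (1, 2, 3, 4, 6, 8, 9, 12, 18, 27) and the split of the 27 combinations across levels (10 in level 3, 10 in level 2, 7 in level 1). The `level()` function deliberately rejects unreachable values rather than silently binning them, so a typo in a hand-entered priority surfaces immediately.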

[Figure P-1]

Recommendations are not compulsory and are provided for information purposes only.

The metric is designed primarily for remediation projects and does not apply to new development efforts that are implemented to the standard.