Each rule and recommendation in a secure coding standard has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA). Three values are assigned for each rule on a scale of 1 - 3 for:
- severity - how serious are the consequences of the rule being ignored;
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code)
- likelihood - how likely is it that a flaw, introduced by ignoring the rule, could lead to an exploitable vulnerability;
1 = unlikely
2 = probable
3 = likely
- remediation cost - how expensive is it to comply with the rule.
1 = high (manual detection and correction)
2 = medium (automatic detection / manual correction)
3 = low (automatic detection and correction)
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules and recommendations with a priority in the range of 1-4 are level 3 rules, 6-9 are level 2, and 12-27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules in a level as shown in the following illustration:
Recommendations are not compulsory and are provided for information purposes only.
The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.