University of Bahrain
Scientific Journals

Prioritizing CWE/SANS and OWASP Vulnerabilities: A Network-Based Model

dc.contributor.author Mahmood, Basim
dc.date.accessioned 2021-02-09T10:18:35Z
dc.date.available 2021-02-09T10:18:35Z
dc.date.issued 2021-02-08
dc.identifier.issn 2210-142X
dc.identifier.uri https://journal.uob.edu.bh:443/handle/123456789/4137
dc.description.abstract Nowadays, software applications have become ubiquitous and a central need in our lives. Most of our business, education, and social activities cannot be performed without software applications. Moreover, the development of software has become the main focus in the market due to the wide variety of customer needs. However, the vast amounts of software distributed around the world have dangerous weaknesses and vulnerabilities that can be exploited by cybercriminals to gain unauthorized access to users’ data. Thousands of cybercrimes are reported every day around the world due to these vulnerabilities. Therefore, it is critical to understand software vulnerabilities and the relations among them, with the aim of establishing suitable practices against dangerous attacks and mitigating their impact. This article analyses the weaknesses that have been defined by the CWE/SANS and OWASP, which are considered the most trusted and accredited cyber-security organizations. These organizations use a specific scoring system called Common Weakness Scoring System (CWSS) for ranking vulnerabilities based on their frequency of broken and other factors. We apply the concepts of complex networks in the methodology of our analysis. To this end, we generate networks, each of which represents the CWE/SANS and OWASP top vulnerabilities issued in a particular year. We then analyze the generated networks based on network-level and node-level measurements. The findings show that CWSS can include centrality measurements for ranking vulnerabilities in a more accurate way. Finally, we believe that centrality measurements can play a significant role and can be considered a powerful tool in improving CWSS in terms of accuracy. en_US
dc.language.iso en en_US
dc.publisher University of Bahrain en_US
dc.rights Attribution-NonCommercial-NoDerivatives 4.0 International *
dc.rights.uri http://creativecommons.org/licenses/by-nc-nd/4.0/ *
dc.subject Data Analysis, CWE/SANS and OWASP Vulnerabilities, Complex Networks, Software Security en_US
dc.title Prioritizing CWE/SANS and OWASP Vulnerabilities: A Network-Based Model en_US
dc.identifier.doi http://dx.doi.org/10.12785/ijcds/100137
dc.volume 10 en_US
dc.issue 1 en_US
dc.pagestart 361 en_US
dc.pageend 372 en_US
dc.contributor.authorcountry Iraq en_US
dc.contributor.authoraffiliation Department of Computer Science, University of Mosul en_US
dc.source.title International Journal of Computing and Digital Systems en_US
dc.abbreviatedsourcetitle IJCDS en_US


Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivatives 4.0 International