Scoring AppSec issues for Baseline-analysis (CWE, SAST, DAST, CAST)

Credits / sources

This is inspired by

  • Veracode’s documented idea[1] of an application security scoring based on MITRE’s CWE catalog [2]
  • the OWASP Application Security Verification Standard 2021 (4.x)[3]
  • Praerit Garg, Loren Kohnfelder et al. (Microsoft) - STRIDE as the base terminology
  • Adam Shostack et al. - DREAD as the base score

CWE based Application Security scoring

Flaw Category | CWE ID | CWE Name | Flaw Severity (see below) | Static / Dynamic
--- | --- | --- | --- | ---
API Abuse | 234 | Failure to Handle Missing Parameter | 3 | X
API Abuse | 243 | Creation of Chroot Jail Without Changing Working Directory | 4 | X
API Abuse | 245 | J2EE Bad Practices: Direct Management of Connections | 2 | X
API Abuse | 560 | Use of Umask() with Chmod-Style Argument | 3 | X
API Abuse | 628 | Function Call with Incorrectly Specified Arguments | 2 | X
API Abuse | 675 | Duplicate Operations on Resource | 2 | X
Authentication Issues | 287 | Improper Authentication | 4 | X X
Authentication Issues | 352 | Cross-Site Request Forgery (CSRF) | 3 | X X
Authentication Issues | 693 | Protection Mechanism Failure | 3 | X X
Authorization Issues | 99 | Improper Control of Resource Identifiers | 3 | X
Authorization Issues | 272 | Least Privilege Violation | 3 | X
Authorization Issues | 273 | Improper Check for Dropped Privileges | 3 | X
Authorization Issues | 274 | Improper Handling of Insufficient Privileges | 0 | X
Authorization Issues | 282 | Improper Ownership Management | 3 | X
Authorization Issues | 285 | Improper Authorization | 3 | X X
Authorization Issues | 346 | Origin Validation Error | 3 | X
Authorization Issues | 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 3 | X
Authorization Issues | 639 | Authorization Bypass Through User-Controlled Key | 4 | X
Authorization Issues | 566 | Authorization Bypass Through User-Controlled SQL Primary Key | 3 | X
Authorization Issues | 708 | Incorrect Ownership Assignment | 4 | X
Authorization Issues | 732 | Incorrect Permission Assignment for Critical Resource | 3 | X
Authorization Issues | 942 | Permissive Cross-domain Policy with Untrusted Domains | 3 | X X
Buffer Management Errors | 118 | Improper Access of Indexable Resource (Range Error) | 3 | X
Buffer Management Errors | 125 | Out-of-Bounds Read | 3 | X
Buffer Management Errors | 129 | Improper Validation of Array Index | 3 | X
Buffer Management Errors | 135 | Incorrect Calculation of Multi-Byte String Length | 5 | X
Buffer Management Errors | 170 | Improper Null Termination | 3 | X
Buffer Management Errors | 193 | Off-by-One Error | 3 | X
Buffer Management Errors | 787 | Out-of-Bounds Write | 3 | X
Buffer Management Errors | 823 | Use of Out-of-Range Pointer Offset | 3 | X
Buffer Management Errors | 824 | Access of Uninitialized Pointer | 3 | X
Buffer Overflow | 121 | Stack-Based Buffer Overflow | 5 | X
Code Injection | 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | 4 | X
Code Injection | 91 | XML Injection (Blind XPath Injection) | 3 | X X
Code Injection | 94 | Improper Control of Generation of Code | 3 | X
Code Injection | 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) | 5 | X X
Code Injection | 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | 4 | X X
Code Injection | 185 | Incorrect Regular Expression | 2 | X
Code Injection | 830 | Inclusion of Web Functionality from an Untrusted Source | 2 | X
Code Quality | 111 | Direct Use of Unsafe JNI | 4 | X
Code Quality | 159 | Failure to Sanitize Special Element | 0 | X
Code Quality | 401 | Improper Release of Memory Before Removing Last Reference (Memory Leak) | 2 | X
Code Quality | 404 | Improper Resource Shutdown or Release | 0 | X
Code Quality | 415 | Double Free | 3 | X
Code Quality | 416 | Use After Free | 2 | X
Code Quality | 477 | Use of Obsolete Functions | 0 | X X
Code Quality | 479 | Signal Handler Use of a Non-Reentrant Function | 3 | X
Code Quality | 489 | Leftover Debug Code | 3 | X
Code Quality | 597 | Use of Wrong Operator in String Comparison | 2 | X
Command or Argument Injection | 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | 5 | X
Command or Argument Injection | 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | 5 | X X
Command or Argument Injection | 88 | Argument Injection or Modification | 3 | X
Credentials Management | 256 | Plaintext Storage of a Password | 3 | X
Credentials Management | 259 | Use of Hard-coded Password | 3 | X X
Credentials Management | 522 | Insufficiently Protected Credentials | 3 | X X
Credentials Management | 798 | Use of Hard-coded Credentials | 3 | X
CRLF Injection | 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | 3 | X
CRLF Injection | 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | 3 | X X
CRLF Injection | 117 | Improper Output Neutralization for Logs | 3 | X
Cross-Site Scripting (XSS) | 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | 3 | X X
Cross-Site Scripting (XSS) | 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 3 | X X
Cross-Site Scripting (XSS) | 83 | Improper Neutralization of Script in Attributes in a Web Page | 3 | X X
Cross-Site Scripting (XSS) | 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | 3 | X
Cryptographic Issues | 261 | Weak Cryptography for Passwords | 3 | X
Cryptographic Issues | 295 | Improper Certificate Validation | 3 | X
Cryptographic Issues | 296 | Improper Following of Chain of Trust for Certificate Validation | 3 | X
Cryptographic Issues | 297 | Improper Validation of Host-specific Certificate Data | 3 | X X
Cryptographic Issues | 298 | Improper Validation of Certificate Expiration | 3 | X
Cryptographic Issues | 299 | Improper Check for Certificate Revocation | 3 | X
Cryptographic Issues | 311 | Missing Encryption of Sensitive Data | 3 | X
Cryptographic Issues | 312 | Cleartext Storage of Sensitive Information | 3 | X
Cryptographic Issues | 313 | Plaintext Storage in a File or on Disk | 3 | X
Cryptographic Issues | 316 | Plaintext Storage in Memory | 3 | X
Cryptographic Issues | 319 | Cleartext Transmission of Sensitive Information | 3 | X
Cryptographic Issues | 321 | Use of Hard-coded Cryptographic Key | 3 | X X
Cryptographic Issues | 326 | Inadequate Encryption Strength | 3 | X X
Cryptographic Issues | 327 | Use of a Broken or Risky Cryptographic Algorithm | 3 | X X
Cryptographic Issues | 328 | Reversible One-Way Hash | 3 | X
Cryptographic Issues | 329 | Not Using a Random IV with CBC Mode | 2 | X
Cryptographic Issues | 330 | Use of Insufficiently Random Values | 3 | X
Cryptographic Issues | 331 | Insufficient Entropy | 3 | X
Cryptographic Issues | 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | 3 | X
Cryptographic Issues | 347 | Improper Verification of Cryptographic Signature | 2 | X
Cryptographic Issues | 354 | Improper Validation of Integrity Check Value | 3 | X
Cryptographic Issues | 547 | Use of Hard-coded, Security-relevant Constants | 3 | X
Cryptographic Issues | 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | 2 | X X
Cryptographic Issues | 760 | Use of a One-Way Hash with a Predictable Salt | 3 | X
Cryptographic Issues | 780 | Use of RSA with Optimal Asymmetric Encryption Padding | 3 | X
Cryptographic Issues | 916 | Use of Password Hash With Insufficient Computational Effort | 3 | X
Dangerous Functions | 242 | Use of Inherently Dangerous Function | 5 | X
Dangerous Functions | 676 | Use of Potentially Dangerous Function | 3 | X
Deployment Configuration | 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | 3 | X
Deployment Configuration | 668 | Exposure of Resource to Wrong Sphere | 3 | X X
Deployment Configuration | 926 | Improper Export of Android Application Components | 3 | X
Directory Traversal | 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | 3 | X X
Directory Traversal | 35 | Path Traversal | 2 | X
Directory Traversal | 73 | External Control of File Name or Path | 3 | X
Encapsulation | 494 | Download of Code Without Integrity Check | 5 | X
Encapsulation | 501 | Trust Boundary Violation | 3 | X
Encapsulation | 502 | Deserialization of Untrusted Data | 3 | X
Encapsulation | 749 | Exposed Dangerous Method or Function | 4 | X
Error Handling | 248 | Uncaught Exception | 2 | X
Error Handling | 252 | Unchecked Return Value | 2 | X
Format String | 134 | Use of Externally-Controlled Format String | 5 | X
Information Leakage | 200 | Information Exposure | 2 | X
Information Leakage | 201 | Insertion of Sensitive Information Into Sent Data | 2 | X
Information Leakage | 209 | Information Exposure Through an Error Message | 2 | X X
Information Leakage | 215 | Information Exposure Through Debug Information | 2 | X X
Information Leakage | 359 | Exposure of Private Information (Privacy Violation) | 2 | X
Information Leakage | 497 | Exposure of System Data to an Unauthorized Control Sphere | 2 | X
Information Leakage | 526 | Information Exposure Through Environmental Variables | 2 | X
Information Leakage | 530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 | X
Information Leakage | 532 | Insertion of Sensitive Information into Log File | 2 | X
Information Leakage | 538 | File and Directory Information Exposure | 0 | X
Information Leakage | 548 | Information Exposure Through Directory Listing | 2 | X
Information Leakage | 611 | Information Exposure Through XML External Entity Reference | 3 | X X
Information Leakage | 615 | Information Exposure Through Comments | 0 | X X
Information Leakage | 665 | Improper Initialization | 2 | X
Information Leakage | 918 | Server-side Request Forgery | 3 | X X
Insecure Dependencies | 829 | Inclusion of Functionality from Untrusted Control Sphere | 3 | X X
Insufficient Input Validation | 20 | Improper Input Validation | 0 | X
Insufficient Input Validation | 90 | Improper Neutralization of Special Elements Used in an LDAP Query (LDAP Injection) | 3 | X
Insufficient Input Validation | 103 | Struts: Incomplete validate() Method Definition | 3 | X
Insufficient Input Validation | 104 | Struts: Form Bean Does Not Extend Validation Class | 3 | X
Insufficient Input Validation | 112 | Missing XML Validation | 3 | X
Insufficient Input Validation | 183 | Permissive List of Allowed Inputs | 3 | X
Insufficient Input Validation | 345 | Insufficient Verification of Data Authenticity | 4 | X
Insufficient Input Validation | 434 | Unrestricted Upload of File with Dangerous Type | 4 | X
Insufficient Input Validation | 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | 3 | X
Insufficient Input Validation | 472 | External Control of Assumed-Immutable Web Parameter | 3 | X
Insufficient Input Validation | 601 | URL Redirection to Untrusted Site (Open Redirect) | 3 | X X
Insufficient Input Validation | 618 | Exposed Unsafe ActiveX Method | 5 | X
Insufficient Input Validation | 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 3 | X
Insufficient Input Validation | 1174 | ASP.NET Misconfiguration: Improper Model Validation | 2 | X
Insufficient Input Validation | 1236 | Improper Neutralization of Formula Elements in a CSV File | 3 | X
Insufficient Logging & Monitoring | 223 | Omission of Security-relevant Information | 2 | X
Numeric Errors | 190 | Integer Overflow or Wraparound | 5 | X
Numeric Errors | 191 | Integer Underflow (Wrap or Wraparound) | 3 | X
Numeric Errors | 192 | Integer Coercion Error | 3 | X
Numeric Errors | 195 | Signed to Unsigned Conversion Error | 3 | X
Numeric Errors | 196 | Unsigned to Signed Conversion Error | 3 | X
Numeric Errors | 197 | Numeric Truncation Error | 3 | X
Potential Backdoor | 398 | Indicator of Poor Code Quality | 0 | X
Potential Backdoor | 506 | Embedded Malicious Code | 4 | X
Potential Backdoor | 511 | Logic/Time Bomb | 5 | X
Potential Backdoor | 514 | Covert Channel | 2 | X
Potential Backdoor | 656 | Reliance on Security Through Obscurity | 0 | X
Race Conditions | 366 | Race Condition within a Thread | 3 | X
Race Conditions | 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 3 | X
Race Conditions | 421 | Race Condition During Access to Alternate Channel | 3 | X
Server Configuration | 16 | Configuration | 0 | X
Server Configuration | 441 | Unintended Proxy or Intermediary (Confused Deputy) | 3 | X
Server Configuration | 642 | External Control of Critical State Data | 2 | X
Server Configuration | 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | 3 | X X
Session Fixation | 384 | Session Fixation | 3 | X X
SQL Injection | 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | 4 | X
SQL Injection | 564 | SQL Injection: Hibernate | 4 | X
SQL Injection | 943 | Improper Neutralization of Special Elements in Data Query Logic | 4 | X
Time and State | 377 | Insecure Temporary File | 3 | X
Time and State | 382 | J2EE Bad Practices: Use of System.exit() | 2 | X
Time and State | 557 | Concurrency Issues | 2 | X
Time and State | 691 | Insufficient Control Flow Management | 0 | X
Untrusted Initialization | 15 | External Control of System or Configuration Setting | 4 | X
Untrusted Initialization | 454 | External Initialization of Trusted Variables or Data Stores | 0 | X
Untrusted Search Path | 114 | Process Control | 5 | X
Untrusted Search Path | 426 | Untrusted Search Path | 3 | X
Untrusted Search Path | 427 | Uncontrolled Search Path Element | 3 | X

The last column keeps the scan-type marks as they appear in the source: a single X marks a flaw that one of the two scan types (static or dynamic) detects, and X X marks a flaw that both detect.

The table uses the following flaw severity scale:

  • 0: Informational,
  • 1: Very Low,
  • 2: Low,
  • 3: Medium,
  • 4: High,
  • 5: Very High.

Understanding Severity, Exploitability, and Effort to Fix

  • Severity and exploitability are two different measurements of the seriousness of a finding.

  • Effort to Fix measures the complexity of the work required to fix the finding.

  • Severity is the potential impact on the confidentiality, integrity, and availability of the application, as defined by CVSS.

  • Exploitability is the likelihood or ease with which an attacker could exploit a finding.

A high-severity finding with a high likelihood of being exploited by an attacker is potentially more dangerous than a high-severity finding with a low likelihood of being exploited.

  • Effort to Fix, also called Complexity of Fix, is a measure of the expected effort required to fix a finding. Combined with severity, Effort to Fix gives “Fix First” guidance: how to reach the highest risk reduction with the least investment of resources.

Finding Severities

Finding severities use the following scale; for Source Code Analysis and manual results, the severity is derived from the CVSS rating assigned to the CVE:

Severity | CVSS Rating (SCA and MPT only) | Description
--- | --- | ---
5 - Very High | 8.1-10 | These lines of code have a very serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks.
4 - High | 6.1-8 | These lines of code have a serious weakness and are an easy target for an attacker. Fix this finding immediately to avoid potential attacks.
3 - Medium | 4.1-6 | These lines of code have a moderate weakness and might be an easy target for an attacker. Fix this finding after fixing all Very High and High findings.
2 - Low | 2.1-4 | These lines of code have a low weakness. Consider fixing this finding after fixing all Very High, High, and Medium findings.
1 - Very Low | 0.1-2 | These lines of code have a very low weakness. The finding might indicate other problems in the code, but you do not need to mitigate it.
0 - Informational | 0 | These lines of code have an issue with no impact on the security of the application, but the finding might indicate other problems in the code. You can safely ignore this issue.

Informational Findings

Informational (Severity 0) findings are items observed in the application scan that have no impact on the security quality of the application but might be interesting to the reviewer for other reasons. These findings might include code quality issues, API usage, and other factors.

Informational findings have no impact on the security quality score of the application and are not included in the summary tables of findings for the application.

Exploitability

Each finding instance in a static scan might receive an exploitability rating. The rating is the likelihood that a finding can be found and used by an attacker to cause damage to the application or the data it protects. Veracode recommends that you use the exploitability rating to prioritize finding remediation within a specific group of findings with the same severity and difficulty of fix classification.

The possible exploitability ratings include:

Exploitability | Description
--- | ---
V. Unlikely | Very unlikely to be exploited
Unlikely | Unlikely to be exploited
Neutral | Neither likely nor unlikely to be exploited
Likely | Likely to be exploited
V. Likely | Very likely to be exploited

Two different methods determine exploitability:

Categorical exploitability

Describes the likelihood of exploit, from Very Unlikely to Very Likely, based on a proprietary formula and input from the Veracode security research team. All Veracode static flaw categories have a categorical exploitability.

Contextual exploitability

Increases or decreases the categorical exploitability assigned to an individual flaw using this data:

  • Information about the data flow path, specifically, the source of the tainted data
  • Heuristics

If the tainted data comes from an HTTP request, the contextual exploitability calculations might increase the exploitability of a cross-site scripting flaw. If the tainted data comes from a file on the application local file system, the contextual exploitability calculations might decrease the exploitability of a SQL injection flaw.

Effort to Fix

Each finding instance receives an effort-to-fix rating based on the classification of the finding. The effort-to-fix rating is a scale from 1 to 5, as explained in this table.

Effort to Fix | Description
--- | ---
5 | Complex design error. Requires significant redesign.
4 | Simple design error. Requires redesign and up to 5 days to fix.
3 | Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
2 | Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
1 | Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.
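The prioritization described in the sections above (severity first, then exploitability adjusted by its taint-source context, then effort to fix as the “Fix First” tie-breaker, with informational findings kept out of the summary) carried through on constructed findings. This is an added example, not Veracode's or the page author's code. The CWE subset and its severity values are copied from the table above, and the CVSS bands follow the Finding Severities table; the one-step size of the contextual adjustment, the taint-source labels, the sample findings and all function names are assumptions.

```python
"""Fix-first ranking of findings on the page's severity, exploitability and
effort-to-fix scales. Added example; the +/-1 contextual adjustment, the
taint-source labels and the sample data are assumptions, not a vendor formula."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional

# Flaw severities for a subset of the CWE table above (values from the page).
CWE_SEVERITY: Dict[int, int] = {
    78: 5,    # OS Command Injection
    79: 3,    # Cross-site Scripting
    89: 4,    # SQL Injection
    134: 5,   # Externally-Controlled Format String
    209: 2,   # Information Exposure Through an Error Message
    615: 0,   # Information Exposure Through Comments (informational)
    798: 3,   # Use of Hard-coded Credentials
}
SEVERITY_LABEL = {0: "Informational", 1: "Very Low", 2: "Low",
                  3: "Medium", 4: "High", 5: "Very High"}
# (low, high, severity) bands from the Finding Severities table.
CVSS_BANDS = [(0.0, 0.0, 0), (0.1, 2.0, 1), (2.1, 4.0, 2),
              (4.1, 6.0, 3), (6.1, 8.0, 4), (8.1, 10.0, 5)]


def severity_from_cvss(score: float) -> int:
    """Map a CVSS base score to the 0-5 severity scale (SCA/MPT results)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal, so the bands are contiguous
    for low, high, sev in CVSS_BANDS:
        if low <= score <= high:
            return sev
    raise AssertionError("unreachable: bands cover 0.0-10.0")


class Exploitability(IntEnum):
    VERY_UNLIKELY = 1
    UNLIKELY = 2
    NEUTRAL = 3
    LIKELY = 4
    VERY_LIKELY = 5


def contextual_exploitability(cwe_id: int, categorical: Exploitability,
                              taint_source: Optional[str]) -> Exploitability:
    """Raise or lower the categorical rating from the taint source, following
    the two cases the text gives: HTTP-request data raises XSS (CWE-79), local-file
    data lowers SQL injection (CWE-89). One step per rule is an assumption."""
    adjusted = int(categorical)
    if cwe_id == 79 and taint_source == "http_request":
        adjusted += 1
    elif cwe_id == 89 and taint_source == "local_file":
        adjusted -= 1
    return Exploitability(max(1, min(5, adjusted)))  # clamp to the 1-5 scale


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cwe_id: int
    exploitability: Exploitability
    effort_to_fix: int  # 1 (trivial, <= 5 lines) .. 5 (complex redesign)

    @property
    def severity(self) -> int:
        return CWE_SEVERITY[self.cwe_id]


def fix_first_order(findings: List[Finding]) -> List[Finding]:
    """Highest severity first, then most exploitable, then cheapest to fix.
    Informational (severity 0) findings are excluded, as the text says."""
    actionable = [f for f in findings if f.severity > 0]
    return sorted(actionable,
                  key=lambda f: (-f.severity, -int(f.exploitability), f.effort_to_fix))


def severity_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per severity label for the summary table; informational omitted."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.severity == 0:
            continue
        label = SEVERITY_LABEL[f.severity]
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample findings (ids, ratings and efforts are made up).
SAMPLE = [
    Finding("F1", 79, contextual_exploitability(79, Exploitability.NEUTRAL, "http_request"), 1),
    Finding("F2", 89, contextual_exploitability(89, Exploitability.LIKELY, "local_file"), 3),
    Finding("F3", 89, Exploitability.LIKELY, 5),
    Finding("F4", 78, Exploitability.UNLIKELY, 4),
    Finding("F5", 615, Exploitability.NEUTRAL, 1),
    Finding("F6", 209, Exploitability.LIKELY, 2),
]

if __name__ == "__main__":
    for f in fix_first_order(SAMPLE):
        print(f.finding_id, f"CWE-{f.cwe_id}", SEVERITY_LABEL[f.severity],
              f.exploitability.name, f"effort={f.effort_to_fix}")
    print(severity_summary(SAMPLE))
```

Within one severity, the sort uses exploitability before effort, matching the text's advice to use exploitability to prioritize inside a group of equally severe findings; effort then separates the two SQL injection findings, so the one that is cheaper to fix and less exploitable still lands after the more exploitable one. Note that a severity-5 finding rated Unlikely (F4) still outranks every severity-4 finding: the scheme orders by severity first, and exploitability refines only within a severity band.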

  1. https://docs.veracode.com/r/DGHxSJy3Gn3gtuSIN2jkRQ/civ7DGQfn2Kk4xh4Cz4UtA
  2. https://cwe.mitre.org/
  3. GitHub - OWASP/ASVS at v4.0.3