search menu icon-carat-right cmu-wordmark

A Structured Approach to Classifying Security Vulnerabilities

Technical Note
In this 2005 report, the authors propose a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2005-TN-003
DOI (Digital Object Identifier)
10.1184/R1/6571760.v1

Abstract

Understanding vulnerabilities is critical to understanding the threats they represent. Vulnerability classifications enable collection of frequency data; trend analysis of vulnerabilities; correlation with incidents, exploits, and artifacts; and evaluation of the effectiveness of countermeasures. Existing classification schemes are based on vulnerability reports and not on an engineering analysis of the problem domain. In this report, a classification scheme that uses attribute-value pairs to provide a multidimensional view of vulnerabilities is proposed. Attributes and values are selected based on engineering distinctions that allow vulnerabilities to be exploited by a given technique or determine which countermeasures are effective. Successful classification of vulnerabilities should lead to greater automation in analyzing code vulnerabilities and supporting effective communication between geographically remote vulnerability handling teams and vendors.

Cite This Technical Note

Seacord, R., & Householder, A. (2005, January 1). A Structured Approach to Classifying Security Vulnerabilities. (Technical Note CMU/SEI-2005-TN-003). Retrieved March 28, 2024, from https://doi.org/10.1184/R1/6571760.v1.

@techreport{seacord_2005,
author={Seacord, Robert and Householder, Allen},
title={A Structured Approach to Classifying Security Vulnerabilities},
month={Jan},
year={2005},
number={CMU/SEI-2005-TN-003},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6571760.v1},
note={Accessed: 2024-Mar-28}
}

Seacord, Robert, and Allen Householder. "A Structured Approach to Classifying Security Vulnerabilities." (CMU/SEI-2005-TN-003). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, January 1, 2005. https://doi.org/10.1184/R1/6571760.v1.

R. Seacord, and A. Householder, "A Structured Approach to Classifying Security Vulnerabilities," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2005-TN-003, 1-Jan-2005 [Online]. Available: https://doi.org/10.1184/R1/6571760.v1. [Accessed: 28-Mar-2024].

Seacord, Robert, and Allen Householder. "A Structured Approach to Classifying Security Vulnerabilities." (Technical Note CMU/SEI-2005-TN-003). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Jan. 2005. https://doi.org/10.1184/R1/6571760.v1. Accessed 28 Mar. 2024.

Seacord, Robert; & Householder, Allen. A Structured Approach to Classifying Security Vulnerabilities. CMU/SEI-2005-TN-003. Software Engineering Institute. 2005. https://doi.org/10.1184/R1/6571760.v1