...
Severity—How serious are the consequences of the rule being ignored?
Value
Meaning
Examples of Vulnerability
1
low
denial-of-service attack, abnormal termination
2
medium
data integrity violation, unintentional information disclosure
3
high
run arbitrary code
Likelihood—How likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability?
Value
Meaning
1
unlikely
2
probable
3
likely
Remediation Cost—How expensive is it to comply with the rule?
Value
Meaning
Detection
Correction
1
high
manual
manual
2
medium
automatic
manual
3
low
automatic
automatic
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27, although only the following 10 distinct values are possible: 1, 2, 3, 4, 6, 8, 9, 12, 18, and 27. Rules and recommendations with a priority in the range 1–4 are Level 3 rules, 6–9 are Level 2, and 12–27 are Level 1.
Priorities and Levels
Level
Priorities
Possible Interpretation
L1
12, 18, 27
High severity, likely, inexpensive to repair
L2
6, 8, 9
Medium severity, probable, medium cost to repair
L3
1, 2, 3, 4
Low severity, unlikely, expensive to repair
As a result, it is possible to claim Level 1, Level 2, or complete compliance (Level 3) with a standard by implementing all rules in a level, as shown in the following illustration:
...
The risk analysis section also contains a link to search for related vulnerabilities on the CERT website. Whenever possible, CERT Vulnerability Notes are tagged with a keyword corresponding to the unique ID of the coding guideline. This search provides you with an up-to-date list of real-world vulnerabilities that have been determined to be at least partially caused by a violation of this specific guideline. These vulnerabilities are labeled as such only when the vulnerability analysis team at the CERT/CC is able to evaluate the source code and precisely determine the cause of the vulnerability. Because many vulnerability notes refer to vulnerabilities in closed-source software systems, it is not always possible to provide this additional analysis. Consequently, the related vulnerabilities field tends to be somewhat sparsely populated.