# WIA-SEC-018: Vulnerability Assessment ## Phase 1 - Core Foundation **Standard ID:** WIA-SEC-018 **Category:** Security (SEC) **Version:** 1.0.0 **Status:** Active **Last Updated:** 2025-12-25 --- ## 1. Executive Summary WIA-SEC-018 establishes a comprehensive vulnerability assessment standard for systematic identification, classification, prioritization, and remediation of security vulnerabilities across enterprise systems. This standard integrates industry-leading practices including CVE database integration, CVSS v3.1 scoring, automated scanning tools, and risk-based prioritization frameworks to enable continuous vulnerability management and maintain robust security postures. ### Key Objectives 1. **Systematic Vulnerability Detection** - Automated and continuous vulnerability scanning across all assets 2. **Standardized Risk Assessment** - CVSS-based scoring and risk prioritization framework 3. **CVE Database Integration** - Real-time intelligence from NVD, MITRE, and other vulnerability databases 4. **Remediation Workflow** - Structured vulnerability remediation and tracking processes 5. **Compliance Support** - Support for security compliance frameworks (ISO 27001, SOC2, NIST) --- ## 2. Core Architecture ### 2.1 Vulnerability Assessment System Components The WIA-SEC-018 system consists of five primary components: #### Vulnerability Scanner - **Static Application Security Testing (SAST)** - Source code analysis - **Dynamic Application Security Testing (DAST)** - Runtime testing - **Software Composition Analysis (SCA)** - Dependency vulnerability detection - **Infrastructure Scanning** - Network and system vulnerability scanning - **Configuration Auditing** - Security misconfiguration detection #### CVE Intelligence Engine - CVE database synchronization and updates - Threat intelligence integration - Exploit availability tracking - Vulnerability trend analysis - Zero-day vulnerability monitoring #### Risk Assessment Engine - CVSS v3.1 score calculation - Asset criticality evaluation - Exploit probability assessment - Business impact analysis - Risk-based prioritization #### Remediation Manager - Vulnerability ticket generation - Patch management integration - Remediation workflow tracking - Verification and re-scanning - SLA monitoring and alerting #### Reporting & Analytics - Executive dashboards - Compliance reporting - Trend analysis and metrics - Vulnerability heat maps - Risk posture visualization ### 2.2 System Architecture Diagram ``` ┌──────────────────────────────────────────────────────────────┐ │ Asset Layer │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ Web App │ │ API Server│ │ Database │ │ Container│ │ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ └───────┼─────────────┼─────────────┼─────────────┼───────────┘ │ │ │ │ └─────────────┴─────────────┴─────────────┘ │ ┌───────────────▼────────────────┐ │ Vulnerability Scanner │ │ ┌──────┐ ┌──────┐ ┌──────┐ │ │ │ SAST │ │ DAST │ │ SCA │ │ │ └──────┘ └──────┘ └──────┘ │ └───────────────┬────────────────┘ │ ┌───────────────▼────────────────┐ │ CVE Intelligence Engine │ │ - NVD Integration │ │ - MITRE CVE Database │ │ - Exploit-DB │ │ - Threat Intelligence Feeds │ └───────────────┬────────────────┘ │ ┌───────────────▼────────────────┐ │ Risk Assessment Engine │ │ - CVSS Calculation │ │ - Asset Criticality │ │ - Exploit Probability │ │ - Business Impact │ └───────────────┬────────────────┘ │ ┌───────────────▼────────────────┐ │ Remediation Manager │ │ - Ticket Creation │ │ - Patch Management │ │ - Verification Testing │ │ - Compliance Tracking │ └───────────────┬────────────────┘ │ ┌───────────────▼────────────────┐ │ Reporting & Analytics │ │ - Executive Dashboard │ │ - Compliance Reports │ │ - Trend Analysis │ │ - Risk Visualization │ └────────────────────────────────┘ ``` --- ## 3. Vulnerability Data Model ### 3.1 Standard Vulnerability Entry Structure Every vulnerability assessment follows this standardized structure: ```json { "vulnerability": { "id": "WIA-VULN-2025-0001", "externalReferences": { "cveId": "CVE-2025-12345", "cweId": "CWE-79", "osvId": "OSV-2025-001", "ghsaId": "GHSA-xxxx-yyyy-zzzz" }, "metadata": { "title": "Cross-Site Scripting (XSS) Vulnerability", "description": "Reflected XSS vulnerability in user input fields allows attackers to inject malicious scripts", "discoveryDate": "2025-12-25T10:30:00Z", "publicationDate": "2025-12-25T12:00:00Z", "lastModifiedDate": "2025-12-25T14:00:00Z", "discoveredBy": "security-team@example.com", "reportedBy": "external-researcher@example.com" }, "severity": { "rating": "HIGH", "cvss": { "version": "3.1", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "temporalScore": 7.2, "exploitCodeMaturity": "FUNCTIONAL", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED" } }, "affectedAssets": [ { "assetId": "WEB-APP-001", "assetName": "Customer Portal", "assetType": "WEB_APPLICATION", "component": "User Profile Form", "version": "2.3.1", "criticality": "HIGH", "exposure": "INTERNET_FACING", "dataClassification": "CONFIDENTIAL", "businessOwner": "product-team@example.com" } ], "technicalDetails": { "vulnerabilityType": "INJECTION", "attackVector": "User input fields without proper sanitization", "exploitScenario": "Attacker submits crafted input containing JavaScript code", "affectedFunctions": [ "processUserInput()", "renderProfilePage()" ], "affectedEndpoints": [ "/api/user/profile", "/user/edit-profile" ], "proofOfConcept": "https://internal-wiki.example.com/vuln-poc-001" }, "exploitability": { "exploitAvailable": true, "exploitMaturity": "FUNCTIONAL", "exploitComplexity": "LOW", "weaponized": false, "exploitPublicationDate": "2025-12-25T13:00:00Z", "exploitReferences": [ "https://exploit-db.com/exploits/50001", "https://github.com/security/exploit-2025-001" ], "attackPrerequisites": [ "Network access to application", "Valid user account (for stored XSS variant)" ], "attackComplexity": "User must click malicious link or view compromised page" }, "remediation": { "status": "OPEN", "priority": "P1", "assignedTo": "security-team@example.com", "assignedTeam": "Application Security", "createdDate": "2025-12-25T10:30:00Z", "dueDate": "2025-12-30T23:59:59Z", "patchAvailable": true, "patchVersion": "2.3.2", "patchReleaseDate": "2025-12-26T00:00:00Z", "workaround": "Implement input sanitization and output encoding using OWASP ESAPI", "remediationSteps": [ "1. Apply input validation on all user-supplied data", "2. Implement context-aware output encoding", "3. Add Content Security Policy headers", "4. Deploy WAF rules to block XSS patterns", "5. Conduct security testing to verify fix" ], "estimatedEffort": "4 hours", "verificationRequired": true, "retestingScheduled": "2025-12-27T10:00:00Z" }, "references": { "advisories": [ "https://nvd.nist.gov/vuln/detail/CVE-2025-12345", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12345" ], "vendorAdvisories": [ "https://vendor.example.com/security/advisory-2025-001" ], "researchPapers": [ "https://owasp.org/www-community/attacks/xss/" ], "relatedCVEs": [ "CVE-2024-54321", "CVE-2024-98765" ] }, "riskAssessment": { "riskScore": 8.5, "businessImpact": "HIGH", "dataAtRisk": [ "Customer PII", "Session tokens", "Authentication credentials" ], "impactedUsers": 50000, "revenueAtRisk": 100000, "complianceImpact": ["GDPR", "SOC2", "ISO27001"], "reputationalRisk": "MEDIUM", "financialImpact": "MEDIUM", "operationalImpact": "LOW", "attackLikelihood": "HIGH", "exploitationInWild": false }, "compliance": { "regulations": ["GDPR", "SOC2", "ISO27001"], "controls": ["AC-3", "SI-10", "SC-7"], "complianceViolations": true, "reportingRequired": true, "notificationDeadline": "2025-12-27T23:59:59Z" } } } ``` --- ## 4. CVSS v3.1 Scoring System ### 4.1 Base Score Metrics The Common Vulnerability Scoring System (CVSS) v3.1 provides a standardized method for rating vulnerability severity: #### Attack Vector (AV) - **Network (N)**: 0.85 - Vulnerability exploitable remotely - **Adjacent (A)**: 0.62 - Requires local network access - **Local (L)**: 0.55 - Requires local system access - **Physical (P)**: 0.20 - Requires physical device access #### Attack Complexity (AC) - **Low (L)**: 0.77 - No special conditions required - **High (H)**: 0.44 - Requires specific conditions or timing #### Privileges Required (PR) - **None (N)**: 0.85 - No authentication required - **Low (L)**: 0.62/0.68 - Basic user privileges - **High (H)**: 0.27/0.50 - Administrative privileges #### User Interaction (UI) - **None (N)**: 0.85 - No user interaction required - **Required (R)**: 0.62 - Requires user action #### Scope (S) - **Unchanged (U)**: Vulnerability affects only vulnerable component - **Changed (C)**: Vulnerability affects resources beyond vulnerable component #### Impact Metrics (C/I/A) - **High (H)**: 0.56 - Total loss of confidentiality/integrity/availability - **Low (L)**: 0.22 - Partial loss - **None (N)**: 0 - No impact ### 4.2 CVSS Score Calculation ```javascript function calculateCVSSBaseScore(metrics) { // Calculate Impact Sub-Score (ISS) const ISS = 1 - ((1 - metrics.C) * (1 - metrics.I) * (1 - metrics.A)); // Calculate Impact Score let impact; if (metrics.scope === 'UNCHANGED') { impact = 6.42 * ISS; } else { impact = 7.52 * (ISS - 0.029) - 3.25 * Math.pow(ISS - 0.02, 15); } // Calculate Exploitability Score const exploitability = 8.22 * metrics.AV * metrics.AC * metrics.PR * metrics.UI; // Calculate Base Score let baseScore; if (impact <= 0) { baseScore = 0; } else if (metrics.scope === 'UNCHANGED') { baseScore = Math.min(impact + exploitability, 10); } else { baseScore = Math.min(1.08 * (impact + exploitability), 10); } return roundUp(baseScore); } function roundUp(score) { return Math.ceil(score * 10) / 10; } // Severity Rating Mapping function getSeverityRating(cvssScore) { if (cvssScore === 0) return 'NONE'; if (cvssScore >= 0.1 && cvssScore <= 3.9) return 'LOW'; if (cvssScore >= 4.0 && cvssScore <= 6.9) return 'MEDIUM'; if (cvssScore >= 7.0 && cvssScore <= 8.9) return 'HIGH'; if (cvssScore >= 9.0 && cvssScore <= 10.0) return 'CRITICAL'; } ``` ### 4.3 Temporal Score Metrics ```javascript function calculateTemporalScore(baseScore, temporal) { const exploitCodeMaturity = { 'NOT_DEFINED': 1.0, 'UNPROVEN': 0.91, 'PROOF_OF_CONCEPT': 0.94, 'FUNCTIONAL': 0.97, 'HIGH': 1.0 }; const remediationLevel = { 'NOT_DEFINED': 1.0, 'OFFICIAL_FIX': 0.95, 'TEMPORARY_FIX': 0.96, 'WORKAROUND': 0.97, 'UNAVAILABLE': 1.0 }; const reportConfidence = { 'NOT_DEFINED': 1.0, 'UNKNOWN': 0.92, 'REASONABLE': 0.96, 'CONFIRMED': 1.0 }; const temporalScore = baseScore * exploitCodeMaturity[temporal.E] * remediationLevel[temporal.RL] * reportConfidence[temporal.RC]; return roundUp(temporalScore); } ``` --- ## 5. Vulnerability Scanning Protocols ### 5.1 Scanning Types #### Static Application Security Testing (SAST) ```yaml sast_configuration: name: "Source Code Analysis" engines: - semgrep - sonarqube - checkmarx scan_settings: languages: - javascript - typescript - python - java - go rules: - owasp-top-10 - cwe-top-25 - custom-rules exclusions: - "node_modules/**" - "vendor/**" - "test/**" thresholds: critical: 0 high: 5 medium: 20 low: 50 integration: ci_cd: true pre_commit: true pull_request: true ``` #### Dynamic Application Security Testing (DAST) ```yaml dast_configuration: name: "Runtime Security Testing" engines: - owasp-zap - burp-suite - acunetix scan_settings: target_urls: - "https://app.example.com" - "https://api.example.com" authentication: type: "oauth2" credentials_vault: "hashicorp-vault" scan_policies: - sql-injection - xss-attacks - authentication-bypass - session-management - csrf spider_settings: max_depth: 10 max_duration: 3600 exclude_patterns: - "/logout" - "/delete" thresholds: critical: 0 high: 3 medium: 15 ``` #### Software Composition Analysis (SCA) ```yaml sca_configuration: name: "Dependency Vulnerability Scanning" engines: - snyk - dependabot - owasp-dependency-check scan_settings: package_managers: - npm - pip - maven - gradle - go-modules vulnerability_databases: - nvd - github-advisories - snyk-db - oss-index license_compliance: allowed: - MIT - Apache-2.0 - BSD-3-Clause forbidden: - GPL-3.0 - AGPL-3.0 remediation: auto_update: true create_pr: true security_only: true ``` ### 5.2 Scanning Schedule ```javascript const scanningSchedule = { // Continuous scanning for critical assets continuous: { targets: ['production-api', 'customer-portal'], frequency: 'realtime', triggers: ['code-commit', 'deployment', 'configuration-change'] }, // Daily scans for high-priority assets daily: { targets: ['all-production-systems'], frequency: 'daily', time: '02:00 UTC', types: ['SAST', 'SCA'] }, // Weekly comprehensive scans weekly: { targets: ['all-systems'], frequency: 'weekly', day: 'Sunday', time: '00:00 UTC', types: ['SAST', 'DAST', 'SCA', 'INFRASTRUCTURE'] }, // Monthly deep scans monthly: { targets: ['all-systems-and-infrastructure'], frequency: 'monthly', day: 1, time: '00:00 UTC', types: ['COMPREHENSIVE', 'PENETRATION_TEST'] }, // On-demand scans onDemand: { triggers: ['security-incident', 'new-cve', 'manual-request'], priorityEscalation: true } }; ``` --- ## 6. Risk Prioritization Framework ### 6.1 Risk Score Calculation ```javascript function calculateRiskScore(vulnerability) { const weights = { cvss: 0.35, // CVSS base score weight exploitability: 0.25, // Exploit availability weight assetCriticality: 0.20, // Asset importance weight businessImpact: 0.15, // Business impact weight complianceImpact: 0.05 // Compliance requirement weight }; // Normalize CVSS (0-10) to 0-100 const cvssScore = vulnerability.cvss.baseScore * 10; // Exploitability score (0-100) const exploitScore = calculateExploitabilityScore(vulnerability); // Asset criticality (0-100) const assetScore = getAssetCriticalityScore(vulnerability.affectedAssets); // Business impact (0-100) const businessScore = calculateBusinessImpact(vulnerability); // Compliance impact (0-100) const complianceScore = calculateComplianceImpact(vulnerability); // Calculate weighted risk score const riskScore = ( cvssScore * weights.cvss + exploitScore * weights.exploitability + assetScore * weights.assetCriticality + businessScore * weights.businessImpact + complianceScore * weights.complianceImpact ); return { score: Math.round(riskScore), rating: getRiskRating(riskScore), priority: getPriority(riskScore), sla: getSLA(riskScore) }; } function getRiskRating(score) { if (score >= 90) return 'CRITICAL'; if (score >= 70) return 'HIGH'; if (score >= 40) return 'MEDIUM'; if (score >= 20) return 'LOW'; return 'INFO'; } function getPriority(score) { if (score >= 90) return 'P0'; if (score >= 70) return 'P1'; if (score >= 40) return 'P2'; if (score >= 20) return 'P3'; return 'P4'; } function getSLA(score) { const slaHours = { 'P0': 24, // 1 day 'P1': 168, // 7 days 'P2': 720, // 30 days 'P3': 2160, // 90 days 'P4': 4320 // 180 days }; const priority = getPriority(score); return { priority: priority, hours: slaHours[priority], deadline: new Date(Date.now() + slaHours[priority] * 60 * 60 * 1000) }; } ``` ### 6.2 Prioritization Matrix | CVSS Score | Asset Criticality | Exploit Available | Priority | SLA | |------------|------------------|-------------------|----------|-----| | 9.0-10.0 | Critical | Yes | P0 | 24h | | 9.0-10.0 | Critical | No | P1 | 7d | | 9.0-10.0 | Medium/Low | Yes | P1 | 7d | | 7.0-8.9 | Critical | Yes | P1 | 7d | | 7.0-8.9 | Critical | No | P2 | 30d | | 7.0-8.9 | Medium | Yes | P2 | 30d | | 4.0-6.9 | Critical | Yes | P2 | 30d | | 4.0-6.9 | Medium/Low | Yes/No | P3 | 90d | | 0.1-3.9 | Any | Any | P4 | 180d| --- ## 7. CVE Database Integration ### 7.1 National Vulnerability Database (NVD) Integration ```javascript class NVDIntegration { constructor(apiKey) { this.baseUrl = 'https://services.nvd.nist.gov/rest/json/cves/2.0'; this.apiKey = apiKey; this.rateLimit = 50; // requests per 30 seconds with API key } async getCVEDetails(cveId) { const response = await this.makeRequest(`?cveId=${cveId}`); return this.parseCVEResponse(response); } async searchVulnerabilities(params) { const { keywordSearch, cvssV3Severity, lastModStartDate, lastModEndDate, resultsPerPage = 100 } = params; const queryParams = new URLSearchParams({ keywordSearch, cvssV3Severity, lastModStartDate, lastModEndDate, resultsPerPage }); return await this.makeRequest(`?${queryParams}`); } async syncLatestCVEs(since) { // Fetch CVEs modified since last sync const response = await this.searchVulnerabilities({ lastModStartDate: since.toISOString(), lastModEndDate: new Date().toISOString() }); return this.processCVEBatch(response.vulnerabilities); } parseCVEResponse(data) { const cve = data.vulnerabilities[0].cve; return { cveId: cve.id, description: cve.descriptions.find(d => d.lang === 'en').value, publishedDate: cve.published, lastModifiedDate: cve.lastModified, cvssV3: cve.metrics?.cvssMetricV31?.[0]?.cvssData, weaknesses: cve.weaknesses?.map(w => w.description[0].value), references: cve.references?.map(r => r.url), configurations: cve.configurations }; } } ``` ### 7.2 MITRE CVE Integration ```javascript class MITRECVEIntegration { constructor() { this.cveListUrl = 'https://cve.mitre.org/data/downloads/allitems.csv'; this.cweUrl = 'https://cwe.mitre.org/data/xml/cwec_latest.xml.zip'; } async syncCVEList() { // Download and parse CVE list const csvData = await this.downloadCVEList(); return this.parseCVEList(csvData); } async getCWEDetails(cweId) { // Fetch CWE (Common Weakness Enumeration) details return await this.queryCWE(cweId); } mapCVEtoCWE(cveId) { // Map CVE to related CWE categories return this.cveToC weMapping[cveId]; } } ``` --- ## 8. Implementation Guidelines ### 8.1 Initial Setup ```bash # 1. Install vulnerability scanning tools npm install -g @wia/vulnerability-scanner # 2. Configure scanner wia-vuln-scan init # 3. Set up CVE database sync wia-vuln-scan sync-cve-db --source nvd,mitre # 4. Configure asset inventory wia-vuln-scan assets add --config assets.yaml # 5. Run initial baseline scan wia-vuln-scan baseline --comprehensive ``` ### 8.2 Configuration Example ```yaml # vulnerability-assessment.yaml assessment: name: "Production Environment Vulnerability Assessment" version: "1.0.0" standard: "WIA-SEC-018" scanners: sast: enabled: true tools: [semgrep, sonarqube] schedule: "0 2 * * *" # Daily at 2 AM dast: enabled: true tools: [owasp-zap] schedule: "0 0 * * 0" # Weekly on Sunday sca: enabled: true tools: [snyk, dependabot] schedule: "@hourly" infrastructure: enabled: true tools: [nessus, openvas] schedule: "0 0 1 * *" # Monthly cve_sync: sources: - nvd - mitre - github-advisories frequency: "@hourly" risk_thresholds: critical: 0 high: 5 medium: 20 low: 50 notifications: email: - security-team@example.com slack: webhook: "https://hooks.slack.com/services/..." channels: ["#security-alerts"] pagerduty: service_key: "..." remediation: auto_ticket: true ticket_system: "jira" sla_enforcement: true verification_required: true ``` --- ## 9. API Specification ### 9.1 Vulnerability Scanning API ```typescript // Start vulnerability scan POST /api/v1/vulnerability/scan { "scanId": "SCAN-2025-001", "targetAssets": ["asset-id-1", "asset-id-2"], "scanType": "COMPREHENSIVE", "scanners": ["SAST", "DAST", "SCA"], "priority": "HIGH", "notifyOn": ["CRITICAL", "HIGH"] } // Get scan status GET /api/v1/vulnerability/scan/{scanId} // Get scan results GET /api/v1/vulnerability/scan/{scanId}/results // Get vulnerability details GET /api/v1/vulnerability/{vulnId} // Update vulnerability status PATCH /api/v1/vulnerability/{vulnId} { "status": "IN_REMEDIATION", "assignedTo": "security-team@example.com", "notes": "Patch scheduled for deployment" } // Get vulnerabilities by severity GET /api/v1/vulnerability?severity=CRITICAL&status=OPEN // Get risk dashboard GET /api/v1/vulnerability/dashboard ``` --- ## 10. Compliance and Reporting ### 10.1 Compliance Frameworks Support - **ISO 27001**: Information Security Management - **SOC 2**: Service Organization Control - **NIST CSF**: Cybersecurity Framework - **PCI DSS**: Payment Card Industry Data Security Standard - **HIPAA**: Health Insurance Portability and Accountability Act ### 10.2 Standard Reports 1. **Executive Summary Report** 2. **Technical Vulnerability Report** 3. **Compliance Status Report** 4. **Trend Analysis Report** 5. **SLA Compliance Report** 6. **Asset Risk Profile Report** --- **Document Version:** 1.0.0 **Last Updated:** 2025-12-25 **Next Review:** 2026-03-25 --- 弘益人間 (홍익인간) - Benefit All Humanity © 2025 SmileStory Inc. / WIA