Programming – Counterintuitive remediation cost scale within the SEI CERT Coding Guidelines for priority


The SEI CERT coding guidelines assign a priority to each rule, formed from the product of three factors: severity, probability and cost of remediation. Each of these three factors is assigned a value of 1-3, and the highest priority formed by that product is 27.

While gravity and probability correspond to my intuition (assigning a 3 to very serious consequences and a 3 to a probable vulnerability), I find that the scale of value for remediation is counterintuitive. A remediation value of 3 is described as the most cheap rule to apply; allowing the use of automatic detection and automatic correction. However, this would correspond to a 27 (3x3x3): that is, the higher possible priority Surely the highest and most likely rule, which also has the highest cost to comply, must be assigned the highest priority? After all, the cost may correspond to the time when staffing levels are low.

The relevant section of the SEI CERT Coding Guidlines wiki is here.