WIA-SEC-018 Interactive Learning Environment
Standard data structures for vulnerability reporting and tracking.
{
"vulnerability": {
"id": "WIA-VULN-2025-0001",
"cveId": "CVE-2025-12345",
"cweId": "CWE-79",
"title": "Cross-Site Scripting (XSS) Vulnerability",
"description": "Reflected XSS vulnerability in user input fields",
"discoveryDate": "2025-12-25T10:30:00Z",
"severity": "HIGH",
"cvssScore": {
"version": "3.1",
"baseScore": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"affectedAssets": [
{
"assetId": "WEB-APP-001",
"assetName": "Customer Portal",
"component": "User Profile Form",
"version": "2.3.1",
"criticality": "HIGH"
}
],
"exploitability": {
"exploitAvailable": true,
"exploitMaturity": "FUNCTIONAL",
"exploitComplexity": "LOW",
"weaponized": false
},
"remediation": {
"status": "OPEN",
"priority": "P1",
"assignedTo": "security-team@example.com",
"dueDate": "2025-12-30T23:59:59Z",
"patchAvailable": true,
"workaround": "Input sanitization and output encoding",
"references": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-12345",
"https://owasp.org/www-community/attacks/xss/"
]
},
"riskAssessment": {
"businessImpact": "HIGH",
"dataAtRisk": "Customer PII",
"complianceImpact": ["GDPR", "SOC2"],
"financialImpact": "MEDIUM"
}
}
}
/**
 * CVSS v3.1 base score from a set of numeric metric weights.
 *
 * @param {{C: number, I: number, A: number, AV: number, AC: number,
 *          PR: number, UI: number, scope: string}} metrics - metric weights as
 *        defined by the CVSS v3.1 specification; `scope` is the string
 *        'UNCHANGED' or 'CHANGED'. The specification assigns different PR
 *        weights when scope is CHANGED, so the caller must pass the weight
 *        that matches the scope — nothing here re-derives it.
 * @returns {number} base score in [0, 10] after `roundUp` (not shown in this
 *          part of the file; expected to implement the spec's one-decimal
 *          round-up).
 */
function calculateCVSSScore(metrics) {
  const impactSubScore = calculateImpact(metrics);
  const exploitabilitySubScore = calculateExploitability(metrics);
  // The spec fixes the base score at 0 (no rounding) when impact is non-positive.
  if (impactSubScore <= 0) {
    return 0;
  }
  const scopeChanged = metrics.scope !== 'UNCHANGED';
  const combined = impactSubScore + exploitabilitySubScore;
  // Changed scope applies the 1.08 multiplier before capping at 10.
  const capped = Math.min(scopeChanged ? 1.08 * combined : combined, 10);
  return roundUp(capped);
}
/**
 * CVSS v3.1 impact sub-score.
 *
 * @param {{C: number, I: number, A: number, scope: string}} metrics -
 *        confidentiality / integrity / availability impact weights and scope.
 * @returns {number} impact sub-score. For scope CHANGED and an ISS of 0 the
 *          polynomial is negative; calculateCVSSScore treats any value <= 0
 *          as "no impact".
 */
function calculateImpact(metrics) {
  const { C, I, A, scope } = metrics;
  // ISS = 1 - [(1 - C) * (1 - I) * (1 - A)]
  const iss = 1 - (1 - C) * (1 - I) * (1 - A);
  if (scope === 'UNCHANGED') {
    return 6.42 * iss;
  }
  // Scope changed: the spec's polynomial form of the impact sub-score.
  return 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
}
/**
 * CVSS v3.1 exploitability sub-score: 8.22 x AV x AC x PR x UI.
 *
 * @param {{AV: number, AC: number, PR: number, UI: number}} metrics - attack
 *        vector, attack complexity, privileges required and user interaction
 *        weights, already converted to their numeric values.
 * @returns {number} exploitability sub-score.
 */
function calculateExploitability(metrics) {
  const { AV, AC, PR, UI } = metrics;
  const scale = 8.22;
  // Left-to-right product, same association as the spec formula.
  return scale * AV * AC * PR * UI;
}
// Risk Prioritization Algorithm
/**
 * Rank vulnerabilities by risk score, highest first.
 *
 * Each element of the result is a shallow copy of the input record with a
 * `riskScore` field added; neither the input array nor its objects are mutated.
 *
 * @param {object[]} vulnerabilities - records accepted by calculateRiskScore.
 * @returns {object[]} new array sorted by descending riskScore.
 */
function prioritizeVulnerabilities(vulnerabilities) {
  const scored = [];
  for (const vuln of vulnerabilities) {
    scored.push({ ...vuln, riskScore: calculateRiskScore(vuln) });
  }
  // Sort the fresh array in place; the caller's array is untouched.
  scored.sort((left, right) => right.riskScore - left.riskScore);
  return scored;
}
/**
 * Weighted risk score used by prioritizeVulnerabilities.
 *
 * Weights: CVSS 0.4, exploitability 0.3, asset criticality 0.2, compliance
 * impact 0.1 (sum 1.0).
 *
 * @param {{cvss: number, exploitability: number, assetCriticality: number,
 *          complianceImpact: number}} vulnerability - numeric factors. No
 *        validation is done: a missing factor multiplies to NaN.
 * @returns {number} weighted sum.
 */
function calculateRiskScore(vulnerability) {
  const weightedTerms = [
    vulnerability.cvss * 0.4,
    vulnerability.exploitability * 0.3,
    vulnerability.assetCriticality * 0.2,
    vulnerability.complianceImpact * 0.1,
  ];
  // Accumulated left to right from 0 so the float result equals a plain a+b+c+d.
  return weightedTerms.reduce((total, term) => total + term, 0);
}
╔═════════════════════════════════════════════════════════╗
║           Vulnerability Assessment Lifecycle            ║
╚═════════════════════════════════════════════════════════╝
1. DISCOVERY PHASE
┌─────────────────┐
│ Asset Discovery │ → Identify all systems, applications, networks
└────────┬────────┘
         │
┌────────▼────────┐
│ Scan Scheduling │ → Configure automated and manual scans
└────────┬────────┘
         │
┌────────▼────────┐
│ Vulnerability   │ → Execute scanning tools
│ Scanning        │   - Static Analysis (SAST)
└────────┬────────┘   - Dynamic Analysis (DAST)
         │            - Dependency Checking
         │            - Configuration Auditing
2. ANALYSIS PHASE
┌────────▼────────┐
│ Data Collection │ → Aggregate scan results
└────────┬────────┘
         │
┌────────▼────────┐
│ CVE Matching    │ → Match with vulnerability databases
└────────┬────────┘
         │
┌────────▼────────┐
│ False Positive  │ → Remove false positives
│ Filtering       │
└────────┬────────┘
         │
┌────────▼────────┐
│ CVSS Scoring    │ → Calculate severity scores
└────────┬────────┘
3. PRIORITIZATION PHASE
┌────────▼────────┐
│ Risk Assessment │ → Evaluate business impact
└────────┬────────┘
         │
┌────────▼────────┐
│ Exploit Check   │ → Verify exploit availability
└────────┬────────┘
         │
┌────────▼────────┐
│ Prioritization  │ → Rank by risk score
└────────┬────────┘
4. REMEDIATION PHASE
┌────────▼────────┐
│ Ticket Creation │ → Generate remediation tasks
└────────┬────────┘
         │
┌────────▼────────┐
│ Patch/Fix Apply │ → Implement security fixes
└────────┬────────┘
         │
┌────────▼────────┐
│ Verification    │ → Re-scan to confirm fix
└────────┬────────┘
         │
┌────────▼────────┐
│ Closure         │ → Close vulnerability record
└─────────────────┘
// Scan Request
POST /api/v1/vulnerability/scan
{
"scanId": "SCAN-2025-001",
"targetAssets": ["WEB-APP-001", "API-SRV-002"],
"scanType": "COMPREHENSIVE",
"scanners": ["SAST", "DAST", "SCA"],
"schedule": "IMMEDIATE",
"notifyOn": ["CRITICAL", "HIGH"]
}
// Scan Response
{
"scanId": "SCAN-2025-001",
"status": "RUNNING",
"startTime": "2025-12-25T10:00:00Z",
"estimatedCompletion": "2025-12-25T11:30:00Z",
"progress": 45.2,
"vulnerabilitiesFound": 12
}
// Vulnerability Report
{
"reportId": "VULN-REPORT-2025-001",
"scanId": "SCAN-2025-001",
"summary": {
"total": 12,
"critical": 1,
"high": 4,
"medium": 5,
"low": 2
},
"vulnerabilities": [...]
}
// NVD API Integration
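/**
 * Minimal client for the NVD CVE API 2.0.
 *
 * Every request carries the API key in the `apiKey` header, exactly as the
 * original did; what changed is how the URL is built and how errors surface.
 */
class NVDIntegration {
  /**
   * @param {string} apiKey - NVD API key sent with every request.
   */
  constructor(apiKey) {
    this.baseUrl = 'https://services.nvd.nist.gov/rest/json/cves/2.0';
    this.apiKey = apiKey;
  }

  /**
   * Build the request URL for a set of query parameters.
   *
   * Values are URL-encoded through URLSearchParams, so a caller-supplied id
   * containing `&` or `#` cannot append or truncate query parameters, and
   * `undefined`/`null` entries are dropped instead of being sent as the
   * literal string "undefined" (which the original did for every unset
   * search filter).
   *
   * @param {Object<string, (string|undefined|null)>} params - query parameters.
   * @returns {string} absolute URL.
   */
  buildRequestUrl(params) {
    const url = new URL(this.baseUrl);
    for (const [key, value] of Object.entries(params)) {
      if (value != null) {
        url.searchParams.set(key, String(value));
      }
    }
    return url.toString();
  }

  /**
   * GET the NVD API with the given query parameters and parse the JSON body.
   *
   * @param {Object<string, (string|undefined|null)>} params - query parameters.
   * @returns {Promise<object>} parsed response body.
   * @throws {Error} when the HTTP status is not 2xx; the original returned the
   *         error body as if it were a result.
   */
  async requestJson(params) {
    const response = await fetch(this.buildRequestUrl(params), {
      headers: {
        'apiKey': this.apiKey,
      },
    });
    if (!response.ok) {
      throw new Error(`NVD request failed: HTTP ${response.status}`);
    }
    return response.json();
  }

  /**
   * Fetch the record for a single CVE id.
   * @param {string} cveId - e.g. a "CVE-YYYY-NNNN" identifier.
   * @returns {Promise<object>} parsed NVD response.
   */
  async getCVEDetails(cveId) {
    return this.requestJson({ cveId });
  }

  /**
   * Search CVEs by keyword, CVSS v3 severity and last-modified window.
   * Any filter left undefined is omitted from the query.
   * @param {{keywordSearch?: string, cvssV3Severity?: string,
   *          lastModStartDate?: string, lastModEndDate?: string}} params
   * @returns {Promise<object>} parsed NVD response.
   */
  async searchVulnerabilities(params) {
    const {
      keywordSearch,
      cvssV3Severity,
      lastModStartDate,
      lastModEndDate
    } = params;
    return this.requestJson({
      keywordSearch,
      cvssV3Severity,
      lastModStartDate,
      lastModEndDate
    });
  }
}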
// SIEM Integration (Splunk)
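/**
 * Forward vulnerability records to a Splunk HTTP Event Collector (HEC).
 */
class SIEMIntegration {
  /**
   * @param {string} splunkUrl - base URL of the Splunk instance, without the
   *        collector path (it is appended here).
   * @param {string} token - HEC token, sent as `Authorization: Splunk <token>`.
   */
  constructor(splunkUrl, token) {
    this.splunkUrl = splunkUrl;
    this.token = token;
  }

  /**
   * Build the HEC envelope for one vulnerability.
   *
   * `sourcetype` is HEC metadata and is read from the top level of the
   * envelope, beside `event`; the original placed it only inside `event`,
   * where it is just another event field. It is kept inside `event` as well
   * so existing searches on that field keep working. A record that carries
   * its own `sourcetype` key still overrides the inner one, as before.
   *
   * @param {object} vulnerability - record to index.
   * @returns {{sourcetype: string, event: object}} HEC payload.
   */
  buildEventPayload(vulnerability) {
    return {
      sourcetype: 'vulnerability',
      event: {
        sourcetype: 'vulnerability',
        ...vulnerability
      }
    };
  }

  /**
   * POST one vulnerability to the HEC event endpoint.
   *
   * @param {object} vulnerability - record to index.
   * @returns {Promise<void>}
   * @throws {Error} when HEC answers with a non-2xx status; the original
   *         discarded the response, so a rejected event looked like success.
   */
  async sendVulnerabilityEvent(vulnerability) {
    const response = await fetch(
      `${this.splunkUrl}/services/collector/event`,
      {
        method: 'POST',
        headers: {
          'Authorization': `Splunk ${this.token}`,
          'Content-Type': 'application/json'
        },
        body: JSON.stringify(this.buildEventPayload(vulnerability))
      }
    );
    if (!response.ok) {
      throw new Error(`Splunk HEC rejected event: HTTP ${response.status}`);
    }
  }
}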
// Ticketing System Integration (Jira)
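/**
 * Create Jira issues for vulnerabilities in project SEC.
 */
class JiraIntegration {
  /**
   * @param {{createIssue: function(object): Promise<object>}} jiraClient -
   *        client exposing `createIssue(issue)`. The original never assigned
   *        `this.jiraClient`, so every createVulnerabilityTicket call threw a
   *        TypeError.
   */
  constructor(jiraClient) {
    this.jiraClient = jiraClient;
  }

  /**
   * Create one ticket for a vulnerability.
   *
   * @param {{title: string, description: string, severity: string,
   *          cveId?: string, cvssScore?: *}} vulnerability - record to file.
   * @returns {Promise<object>} whatever jiraClient.createIssue resolves with.
   */
  async createVulnerabilityTicket(vulnerability) {
    const ticket = {
      fields: {
        project: { key: 'SEC' },
        summary: vulnerability.title,
        description: vulnerability.description,
        issuetype: { name: 'Security Vulnerability' },
        priority: this.mapSeverityToPriority(vulnerability.severity),
        // An undefined cveId would be serialised as `null` inside the labels
        // array, so only include it when present.
        labels: ['vulnerability', vulnerability.cveId].filter((label) => label != null),
        // NOTE(review): Jira custom field ids are normally of the form
        // customfield_<number>; confirm this key against the target instance.
        customfield_cvss: vulnerability.cvssScore
      }
    };
    return this.jiraClient.createIssue(ticket);
  }

  /**
   * Map a severity label to a Jira priority object.
   *
   * @param {string} severity - one of CRITICAL, HIGH, MEDIUM, LOW.
   * @returns {{name: string}|undefined} undefined for unknown severities; an
   *          undefined `priority` is omitted by JSON.stringify, leaving the
   *          project default.
   */
  mapSeverityToPriority(severity) {
    const mapping = {
      'CRITICAL': { name: 'Highest' },
      'HIGH': { name: 'High' },
      'MEDIUM': { name: 'Medium' },
      'LOW': { name: 'Low' }
    };
    // Own-property lookup so inherited names ('constructor', ...) never map.
    return Object.prototype.hasOwnProperty.call(mapping, severity)
      ? mapping[severity]
      : undefined;
  }
}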
// CI/CD Pipeline Integration (GitHub Actions)
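name: Security Vulnerability Scan

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # nightly at 02:00 UTC (GitHub Actions cron runs in UTC)

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: `@v3` and especially `@main` are mutable references.
      # Pin each third-party action to a full commit SHA so a force-pushed or
      # compromised upstream cannot change what runs in this job.
      - uses: actions/checkout@v3

      - name: Run Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: 'my-app'
          path: '.'
          format: 'JSON'

      - name: Run SAST Scan
        run: |
          npm install -g semgrep
          semgrep --config=auto --json > sast-results.json

      - name: Upload to WIA-SEC-018
        # The secret is exposed to the script through `env` instead of being
        # interpolated into the shell text, and `--fail` turns an HTTP 4xx/5xx
        # from the API into a failed step instead of a silently ignored one.
        # NOTE(review): confirm the report filename matches what the
        # Dependency-Check action writes for `format: 'JSON'`.
        env:
          WIA_API_KEY: ${{ secrets.WIA_API_KEY }}
        run: |
          curl --fail --silent --show-error -X POST https://api.wia-sec-018.io/v1/scans \
            -H "Authorization: Bearer ${WIA_API_KEY}" \
            -F "dependencyCheck=@dependency-check-report.json" \
            -F "sastResults=@sast-results.json"

      - name: Check Vulnerability Threshold
        # Fails the workflow when the configured maxima are exceeded.
        run: |
          python scripts/check-vuln-threshold.py \
            --critical-max 0 \
            --high-max 2 \
            --fail-on-violation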
{
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://wia.org/credentials/vulnerability/v1"
],
"id": "https://wia.org/credentials/vulnerability/cert-001",
"type": ["VerifiableCredential", "VulnerabilityAssessmentCertificate"],
"issuer": {
"id": "did:wia:security-team:12345",
"name": "WIA Security Assessment Team"
},
"issuanceDate": "2025-12-25T10:00:00Z",
"expirationDate": "2026-01-25T10:00:00Z",
"credentialSubject": {
"id": "did:wia:asset:web-app-001",
"assetName": "Customer Portal",
"assessmentType": "Comprehensive Vulnerability Assessment",
"assessmentDate": "2025-12-25",
"assessmentResults": {
"totalVulnerabilities": 12,
"criticalCount": 0,
"highCount": 2,
"mediumCount": 7,
"lowCount": 3,
"remediationStatus": "IN_PROGRESS",
"complianceStatus": "COMPLIANT",
"nextAssessmentDue": "2026-01-25"
},
"certification": {
"standard": "WIA-SEC-018",
"version": "1.0",
"certificationLevel": "SILVER"
}
},
"proof": {
"type": "Ed25519Signature2020",
"created": "2025-12-25T10:00:00Z",
"verificationMethod": "did:wia:security-team:12345#key-1",
"proofPurpose": "assertionMethod",
"proofValue": "z3FXQjecWRUyeKGu...base58-encoded-signature"
}
}
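/**
 * Verify a W3C-style Verifiable Credential for a vulnerability assessment.
 *
 * Checks, in order: document structure, issuer DID resolution, the
 * cryptographic proof, the validity period, and the on-chain anchor. Every
 * failure throws, so a caller can never mistake a partially verified
 * credential for a valid one.
 *
 * @param {object} credential - credential document with `@context`, `issuer`,
 *        `credentialSubject`, `proof`, `expirationDate` and (optionally)
 *        `issuanceDate`.
 * @returns {Promise<{valid: true, issuer: string, subject: string,
 *          assessmentResults: object}>}
 * @throws {Error} on any verification failure.
 */
async function verifyVulnerabilityCredential(credential) {
  // Step 1: structure. `proof` and `issuer.id` are required here because the
  // later steps dereference them; the original checked only `@context` and
  // `credentialSubject`, so a credential without a proof failed with a
  // TypeError instead of a verification error.
  if (
    !credential ||
    !credential['@context'] ||
    !credential.credentialSubject ||
    !credential.proof ||
    !credential.issuer ||
    !credential.issuer.id
  ) {
    throw new Error('Invalid credential structure');
  }
  // Step 2: the issuer DID must resolve.
  const issuer = await resolveIssuerDID(credential.issuer.id);
  if (!issuer) {
    throw new Error('Invalid issuer');
  }
  // Step 3: cryptographic proof. NOTE(review): verifyProof is defined
  // elsewhere; confirm it also checks that proof.verificationMethod belongs to
  // the resolved issuer, otherwise a credential signed with any key would pass.
  const isValid = await verifyProof(
    credential,
    credential.proof
  );
  if (!isValid) {
    throw new Error('Invalid cryptographic signature');
  }
  // Step 4: validity period. `new Date(undefined)` and `new Date('garbage')`
  // produce an Invalid Date whose comparisons are always false, so the original
  // accepted a credential with a missing or malformed expirationDate as never
  // expiring. Dates are parsed through a helper that rejects that case.
  const now = new Date();
  const expirationDate = parseCredentialDate(credential.expirationDate, 'expirationDate');
  if (now > expirationDate) {
    throw new Error('Credential expired');
  }
  if (credential.issuanceDate !== undefined) {
    const issuanceDate = parseCredentialDate(credential.issuanceDate, 'issuanceDate');
    if (issuanceDate > now) {
      throw new Error('Credential not yet valid');
    }
  }
  // Step 5: on-chain anchor. "No record" and "record differs" are reported
  // separately so an operator can tell a missing anchor from a mismatch.
  const onChainRecord = await getBlockchainRecord(credential.id);
  if (!onChainRecord) {
    throw new Error('Credential not found on blockchain');
  }
  // NOTE(review): the stored `hash` is compared with proof.proofValue, as the
  // original did; confirm the anchoring service stores the proof value rather
  // than a digest of the credential document.
  if (onChainRecord.hash !== credential.proof.proofValue) {
    throw new Error('Credential does not match blockchain record');
  }
  return {
    valid: true,
    issuer: issuer.name,
    subject: credential.credentialSubject.assetName,
    assessmentResults: credential.credentialSubject.assessmentResults
  };
}

/**
 * Parse a timestamp from a credential, rejecting missing or unparseable
 * values instead of silently producing an Invalid Date.
 *
 * @param {string} value - ISO-8601 timestamp as carried in the credential.
 * @param {string} fieldName - field name used in the error message.
 * @returns {Date}
 * @throws {Error} when the value does not parse to a valid date.
 */
function parseCredentialDate(value, fieldName) {
  const parsed = new Date(value);
  if (Number.isNaN(parsed.getTime())) {
    throw new Error(`Invalid credential ${fieldName}`);
  }
  return parsed;
}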