National DefenseCommerce

Software Security Knowledge:Software Security Knowledge:Training

Robert A. MartinSean Barnum

May 2011

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE MAY 2011 2. REPORT TYPE

3. DATES COVERED 00-00-2011 to 00-00-2011

4. TITLE AND SUBTITLE Software Security Knowledge: Training

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Mitre Corporation,202 Burlington Rd,Bedford,MA,01730-1420

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited

13. SUPPLEMENTARY NOTES Presented at the 23rd Systems and Software Technology Conference (SSTC), 16-19 May 2011, Salt LakeCity, UT. Sponsored in part by the USAF. U.S. Government or Federal Rights License

14. ABSTRACT

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as

Report (SAR)

18. NUMBEROF PAGES

28

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Agenda

8:00-8:45am Software Security Knowledge about Applications WeaknessesApplications Weaknesses

9:00-9:45am Software Security Knowledge about Attack Patterns Against ApplicationsTraining in Software Security

10:15-11:00am Software Security Practice11:15-12:00am Supporting Capabilities

Assurance CasesSecure Development & Secure Operations

© 2011 MITRE

CWE is Meant for People to Use

© 2011 MITRE

Security Measurable~

CWE Version 1.4

Edited by: Steven M. Christey, Conor 0 . Harris, and Janis E. Kenderdine

Project Lead: Robert A. Martin

MITRE

I I

I I

CWE Vernlon 1.4

f lfbiH ol CAJnlmrbr

................................ I ............................. I

.... 1 I

.......................... 2 ............. 3

................................ 4

................................. I 8 9

10 .......................... .... 12 ............................... 13

........ 13 13

... ............................ 14

····························· 14

" :>? ?<

............... 26 .... 27

?7 ?8

......... 29 ........................... 31

.......... 32 33 3<

····•················•·· ....• 30 ............................... 36

97 38 39

............................... 40 ..... 41

<? ...................... 43

.............................. 45 ............... ~

•s 4G . 7

.... 47

... 48 49 49

••••••••••••••••••••••••••• !>()

............. so 51

... 5 1 ~2 ~.:J

53

Ill

~ .. rY iD 2. 0 g lit a "'

T

CWE VenUon 1.4

CWE· 1: LOCGII<NI

roduccd during the

"' P:~~ge

6119 , 6119 1.1 61111 13 6119 /19:,

nmenlal

'8 Page 6QQ I 61111 1

~700 ? 700 3 700 4 700 s

" 700 8

700 7 700 8

"'• 700 9 699 tO 700 6119 12 6119 46& 6119 S60 6119 64.9 700 696

s

nmcntal conditions

w Page 800 1 6119 1 6fll/ 540

0 =: ~ ,... 0 n ~ g

C:W E Vero(on 1.4

/um ('SOl lnj«:llon?

es. limlnntc the SOL

II" boxes, the lion user has the

database.

First ol all, the n SOL II a user ~may bypass dala I command ble to aHer the possibly accessri!J slropl1eare programmer may

rcvcnt any data I

IO'w.l$0L i11joc:.110fl

r1y encOOed output. sc Java Beans •

ionbelween g, encoding. and Xlbllity at every

ored procedures. n<J. Oo nol .xec"orsirnitar

103

CWE Verclon 1 .4 lllcJ(IX

C WE Vcroion 1.4

Index 1 craar~ers.am "·--· pllelte ldentmet. G92

101 AulhOn.Lat!On 19 lf1lUT Output (FlO),

h 10 [)(1("(:t NULL PointL<t 0 EnYirOI"'Inefli (ENV),

I ~IS(SIG), 1'48 ""Y Autho.-bon. 33ol 2- (UOI tlan<llng (CRR). :.stze. '192

610 9-Miloellneous (MSC), • . :nl

fo · POSIX (POS), 738 -ttm.~ Mannt"',

(')

=: ... rr foono ('lo'On.;n-..,.,.mc~.

Algwnenl, ~

0> po.r....- . 592 ~ ., 9 !!. c ~r'ISoo EuOtS. 200 liOn, 319

"""· 336 a ~ tntormatkX'I. 342

0 r Skit Sret;unty, :.Me P..,. G5o "D ~0. 578

<0 " · 287 "' ~ (', 2 11

r-""""-:6 ~-OIIOCIOI)'. 500 >10

~;. , ~

514 , lrn,.~ltd OI~

r EnT C &.-am: COdiny 0 !Mcdt'lcotion0f$c."'alllty· :; <:: Q. TC. G20

"' ar eunM. 10 "' (?004). /HI :; -< " (2007). 619 c. ~ 7C2 "c. 652 ~ 2

nc-, GS3

n nJcv'.a.. 655

c IOfS), 247 ~·IP, G57

<D • 39G Top25 Most

139 ...., '"91, 606 (/) ~~lall0n, f03 0 !CtOf"/ wnn lnconea r reclot'IH. G21

= :; llSi"~.IIC P\.'frM'SionS, ~-- "" cs· !l.

... ...... .,.. 521 o· .=, 750

\lb<Jn lellk. 2U ~·· "" .,_ 373

Oullfl9~

"'*"''· 107 • klj<."dion), 611

F-<W>n-424 Cxoop!IOII. 425

ot. 487 1

I TOning Ch<lllrM.'t. 539

827

833

16 July 2010

© 2011 MITRE

c . c . a PI I a s I

Cyb~ ~e ec ity cJ 1 • ca Pr ofici cy , a tt ~ · s

A h ite ~ pe r of the CSIS Commission on Cybersecurity ·for the th Presidency

A compl·ete bo·dy ~of kno~wledge coverin.g th.e entire field of softwar~e enginee~ri.ng may be years away. Ho:wever, tl1e body of knowledge ne~eded by professionals to cr~eate software free of common and critica s~ecurity flaws has been d.~eveloped, vetted W'id.ely and kept up to date. That is the foundatio~n for a certification program in software assurance that can gai'n wide .adoptiont It was created in. late 2008 by a conso·rtium ofn.,ational exp~erts., sp~o~nsored by DHS and NSA, .a.nd was updated in late 20 09. It contains r,anked lists of the most com:mon errors, e~xplanations of why the

~errors are dangerous, example·s of those errors in multi.ple lan.guages, and ways of ~eliminating those erro~rs. It can be found at http:ffcwe.mitre.org/top25.

Any programmer who writes C'Ode \r-Vith~out betng aware of those proble~ms a·nd is not capable ~of writing· c·od.e free of those errors is a threat to hi.s or her employers and to others who use computers con,necte·d to systems running his or her software.

© 2011 MITRE

The Celtlfled Secure Software Llfecycle Professfonal (CSSLP) Certfficabon Program Vv'l ll show software llfecycle stakeholders not only how to Implement security, but how to gJean security requirements, design. architect, test and deploy secure software.

An Overview of the Steps:

(IS C)' ® 5-day CSSLP CB~ Education Program Educate yourself and leam security best practices and Industry standards for the software llfecycle through the CSSLP Education Program.(lscr provides education your way to fit your life and schedule.Completlng this course will, not only teach all of the

u ...... , ...... , a security plan across your

~bnps://Wftw.I!Cllr!codl~.c!rt.org/connu!IK!/dlsp~y/cplusplus/MSCOO-<:PP.;Com~l!+d!in~titthlgbfltimkl;tl!'l!k

c 1'.1"1"-'

IISCGOtPP. Com~ it dtMiy Ill high Wlllllng I Mit

THE CERT®C SECURE CODING

=~~010tt0t,IOOI~IIICWCOH~ll1

~·COiillllijltoi~9'*11lfiii!IMIMiiilir!Mit'illitlliMWoi'IIJO!trmli!JIIII"'IIil,

ittntlltiCII U!Oij!C!m tmii«<OIIIIJ

I A~~..,lhil~~~~~ .. ~"'""'<-l/lrlllii~.,-$..1P.ft-II•,...-.:•"''~MI"'II!II"""'"'"'""'-'....,r/llfl"""'"'""''liii!II,Mti!NM!Mrl* ~,.-~ .. ~-~iliiiiiiii(.!WUI'I.-1«11 ~ ~ -

• • •

••

• • •

•

STANDARD liilllfli'41Wo1J"'lll!i'INI!MOI, Milllt4 daj'IOitC l"ii~itti ol ;i!\ill(lllfl I filiCic • <0\llrlN liOIIIOil

R OBERT

(ISOIIEC 9899:1999] Section 5.1.1.3, "Diagnostics'' [MITRE 07] CWE ID 563, "Unused Variable"; CWE ID 5ZQ, "Expression is Always Fa lse"; ewE ID 571, "Expression is Always True" [Sutter Q5] Item 1 (Seac.ord 05a) Chapter 8, "Recommended Practices"

© 2011 MITRE

·lot•~rr..-n -,.m....,

l•dl.boi!U..,b~

N-.cttetA_ , _ wt lt-t&T_.., ... ,....~ ·~

,., ..... k> ... ,.,....;(._! ... b'o• u-... .. t,)~.....,,,_,~.,. .. ~1---'--

_,."'ltlt.c...,••"' •WI' .....,....,.. ..... _...,.__, lrltrl9rlk.-b ..... ltllf __ f o,.,._,,_ ._.,,_

.. __ Ulo.-..~""' ('_,.,.t._ .... _.,..,t~-( ..... • ..._.-w,_,.., ...... \.4'""

u..,.,,,'""'"-nr••• ~.r .. u m '" uo lll!ilfllfl'A'Uilrl '•nul

...

I Web Problems f .. t.rtl; ~rrlutlHJ !.~'3U\I;;II" HT1t'"-•..,.,

HT'P' Bnrcn~• ~plftJ'I11

h,UIUdtlf l l l lrJ'I'I<Ihlf .~lo4'TT' J.a!"i:p ... lh Kff' t • ...-t~"'C"''"I

"r'l .. l ~N11UIIU rt.-nll' ~fOI rr_. \.:flli tMJ ~ IU

L~'''"{r.i"Mt•••-~ Lit\ '•''''"" ~~n~ur n... .......

hlllilf-fiC:...Nt~l~~,.,.... .... lil.ttlk~t..._.,N.n-...-. .. ._....,.. ...... .__,........_.._ tn~atlldrt

~-.......... ~ . ...._. ...... '" ............ . .... .,.tlloi'Sor ...... ,., ......... t<llit_...,_C" ............ ..... .... ~oran:,...~~ll:rW' ............. ""'........,~~s--."911 .. .._ .... .-. ....... _ .... __ ~_..._

• ...._....._ ____ ._. .................... nr ........ . ........ NII: .... •M,.•11tlof • .,"J't.,...,... .. ~,•tbo••••JI•!"' .... IIi

~ttp;Nr- rm,..wtJcltt- dtkt~..,,... ,,, .. ,.,_"'

SANS MITRE •

lbWJT.,UC\'fCou>u u~s mp:nun CWk

.eq-.~,--t_,

. . .. ..., ......... ("'If'~· ...... ...

,,.,......., ......... ,~ ... ~ ...... ,. . . ..... h h 1' ... ,,.,_, ..... .

IndustryUptakeUptake

CWE

© 2011 MITRE

CAPEC

© 2011 MITRE

The Securilty Developrnen• Lifecyc:le MS0&-078 .and tl>e

a hup: /lblogs.rnsd n .corn/ sd l /archlvel2006/ 12118/rns08~07 8 -and -lhe-sd l .a.spx

Recenrt: Posts

.foCSIOI!t.-0:7 and 'the SOL

An~ng CAT-NET C"TP •ndl A...naDCSS v3-

SDL-

a u.H.t SD L. s...lor'w W....P""'UIIP

Secure Coding s..cr-?

~ er......a c:::ra:v.rl \Nalk Run

Pr;""<:V SDL SOL Pro N"""""'"'

Securi~ Assuranoe Secur ity BOioc­SDL threat rnocleJing

Blogroll

............ ~ &rleft.....a-

n- Ml<::l-.-.ft ~ ---c.r.­M~I HOO'W'•rd'• 'Web Log

rt. o.oa Prtvac:v llrn __..,.. Security vua ...... bJTlty -rdh • ..__ .,....., ~Code ................ ._

MSRC ~.._.,, Slbatesnr T--rn

Books I Papers I G 'uidance

T1w 5ecurfty D--poment Lnecyde (H.,_.rd and Llpner)

p~ Guktoa ,_-Develop(ng -. .. P..-.co:.and~

M~-~ ..... -I.Hecyde (SOL) - Porta1

.... ~-..-..... -urec:ya. {SOL)- p...,._ ~no:. (-eb)

s.o,_..,ber 2008{5)

----{2)

~uty2008{8)

.»...-2008(4)

MSOB-078 and ~e SDL IAAAAAI

Hl, Mlcbael here.

Bwery bug is an ~ty to lea"'- and the security update that Fooed the dlat:a binding bug ·lhart a ffected Internet: ~r lll5ei'S is no eJGCe:pt:ion..

·n.e Conwnon V u lnerabilities and Exposur'cs (CVE) entry fo.- t hois bug i s CYE-2~-

~ore I ~ started.,. I want: t:o e:Mplain the goa Is OJf l.1'le 'SDtL i!llnd tfle sec:JL..W'ity ........::>rk hel'le at MCI"'OSSft:. Tbe: SDL. is desig:ned as a rnulti>-laryerred proces.:s.to hel p ~IIY reduce: seourity<tJUIInerabili ties; i f one: con-tpOnent ot the SOLpcooess fai l.s to~ o.r e21td> a bug. tnen SOf"I"W> other~ shoutld ~ o.- e21td> ll:he bug. ""J"h.e SOL. also ma::nda.t:e:s l:he I!.JtSe of" :sea...-ity defenses .....nose i r.npad .....,;u be: reflec:tect in the '"n"ti:tigat:ions• section of a sea."ity bulletin, because w.e knotN tbat no ~re devel~ pn:x:e:ss 'tol'Wi ll catch a ll sea..rrity bugs_ .As rw.oe- ha·~ sai d lf'Tlar'Jflytirne:s ... Hlegoal of. the SOL is ·to ""R.ed':uoe vulne:.-a'bilit::ie:s., a nd ..-eduoet:Jh.e ~rity of .......t-.i>t"s missed.-

I n this post, I 'Milant. t:of'OCI.JIS on the SOL- required code· analysis., code revieYhr., fuz:zing and CltCXTlpiler and operating systen> def'enses and hooY they· Fared!.

The bug t~Nas a n j.f"W'',0Jfdl pointer derel"erenoe in ~When die c::ode: handl es data bindi ng. Jt,Ats: i mportant to point: out: ;that ·ttlere ios no heap ~jon andl l:he.re i s no heap-based buff erovern.Jn.fl

When data binding i s . used., .IE creates a n object 'Yot'hich contains a n array ol da·ta binding ~~ In the c:xxie in question,. 'When a data bindi ng object: i s released., t:he a r ray l e.ngt:!h i.s nol:: C'OIT'ectly updated leadi ng to a f'unction call into f reed IJ"llleennrV-

'The ....,.._,..nera~e code llooks..a little l i lloe: 'this (by the wary. t lhe real array name: is _ar,P'Xfe~ ... but. !I r .g:ured A~fObjed:sFR>n'IIE i s a l i ltie rTIO<'e ldescript:;Ne fcx people I'IOC in the ]nlte~ E>cplloorer team.)

i.niL M!ax::rdx ·- A.r:rayOfOb j ec:t•-P :ro:!IIIIIE . S:i.:ze ( ) -:1. ~

.fo r t :i.:n t. ::i.-0 r .:i. <-- Ma...x.Xdx; :i.•+, ·(

c:-ont.inu..e;

Ar .ra.y O :fO b _ject•P :ro=---I E ( :i.. J - > ? r an a £er.E"ro:m.Scn .:a:rce C j ;

}

1-ite:ft!:~ ~ lthe:Vl.lllne:r.a'bility manifests itself: i"f there are ·tv«> data 'l:ransl"ers 'Wi"t:h thc: same: i denl::ifier ( so Ma>otdx is 2 ), and the fi rst: transfe" updates the l e.ngt:!h d the Arr.oyC)EObjec:l:sFn:wni:E anav -'>en its v.oo<t< -as done and ,...,...,..,..,. fts data binding objec±. ·the I~ count: woould still be Wh;a~ Mivddx was a t: the st..rt d the 2 .

O lX :Stirtic ana lysis t:ools don"t find this because t:he t:ooils 1NOt.JIId need t o ...-.derstand l:he rre-enb'ant na'b.we of the code.

FuzzT:esdng

OWASP Top Ten 2007 & 2010 use CWE refs

© 2011 MITRE

OWASP TOP 10

THE TEN MOST C Our methodology for the Top 10 2007was simple: take the MITRE Vulnerability Trends for 1006, and d istill the Top

APPLICATION S 10 web opplicotlon security issues. The ranked results are as follows:

30.00%

2007 UPDATE 25.00%

20.00%

15.00%

Cl 100:Z~Z007 OWASI' f-o!H!Oi7tion

10.00%

5.00%

0 .00% -. ~ ~ t~ ~ c:"Co

~ ... .Y u: c G.l _QCt:CI'

,2CC · ·= :2 .,S! !!:!~ 4!0\ e~~~ ... c. Q,j

Ll.. ::> .... 0~ - ... __ ...,rae~C' ·~ olD 011

c: .2::0 ~~:i ~~ .. - ~~~(J u- ~ E g-~ :g ~ 8'o .Q ~~ !!:!~ "'""'VI ecv.~

! =a: ~~~ 0 .lC 2 "' co 4.1~ c c -~ .. w ~~ c: ~ g..C. fie:" - ~ ~~~ 2: u= ;"'e 0 c ..,~ Z' --~~ - c.E' -o a:

Making Security

Measurable·

Fil1ure 2: MITRE data on Top 10 -b appDc:ati~m vulnerablotles fgr '1006

Ill li .!.!§ ... ., ~a= ii:c =>f!!~ ........ ~ g; c""

-~~~ =E.E (2Ci! - ~E ,-'!;:) ... o

~ u

© 2011 MITRE

" 1'11 " Code Review Introduction - OW ASP

8):::~} @ ® m Gt ( http://www.owasp.org/index.php/Cocle_Review_lntroductlon i1 <CJ T) ftl { OWASP

I Done

Log in

OW ASP L_ ______________ __J~ ( search )

The Open Web Application Security Project

Navigation

• Home • News

OWASP Projects Downloads

Local Chapters Global Committees

AppSec Job Board AppSec Conferences

• Presentations • Video I Press I Get OWASP Books

I Get OW ASP Gear 1 Mailing lists

About OWASP Membership

Reference

1 HowTo ...

1 Principles Threat Agents

Attacks Vulnerabilities

1 Controls • Actlv1tles 1 Technologies 1 Glossary 1 Code Snippets 1 .NET Project

1 Java Project

Language

I English

1 Espaiiol

Code Review Introduction

««Code Review Guide History ..

Contents (hid~]

1 Introduction

1.1 Why Does Code Have Vulnerabilities?

1.2 What is Security Code Review?

Introduction

Page Discussion VIew source History

Main (Table of Contents) ••Preparation»>

Code review is probably the single·most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort.

This guide does not prescribe a process for performing a security code review. Rather, this guide focuses on the mechanics of rev•ewlng code for certain vulnerabilities, and provides limited guidance on how the effort should be structured and executed. OW ASP intends to develop a more detailed process in a future version of this guide.

Manual security code review provides insight into the "real risk" associated with insecure code. This is the single most important value from a manual approach. A human reviewer can understand the

context for certain coding practices, and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach.

Why Does Code Have Vulnerabilities? MITRE has catalogued almost 700 different kinds of software weaknesses in their CWE project. These are all different ways that software developers can make mistakes that lead to insecurity. Every one

of these weaknesses is subtle and many are seriously tricky. Software developers are not taught about these weaknesses in school and most do not receive any training on the job about these problems.

These problems have become so important in recent years because we continue to increase connectivity and to add technologies and protocols at a shocking rate. Our ability to invent technology has seriously outstripped our ability to secure it. Many of the technologies in use today simply have not received any security scrutiny.

Ther~ are many reasons why busin~ss~s are not spending the appropriate amount of time on security. Ultimately, these reasons stem from an underlying problem in the software market. B~cause

software is essentially a black·box, it is extremely difficult to tell the difference between ~ood code and insecure code. Without this visibility, buyers won't pay more for secure code, and vendors would be foolish to spend extra effort to produce secure code.

One goal for this project is to help software buyers gain visibility into the security of software and start to effect change in the software market.

Nevertheless, we still frequently get pushback when we advocate for security code revieV\, Here are some of the (unjustified) excuses that we hear for not putting more effort into security :

•we never get hacked (that I know of), we don't need security•

0

•

Some High-Level CWEs Are Now Part of the NVD CVE Information

NVD XML feeds Calso include CWE

NIST Special Publications:SP500-268 CWESP500-269 CWESP500 269 CWESP800-53a CVE, OVAL, CWESP800-115 CVE, CCE, CVSS, CWE

NIST I t R tNIST Interagency Reports:NISTIR-7435 CVE, CVSS, CWENISTIR-7628 CVE, CWE

Idaho National Labs SCADA Report

© 2011 MITRE

NSTB Assessments Summary Report:

fHU£XT. , 0.. ,.,.~

Common Industrial Control System Cyber Security Weaknesses

May2010

TB ® '

SECURE CONTROL SYSTEM/ENTERPRISE A RCHITECT RE

........,<·$ ...... Palnb

g , , .. ..._

Level 4 Enterprise Systems: Business Planning and Logistics I Engineering Systems

Level3 Operations Management: System Management I Supervisory Control

Leve l 2 Supervisory Control Equipment: Supervisory Control Functions I Site Monitoring and Local Display

Level1 Control Equipment: Protection and Local Control D evices

LeveiO Equipment Under Control: Sensors and Actuators

ICCP Server OPC ServBf Information Server Applicabon Server

© 2011 MITRE

Table 27. Most common pro 1in Y errors found in ICS code.

Weakness Classification Vulnerability Type

CWE-il9: Data Handling CWE-228: Im¥ ... "'Y'"'r Handling of Syntactically ilnvalid Structure CWE-229: Improper Handling ofValues

CWE-230: lmDroDer Handling ofMissine: Values CWE-20: l.rnpro~>er Input Validation

CWE-116: Improper Encoding or Escaping ol Output

CWE-195: Signed to Unsigned Conversion Error CWE-198: Use oflncorrect Byte Ordering

CWE-il 19: Failure to Constrain CWE- 120: Buffer Copy without Ch.eck:ing Size of Input c·classic Operations within the Bounds of a Buffer Overflow") Memory Buffer CWE-121: Stack-based Buffer Overflow

CWE- 122: Heap-based Buffer Overflow

CWE-125: Out-of-bounds Read

CWE-129: er Validation of Array Index CWE-131: Incorrect Calculation of Buffer Size CWE-170: .LUJV.&.u..,er Null Termination

CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow

CWE-398: Indicator of Poor Code CWE-454: External Initialization of Trusted Variables or Data Stores Quality CWE456: MissinJ;?; Initialization

CWE457: Use ofUninitialized Variable

CWE-476: NULL Pointer Dereference CWE-400: Uncontrolled Resource Consun:tption ("~Resource Exhaustion·~

CWE-252: Unchecked Return Value

CWE-690: Unchecked Return Value to NULL Pointer Dereference

CWE-772: Missing Release of Resource after Effective Lifetime

CWE442: Web Problems CWE-22: Improper Limitation of a Pathname to a Restricted Directory ( .. Path Traversal")

CWE-79: Failure to Preserve Web Page Structure ( .. Cross-site Scripting'"")

CWE-89: Failure to Preserve SOL Ouerv Structure ("~QL Injection•")

CWE-703: Failure to Handle CWE-43 1 : Missing Handler Exceptional Conditions CWE-248: Uncaught Exception

CWE-755: .uL>v.a.v..,er Handling of Exceptional Conditions

CWE-390: Detection of Error Condition Without Action

© 2011 MITRE

Top25 I AppSec Street Fighter- SANS Institute

~ @ @ @ ( mJ 1 http://blogs.sans.org/appsecstreetfighter/ category/ rop25 /

Top 25 Series - Summary and Links Posted by Frank Kim on April 6, 20 I 0 - 3:4 I pm Rled under Top25 ··········-·········-············-·········-··········-·

As requested here are the links to al l the posts on the Top 25 Most Dangerous Programming Errors. Please let us know if you

have any suggestions o r comments.

I - Cross-Site Scriptin1: (XSS)

2- SOL lniection

3 - Classic Buffer Overflow

4 - Cross-Site Request Forgery (CSRF)

5 - Improper Access Control (Authorization)

6 - Reliance on Untrusted Inputs in a Security Decision

7 - Path Traversal

8 - Unrestricted Upload of Dangerous File Type

9 - OS Command Injection

I 0 - Missing Encryption of Sensitive Data

I I - Hardcoded Credentials

12 - Buffer Access with Incorrect Leng.th Value

13 - PHP File Inclusion

14- Improper Validation of Array Index

15 - Improper Check for Unusual or Exceptional Conditions

16 - Information Exposure Through an Error Message

17- Integer Overflow Or Wraparound

18 - Incorrect Calculation of Buffer Size

19 - Missing Authentication for Critical Function

20 - Download of Code Without lntegrit;y Check

2 1 - Incorrect Permission Assignment for Critical Response

22 - Allocation of Resources Without Limits or Throttl ing

23- Open Redirect

24 - Use of a Broken or Risky Cryptographic Algorithm

25- Race Conditions

Passwords

Jim on Seven Security (Mis)Configurations in java web.xml files

0

Nick Owen on Some Thoughts

About Puowonl• ~

ARCHIVES ( Select Month

META

Login

Entries RSS

Comments RSS

WordPress.org

: J

© 2011 MITRE

The Security Development

Lifecyde

Recent Posts

SOL Threat Modeling Tool 3.1.4 shlpsl

Ear1y Days of the SOL, Part Four

Eilrly ~ of the SOL, Pilrt Three

Ear1y Days of the SOL, Part Two

Ear1y Days of the SOL, Part One

Tags

Common Cntena Crawl Walk

Run Privacy SDL SOL Pro

Network Security Assurance

Secunty Blackhat SOL threat modeling

News

About Us

Adam Shostack

Bryan Sullivan

David Ladd

Jeremy Dallman

Michael Howard

Steve Llpner

Blogroll

BlueHat Security Briefings

SOL and the CWE/SANS Top 25

Bryan here. The security community has been buzzing since SANS and MITRE's joint announcement ear lier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don' t want to get into a debate in this blog about whether this new list will become the new de facto standard for analyzing security vulnerabilities (or indeed, whether it already has become the new standard). Instead, I'd like to esent an overview of how the Microsoft SOL to the CWE/SANS list, May.

Michael and I have wr; ..... l~;.:;........;;;~=~=;;.;.o.,~~=o:=-.:-=~--:--=..,....,......,.,.-:--------~----~---~-------.

y

25weredeveloped ·~~:~:~C:~~~~~~~~~~~t:~~::::::::::::::::::::::~::::::::::::::::JC:::::::v::::J root them out of the s1

ana lysis white paper a n~d,I.J!!.._J~!.Mlli!li!l!!!!!!.!!!!!i!2!!...!!!!l-__ -:-~---:--:------:-:---__:L ___ ...J~--~L----_J guidance around every"'

made manyof thesame ~~~~~~~~~~~~~~~--------------------------~~----------------------~--~ for you to download and

CWE Title

20 Improper 116 Improper Fnr·nrl iir1 Execution with Unnecessary Privileges

Escapingofuutpl~====c'=~="t=-s=~=e=E=n=fo=rre==m=e=nt=o=f=~=N=e=~=s=~=e========================================================~

CWE Outreach: A Team SportMay/June Issue of IEEE Security & Privacy…

© 2011 MITRE

i1~ ;~lw~~ run!"" li r ill.• codL• n!Xd 10 .C>]'fUI~ l r lu~l, koxp rhl"rimc.-spon tlr~": H•Lk i~ h~h l'rivilc!(l-"" · on pcm~bl.~ror ~· . ..::r.m jllo;, in~ ~ pon tk•l¢1.1.' 10.!~ rll a ~~ ... --~IL~>til.lll Tt"I]Uirn t)..,

b.· run oul"O(tt , lml ~h<'r

Basic Training

CX"I cw.b-'l'J • '"' ~~ "'•I CWE-352: Cross-Site ~~ rNkiL"'I cwE-IIo w(JM(', Ill Requusl Forgory rlr roN. IIU' toni.: XS"- It~"' l~hr- Cro«-+Jif' ~ j(,~ ~ko ly, b ul: 1~10'-\· w~ ~"'"'n>nn• th41 \.-:111 l.nuwn ~ OR.F) ~ulnrnblmn

l"!\plU.: XS~ \"UinerJbdm~ an ~o iJir(' .1 rd:.U\'dy new tofm llt Wdl ,,,, rn ... OJi..,~t'"h.-.~ \\,·~~t"(f"o.w ~ul.oc. ~u·td. m p.lrt. by~ b.ad t'"'tAtnrl.r, the- S.anTt' "'""rill) AI'"• Wrb AJ-.plrnlliJfl. ~~ In Uturt, r~rch lnco Wc-b-rc-IJ:rc-d \"Ulnt:r. lhu dcsi.;n doc-~n'r \'m(yWt3 1\....._

.tbtllltn lu,. rr.:,:n·ntJ -...IMAu• q.~u <"Ml"ll" ti-ow ~,WJ ~' 1..'\J..lre

naDy 0\'fl tht-pm f~"''lo ~··..n. wuh and u t.INUd k'tlf~. nt.'IK .ou-f)

r"K"w Wl), •o -.t.kt h"iC~on. r~u- OJ) chc- mc(l k hllf. Gcntral)y, br!y u•~n;d For pure X~ 1~- d:rc tx-~t dcfnr~ ... II) n 'oC' a unir:JUC' IIK'I u d..W,.,<d bv L W~-71J. the -rtd unpred.n~ble l~y t-or eatb

be .. dd'cnwo ~ '" •alid.ttr :~II m· w« Trxlruomlt)·. w tlfymg urput \Cimuac d.au. TbKh,:u.ll~)bo;n du,_·,•"• •n•ijplC" •h"-l'olt~I)'J'C' 1-chc- right ;~pprt»ch ~..t wUI prd:J- Otto.~'" tllt" mpuc IS ~":lhd.

i!t.l) ~011tmuc rubc)()IUt chc-(dfc•

cc"'~lt" (uiUR". IX"-."'klpt..'l" o n 1lo,o CWE--362: aJd I bvC'f Q( dc-(rt"M bv ~UliC Race ConditiOII o....rpm de-rn-cd fmrn unuu\lrd m­

puc (~l!t' CWE-l lb).

CWE-78: Failure to Preservo OS CommtJnd Structure /1.·1 .. 0)- ... ~kllli,.:,m, put4ullrly :.cn"t'r aprl l(OICIOlr.. n-tri-..r- un­

t nNcd ~ ~ad UlC' cht- data 111 thrmlu llllt'"rJn \4-ICh tbl.' un­

d~~·rn, OJIC'Ulmr '>"""'('"' U11· (ottun.ad~, t lus <:an Jud rG ICYCN"

-en-crromrron•~sr •tdk' •noom••lf(. d.IU I!D I.UUJ)'I:C"d--:1~111. d'oe bee dl+-n~ b 10 cb«l ~~ d:K;L Ak(J, fUIUllll.J, Ihc j)C«IIIUUy vulnr:r;it]f

JprJi.o .. '"llrion wdl ~· PfWdctc can ~~~ I..OUI,nn tbr J.MJU~,

CWE-319: Cleartext Transmission of Sensitive l11formolion ~l'ft\Tfft'C' dMil ftlfi'(C oln•wo..•t, iX" r rtXc««< t.t lt"lit ~nd \\hllc On

th~ I.I.U~ llil bt-.t 0lt.i!u; In

thu vuJnrnbll.ay tt 10 l r< a 1.-dl· t~ted u.•chnob(cy uh .- ~LJ TU or II'Sc-c I}(WI\ (nTr1) CrGil f"

ymar~n O>m.mt.~c.K:Oruon mc:dlod ~,.] lrHIIIJIJrJf'lll< d!:fnlloe'. Tb\1 \\t ahn1 " rthrcd ro CWF-127 C'" tho: of:~ Oro ke-n« R.ilky Crnt­logt••J~nc Algorlllun'). 110 n.ul«o ..Urt" )"OU an::n'l \UIO¥ WC'». ~1-bJt

l-lC"-I orWT"\'cl--kf') ll1'5«

RJCC conr:IIIIOfl• <111'" I IIUU 'tt f'R'b­ltnli t."lt..t lor~d to une" pcc:tcd Ldl~o,· t~oM--IUr o..tn1pk, 111:1 op­j·lt~lltim II'C"U tikn;amc- to Yt't t·

fy du t Jr fik c:tnu .rnd dlC'n Ufll:1

lb: Qlllt" filen:~n1e to op!n tlul hie 11w pwblen1 " 111 drc ... u.~ll

nnw dd~· bc-nu~o.."'ft t h.; ch~~t .wul 1hc- iik· npt'tl, "hkh JCt-:K·\­

crs nn tHe to ctl:.ne,"C" the- fik or

dt"lc-tf' Or crrJO: a. 1 tw ~kn " '" 10 ln111JP«' Jilt" tytenll Ul\' CU.•

dKlon~ tJ to opm 1hl: oio)('n 11 d

thr•n utc- the- rt'~ulm-.: h:mdlot l"cw futthn opc.-nt tOII'. At~. C'!Jn­

~I.L.·r rcducu~ r.ht "'-'OJ'f of3furcd o~«n-fcu t'<i~mi)W. '""pot"Ji"' fi)u ihould be li>t'.•l 10 Ill<" u o,n

.llld r.ot 'lu!"f'r:i '-'ltb ntl.lbplc-u$tt

.etlOU.JM\.. Cutll"•t 1-•.,r '''r)o.lnv­n b.UMlCI pnllllllVI."t 4nluttX~ '""nJphon-, , cntJOI secoom:) " \lm•l~orl)tlllporum ..

CWE-209: Error Message lnformllticn Lttak Enot m...,rnudc. 1..'1 U IUGII 10 dt­NBJCH~ flilrd Opc"rlll.nnt. Nr you

tnwa 11tld tTOUnd \\ bo c.~ n rod th.lt d..u..l. lnlo'C't'M"Nl you~ !"'1"-.rton Jn1rk-d t"lh)f llle1U_, co

trU!Ird we:rs. Rnnoo: a;od Mlon­

vuwu~ Uk'n tiuuld ~~ ... 1~rumc me'"""~ wd tht" drt.ulc-J tiJia

l~1o~n.JrU<Ia"~

h'~ C!lll1110l.UI lo "'= uxk "!)C~­

t iOn \'ulncr.ab:lhl•d 111 J:l".tStt!pt

<"ud~ d1~t ~""' ~ u.nn){ ~·l'l!lml· CAlly o~rlll r.r~~1 !I \0 ev.d I) lo

~:XeCllU·, II th: ~.eka controls LbC""W!II'(o:"\Crillfl,in.•ny.,..~·,lwc:or

lhr: u n l"THH". J. nuhcow pl)"bld The flmplrst WI)' tO mdioce chii kmJ of bUR~ ro rndtcJlt' 11tc U\t'

or evolU. but d!~t rould m.:.m n'dN~l.lng the 1prbc:uion.

lll'nl:". f"un lt"itU'S 1S ~ISO ctkCI"fYie

:11 tk-t\.'"~"1:. CWE-665.

CWE-682: lnco.rrect Calculation M:w•t bv~ ovc:rrum in C ~,u

C++ oodo: tech)- arc .u:nu.Uy ~l;n­N 10 IIIWU('l."1 b\rffi·t-OT;!tny-<:iZ~:

nkulmom If Jll Jn JCb:l (OJ}.

uo b ¢11(" 01" utOI\: of the o:kml'llt$ m a si:ze~ akubuon. he oc dlt em

chc \Tr')' kan, IO<Ik kv ft"m11 hko: ·pwd~ and ·pa~-ord" :md I.T.l;tkt" ~~~~ \ou luVC'" II¢ hAr<:l-coded p.m­Wffl"dl or x cn.."'t daca m the- code. VoLt i h au ld :tho JtOflt' tlm d;to m

_.'<.'Cure lm'~Mion w 11lu n the Oj>­

a-..:ang.f)'Stl!lll. ll)' kCt.lll', l~ll pNitetrlwlth.;rn -1ppropri:~~t"pt"r•

lllliOOIJ()f m .. r)I{H 11 .1nd JlOil'l l

!he '-'llcrypnon key wtth an ~PJ'fO­prixii." J'C'""'~o"ion

Basic Training ld ... : .. k-.r hnl.dcnlct-.11.-lu ......... .,._.., ml"'-'-''i!mil::......,fl.c::oi>r-.

Improving Software Security by Eliminating the CWE

f\hliAll

H<M""' M,•(;r()$()/t

..

Top 25 Vulnerabilities

I njanuary2fl09. MITR.E ancl SANS i~~nc;"d rhc "2009

CWE/51\NS Top :B Most Dangcrou> Prognm•

ming Ermrs" to hd p make developers more aware

of rhe buS' th:n C:."ln c.a.u.~ r.ecurity comprornisd

(hnp://cwe.mim·.ol)tltop25). I \\l;l.S one of the m:my

from indunry. [:0\"o:-rnm~IW, 1nd ac;:KI.e!lri;:r wflO provi<k.>d input 10

llll.· do:xiiiiM;(I(,

CWE. ""'hu:h $tlnds !Or CA11t• ni<'Jn Wc-~h•ti~ F.slll!llld".lfitlll, i• 1

I"'QJI'CI" tp(n'Wm:d by the Nniott:~l

C)-bn- Security Oh·ision ~ t!~ US Jlt-pumto::·nt c-IHomrb Jid Socuritr 10 cUwfy Sl"CUf~' bup. I t :wit;m. I uniqut number co "~1lmc.~ f}f<!S ~11.:11 n but!Cr on rrmh or cro~t k"riplinjf,l.l~ (for.ot:l.mpk. C WE­yn i~ "Use Q( ..1 Um h'11 nr R tlk~·

CryJ'(ognrhir lllGM thni'), Shtwt­ly :;r.(C\"1" dk: Top 2.5 1.~·, t't'l~,

MkrUIOft unvt:'iiOO a docvrnmt t·n· ntk.-d. ~Tile M tntMfl: SOL ~nd the C WE/5ANS Tup 2S,"' to (':o;pJm huw Mi<'MSOrr's ~ • ..,my pr~~ Olin lwlp ptt."\' \!"ltt the want ottCnd­ef"!l 0mp:1/blo~m\lln.c0lll/w.:ll/ au: lli"e/2U09/Q 1/27/;J l-:u1d·lhc

-(\\'li'-4:ti!J·top-l5~p:(), Fu ll <lo)c:ln..un-: I' m o nr: ol1lut

dorurn •. •nt's oo.urthon. but Ill) ' pur­pose he-n- isn't (0 tq;!"to:tyit-Atl" th:­MKfi.N)fi pk"Cc.-. lhd1l't. Ill)' J::OOI n

ro dt'SCribr !Clue bC'st pncti-!'t."& t lut c:m hdp yo.r d.imin;n..- the CW £ Tor25 ' '"'l.!ld"lbilr.tib in )-uurown d~ltlplllllltl: l!nvbomrw1a :md j)«XIUl"K )1\ t ho i lli]'Oit~llf t l) llll­

dm!~frd 1h<M Old~nt:: the wo:4k-

68

l'lk:Odln~Wdo..N.'>C.'dnutpo!!is..t dc:­

'"n~ in t ..-w rhe do.-v.-.l<.per do~"'n'r dctei."t Jnd prewm ntJticiom Web inp11 (...,.,. C.WE-79 ~no.l G 'll:.rE.

ZO). Hawt.'"\"l'f. rhl" mdumy tm seoo m~n~· ~urit)· bu~ ti!Jl .-.-..,Jo.l h:n•t b._.._ .• \ f"'C\"cnc:etl ;;r, ohu•~<= t..l

Improving Software Security by Eliminating the CWE Top 25 Vulnerabilities M tCIIAll HOWAAD

© 2011 MITRE

Korean

© 2011 MITRE

Japanese

© 2011 MITRE

The Web Application Security Consortium I Threat Classification Taxonomy Cross Reference View

@:::8 .. @) @ (!) @ http:f/proj ects.webappsec.orgtw/page/ 13246975/Threat-Ciassification-Taxonomy-Cross-Reference-View Q ,. ) (,t• { Google

The Web Application Security Consortium

Q wiki Pages & Files Search this worts pace

VIEW

Threat Classification Taxonomy Cross Reference View 0 Tags: Threat Classification

last ed~ed by 8 Robert Auger 10 months, 3 weeks ago u Page hlstol'f ~ Check for plagiarism

Threat Classification 'Taxonomy Cross Reference View'

This view contains a mapping of the WASC Threat Classification's Attacks and Weaknesses with MITRE's Common Weakness Enumeration, MITRE's Common Attack Pattern Enumeration and

Classification, OW ASP Top Ten 2010 RCl (original mapping with OW ASP Top Ten from Jeremiah Grossman & Bill Corry) and SANS/CWE and OW ASP Top Ten 2007 and 2004 (original mapping

from Dan Cornell, Denim Group)

-WASC ID Name CWE ID CAPEC SANS/CWE Top 25 OWASP Top Ten 2010 OW ASP Top Ten 2007 OWASPTop

ID 2009 Ten 2004 -WASC-01 Insufficient Authentication 287 642 A3 -Broken A7- Broken A3- Broken

Authentication and Authentication and Authentication Session Wanagement, Session Management, and Session

A4 - Insecure Direct A4 - Insecure Direct management,

Object References Object Reference A2- Broken

Access Control -WASC-02 Insufficient Authorization 284 28S A4 - Insecure Direct A10- Failure to A2- Broken

Object References, A7 Restrict URL Access, A4 Access Control - Failure to Restrict - Insecure Direct

URL Access Object Reference -WASC-03 Integer Overflows 190 128 682

WASC- 04 Insufficient Transport La~er Protection 311 523 319 AlO - Insufficient A9 - Insecure Transport Layer Communications

Protection -WASC-OS Remote File Inclusion ~ 193 2S3 426 A3 - Malicious File

Execution - --WASC-06 Format String 134 §l

WASC- 07 Buffer Overflow 119 120 !Q 100 119 AS - Buffer Overflows

WASC- 08 Cross- site Scrl ptinq Z2 1UH1 Z2 A2 - Cross-Site A1 - Cross Site A4 - Cross Site Scripting Scripting ()(55) Scripting ()(55)

WASC-09 Cross- site Req uest Forger:t 3S2 §I 3S2 AS - Cross-Site AS - Cross Site Request Request Forgery Forgery (CSRF)

·"· ·' I Done

SideBar

WASC Projetts • Distributed Open Proxy Honeypots • S<ript Mapping • The Web Securitv Glossarv • Web Application Firewall Evaluation

Criteria • Web Application Security Scanner

Evaluation Criteria • Web Application Securi!Y Statistics • Web Hacking Incidents Database • WASC Threat Classification

WASC Project Leaders • Robert Auger • Ryan Barnett • Romain Gaucher • Sergey Gordeychik • Ofer Shezaf • Brian Shura

WASC Main Website • http:Uwww.webappsec.orgl

WASC Mailing Lists • http: l/lists.webappsec.org/

IYASC on Twitter • http: l/twitter.com/wascupdates

Join us on Unkedln! • http: uwww.linkedin.com

/grouos?gid=83336

Recent Activity

) Insufficient Data Protection Working

0

,. ~ • • .AI

© 2011 MITRE

IBM Software Technical White Paper

Test and vulnerability assessment

One way to improve software security is to gain a better understanding of the most common weaknesses dm can affect software security. 'V\r.th that in mind, there are many resources available online to help organizations learn about

Testing applications for security defects should be an integral and organic part of any software testing process. During security testing, organizations should test to help ensure that the security requirements have been implemented and the product is free of vulnerabilities.

Resources available to help organizations protect systems

Resource

DoD lnformaoon AsSI.tance Certification and Accreditation Process (DIACAP)

Oe~ense ln!ormatk>n Systems Agency (DISA)

U.S. Dep~nt of Homeland Secumy (DHSl

The Common Weaknesses Erl.Jmeraoon pro!ect, a comrrl.Jnity·based program sponsored by the MITRE C01poration, an IBM 8usi1ess Partner

The Open woo AppfiCatlon Secumy Pro!ect (ONASP)

Cighal BuiX:Mg Security In Maturity Model (BSIMM)

IBM X-Foroellol research and development team

IBM lnsthiAe for Advanced Security (lAS)

Focus

The DIACAP defllles the ffilrlilllllll accredited by the DoD and authorized application-level security controls, rut it activities, geoer~ tasks, and a ma~>aoetnl

The DISA provides a security technical 10

devek>pment that offer more granular inld!'l'l'lll'~'el"'"!~!emlel'l""~le!'l'l'l'lll'll'"!!m~ll"'mm tliity assessment techniques. The Checklist IS the

The DHS offere lllforma!lOn on secLtity best practices and toots for application· and part of its 'Butld Security In" initative.

The MITRE Corporaoon mailta.ns the online common vulnerabilities and exposures enumerallon (C'M) knowledge bases aboiA cLtrently known vulnerabi~ies and types knowledge base focuses on packaged software and deals with patches <Wld known knowledge base focuses on code \'\Jinerabilities.

one or the best sources for l'lloonatlon on web afl)lcallon security Issues, the ONN:R 1 o list of the most dangerous and most commonty !oltld and ccmmonty exptlited how to iden!dy, r.x and avoid them.

Created by Ogital, M IBM Business Partner. the BSIMM is designed to he'p OI'Q<lniZlUIOt and plan a software security 111illative. The fccus is on makng applca!lOns more process and at later stages 111 the software ife cycle.

A global cyberthreat and risk analys;s team that monhors traffiC and attacka around the IB'vl X·Force team is an exce ent resoLtCe lor trend analysis and answ·ers to questions a!tacka are most common, where they are ccmilg !rom and what organizations can do the risks.

This cc~arly'Mde cybersecurity initiative applies IB'vl research, seno!ces, software and he'p governments and other crents i'llprove the security and resi ency of their IT and

Common

--------- ----= = =---= - -- ---==-=·=

Security in Development: The IBM Secure Engineering Framework

• Investigating common development processes and the IBM Integrated Product Development ptocoss

• Emphasizing security uworonoss and roquiromonts In tho sottwnro dovOiopmont procoss

• Discussing test and vulnerability assessments

Li/JI Redbooks

© 2011 MITRE

~ Software Enginee ring Institute

Security Measurable·

Making the Business Case for Software Assurance

NaneyRMea.d Julia H. Allen W. Althi.U Conklin Antonio Orornmi John Hamson Jeff Ingalsbe James Raney Oan Shoemaker

April 2009

SPECIAL REPORT CMUISEI-2009-SR.()O 1

CERT P-rogram .Un1mtled distribuclor 'ubject » :Jle a:~~ht..

C.1rn•-giel\lcllon

OVM: An Ontology for Vulnerability Management JuAn Wang & Minzhe Guo

SoUlhom Polytoctwc Slato Unlvorsity 1100 South Mariclta Parl<way

Marietta. GA 30060 (01) 578-915-3718

jwang@spsu.edu ABSTRACT ln. order lO l't'Mb lbe goals ()( llle lnforma.tioo Sett~ri.ty Au:tc.natioa Progra.o (JSAI') ( I). we propose .., O<l»>OSi<>l 'l'proach to ~pLurin& and us.ifu-jng tbc fw'lda:mcAtaJ conttptS in infomwioa security ~d their rtlahottS!up, t't'trievuli V\.ol ttctabit t~)' dau a.11d rtuaning oltoot the tlust a:nd irnpfiC'l oJ \1lloerabilitieJ. Ou ontOk>ai for wlneral:uhty mac~ageoent (OVM) bai been popUa!Cd will! aU \'Uioet:l.bilities in ~'VO [2] wilh adc!itioaal it~fttt"GOC rules.. ktiO\\ ledge ttpc"eSC'c.tatiOC'L atJd dat.a·minang elcd!Mist:1&. \\'itlt l~ seruniCM inttfllt.ioft of co1~~ \"\l!ncrabtlrtitli a:nd thcu- rel2:1ed cooocpts s:ueh a.-1 ~tacks a.11d countet1'001su.rtt.. OVM pnwidet a proe~.iii!t& pa!hway to makit~ I SAP Si.JCQtSSful

Categories and Subject Descriptors C.2.0 [Computtr<ClmmuniCidGn :litf\'l-ot'ICJ~ GtneraJ [Seturity and protect.lon), K.6.S [Mana;t1ntnt of Cotuputtnc u d Lnforma.tlon SyJttnu): Sccuri1y end Prott'Ction;

General Ter ms On:~>logy, Sceuril)', Vu.lnernhfl ity Ana.l)-sl:s ~~ld ~a088ez~t

Ke)'words Stturi1y \'\lltlm:bility. Vulecral:ullty tnai)'SU

1. INTRODUCfi ON

~tthooiOf!Y.

'lbe lnformMion: Sccw-iry AUitlrnltioD Progr&~n ((SAP) Li a t:.S. ~·ttn~neat multi-ag.mcy uuli:!.twe to enable tLtomation tjld Star'ldanhzi:tioa of toch.Utal stcumy optraUOilS ( I). h.s blgh-!1!'\'t! p)s include S:ltnch:tb M:!ed ac10f~tian or stl!tlnl)' ~~ing and rtmcdra.OOtl u well ti a.utOrn&tioo of uxbrlical ~baoct acth tlics. Its low·k\el objtetl\ ts u)CI.Jde enabJi.a& sta!ld!.!ds baud Mml!'lunicalicon. of wln~lit)• &:lUI, ~uw•rmi~ina and t:'lanagifti CC)ftfigurttioa basclii)('S for '-'li!'io~ IT product&. tiSC:'Uing tnfCWI':'!alM)It S)'Rtlns and rtpoc1u~.g eornplia:ux 'lalllS.. tl5iJ~.& stMda.-d. t!'le'Lriet to wdsltt at:~d aggrt£Mt potential \'\I!I.C1'11bibty i.mpatt. .. ~ rtmediancg ide:Dtifitd \'Ulnttabtbtics (t ], Seeurc cocnputer !)'~tC!!:\5 ~l::$tn that ocmlide1Uial11y. intcsrity, -~ availablbty an: rua.inta:intd for wm. da&a. a.t~d ocho' l!lf<lm!:3Uon ti..iets.. C>vc:r tbe. pa.'it a ! I!'IA' d«adcs, 2. !lattifi-eanlly lar£c amouR!. of kno'll'locli.e bas bttl1 attusnu.latcd ic me lrta of infamttuon !ecutily. How~. a. lot of conee-p~S irt infon~tiot1 IC'CUrity art \'lguc.ly detioed aDd JOC'Itci:rtlts they ba\"C dJ.fferun

Per:n:11:c:a ta rrde dis:-t:l a r h-.""1! Cllpie:s; or :~f) D:" ~~~ of tb:ll -.--c:& illlr pcrMXll) or (":U.roQ!ID me is gnm!CU 11.11ixnu fcc pwndcd t:lz: ~ ~ 11101 !Ia& cc- tinrillt:ttd few Jftll11 « commrtrial ~~c.h-ar.:gp W dill c~~ bt:::t tlu Mt!e~ 11~:~d ~he full d~uo an. t!!c l"a:K pa4tc. To CO;'I)' O'Jiawi sc, 11:t :cp;~bbb. w po:s; oc I'C\~ ar XI redislribi;;".C' 10 li~"' rtqlaftJ prior 9«ifk pcnt'li1llioa.tmd'or a ire..

CSDRW'09. A.pril U· JS., O&t Riqc.. TCCDC'Ute. USA Cop)'f...gJ\l C 2009 ACM 971-I 60SSI 511 5 - · U.OO

.sema.ntie:s in difftmll C()(ltclO.tl. eau:ting mdundc:ri1andiDg among stale holdm due to lite lart~ ~tbi~t)". 0!1 tlx Ollter llatld, the standardil.ation. desi&n and dc"-clopelC'tlt of security tools ( I · S] requue a S:)-stetna.tic classa(!Cflt.IOO attd dtti::ubQitl of Sffi.lt'ltY

coneeplJ and t:ecbuiques. Jt is i:mpo1tan1 to ha\'C a dcatly dcfutrd ''OCibvlaty attd i t&lldatciizcd lattguage as means 10 accurately comnw!tiell!c !I)'Uttn ''t..lncrUility information lt!ld their c:oorttttmeasll:les amona all the people b"olved. We bdi-e~-e that semuti-e tecb2101og:y i" gcec.r:ll!. and oetology in pa.·•'tict.1at. couJd bt a useful tOOl (Of S)"Stt~ 5C<'IU11)'. Our rtS~b wort ll&i (:Qilfl.nncd d 1.i,. bd.ic f aud llti• ~""ill tC!)Cnl 310nlC Of Ot.il .,."Od,.

u1 lhis area.

Aa ontology lS 1 spec'ificalioll of eooctplS Wtd their n:lauooship. Or.tology tq~ts kDOYA-cdgc in a fomtal &tid s.tructiJ:Ied foro. Tbtrtfort~ ontology pr<widcs a bcncr [001 for tocnl'ml.nie.atiort tct.tsabihty, and ot~l'!.iU"!l.O!I or k.M'Iili leqc. OtuoiOB)' IS a k.....t~ reprcscnO>tioo (KR) S)'lltm bosod oo D<scnplion Log,cs (DL.s) (6]. wrucll ;, .., ""'!><ella •• ,.., for. r.,.l)' of I(J(

forma.Jis.tn!l ~ tnowkdg,c in \'lriOtJ! domJ.im. The Dt formal iant spec~racs a knowkdge do.na1n ai !he ~-orld .. by first defmin& dte rel~'D!lt eooecpts o f lltc dotnail'!... and men it IJl.C'i

these: concept~ to specify ~ties of obJociS and 1ndlvidl:!a!s oct~.~;rri~ in d~.e domain (10· 12~ Semantic &c~h.notogies DOC onJy provide a 1.001 f01 C«''rnurtlcatjc,a, b~.:l a.lso a fOUttd:u.ton for ~­Je\,'cl n:;a§()(litlg aDd dtcision .. ma};jng_ Ontology. in pcl1licular. provides &he polezn iaJ of f<1nnal logic infcrtoec: ba.ied oc• well· deftned data and lrru!O'Witd.ge bouts. Ontology Ctpi.U."'Ci lhc n:lationships bnv.'tt!l colk«ed ciata and tast lbt tApiiC'It

ki)()Y.'led~ of ooneepa and rclatiom.h.i!)l to deduce d~e impli-cit and inbci"(''t ktl~ ledge~ As a maatr of fact. a hea"y-we1gln oetology roWd bt defined a& a fetm,al1ogte t) stem. as it i!lelcdts facu and tuJcs. tooXp1&. <"OIICc:pt: w:onomies. rdatio!tsl'tip8. propertjes. uiotns and eo.!tStra!!lts.

A \'UI:lerability IS a secunty na.w. which. anscs froo OOI~I)alttt S)'Sttm dni~ imp1mltnta.t.ibrl. •naintccanet'. and opcratioo. R~ 11t tbe a..-ea of vuloerabiLty a•~l)'s.ts focus.es on d:SCO\-Ct')' of prt:Viously W\kl1i()'liVn ' 'WDC:tthititici and q.ul:ntif.catic:m o f the SC('wtty of S)'filt::ns aocotdin,g tO SOI:'IC C'IC'IncJ. Rc:scarehtrJ at .Mint.E ha\'C ptO\'ided a. i!lltld!n! fomw fllr na:ni.ng • seturit.y \'L.Jneratuhty. e~lod Com!~ \'ulntrab1h~ies and Ex:poiUteS (CVE) ( 14}. \\1lich asi.igns eteb vulnei'Ollility a Wl!.qtJC .dtnttfication n;.~mbtt . We havedcsiSI~ a vuh'ltrabtlii> OOt(>loG)"

OVM (oi\Ullosy Ill< \-ulncrobilily lllll!lll!l<"""') populated""" Ill tx:~.Stiag ,'11JOO"&b11ititi in t\ VD (2). Jt suppons resc:arch Olt J'C'tiOning abot4 vutnc.rabilities and eb!lt9CICJiza:tion of \'ioJI."»Ct'abbliCS and tbc1t u:'lpa~ OQ COC'l'lt~Uti::IS: S)'SIC'I~~. Vendots and tHen tan !lie Obt ontOlogy in i"'potl of ~~!J!CI'Ibility ana~is.. tOOl de.,.elo,)l:nent and \'Ulncrabtlity rnarta~C;:'I\t'l'lt.

Tbt rest of this pipet • ~c:d 111 foll~11: Seccion 2 pmcrm tl~e vci'-Jteccw-e or ow OVM. Scetion 3 di~ecsses bO!.O.• to popUa!e­lhe OVM "'""th vulnerability i.z:.stlnoti from NVD ltld ocbtr

© 2011 MITRE

Making Security

Measurable·

A Policy-Based Vulnerability Analysis Framework

By

SOPHIE JEAN E:-IGLE B.S. (University of Nebraska nt OmnbAJ 2002

DISSERTATION

Subntiued in JlArtlal sad.sfactlon of tile rcqulrcm~ms for the degree of

DOCTOR OF PlllLOSOPIIY

in

Computer Science

in tlte

OFFICE OF GRADUATE STUDIES

of the

UNIVERSITY OF CALIFORNIA

DAVIS

Approved:

Professor Matt BlsllOJl (Olalrl

ProfessorS. Fdix Wu

Professor Karl Uwln

Professor Stan Pclscrt

Committee In Charge

2010

Analysis-Based Verification: A Programmer­

Oriented Approach to the Assurance of

Mechanical Program Properties

T. J . Halloran /\lay 27, 2010

C.'AU-LSR-IG-112

ltt•Litutc for Software ll.cscarch School of Comput<>r Science Carnegie Mellon 1,; ni"crsity

Pitl,J,urgh, PA i52 i3

Subrnittrd in par·tial ful}illment of 11•• ""Juin:mtn~• for the degn:e of Doctor of 1'/ulosor•hrJ.

Thesis Co nunlttcc : WiUiam L. Scllcrlis (advisor)

J atncs D. HcrL.,Ich ~lo.ry Shaw

Joshua ,J. Bloch, Googlc, II>c.

Copyright @ 2010 T . J . llalloran

~-~..,b._,.~Uo..,. ... ..,,._....,""""'"-~U·•·t,.....,. . 11&1.,"- 'Al!-' '<."Ca.12M....,~'~"1Loc..kll.oeod.Mw''- RJV.:JI.Slrtt ,.., O-\"-D1!102 0* I.MIA.I ~ IC..O'O 'O!"• ·-.-... ~I•t ... 40tll•!~-lllooo~,. .. l .. t>...._...,_afldl...,...~t(I(M""1~1Ht'44'11 - .....,_.~ t"-~ ,.1~ .. ,.lllll',_l or •••~ttltltoo .,._,..,. \.'"' ('_.,,...,,,.,c-.,....., \1•11,.., u._,.

Linkage with Fundamental Changes in Enterprise Security Initiatives

CWE and CAPEC included in Control 7 of the “Twenty Critical Controls for Effective Cyber Defense: Consensus A dit G id li ”Audit Guidelines”

© 2011 MITRE

Linkage with Fundamental Changes in Enterprise Security Initiatives

CWE and CAPEC included inCWE and CAPEC included in “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem

© 2011 MITRE

y ywith Automated Collective Action”

© 2011 MITRE

https: // bui ldsecu ri tyin.us- cert.govt swat foru ms.html

~~~:~E:,,:;!~~~E~1~.e 4Y

, ..... , ...... ~ . .., .• _._ ... " · SE!'~h-(S!Jcu'!>tcwnl:le

HOME I AeOliT I RESOURCES I ADVISOFUES EVENT'S WEBINARS PODCAS'TS PROCESS VIEW

SwA Communit iu

SwA forums. • Woriclng Groups

Workforce Educabon & Triilnmg

Proc(!S5es & Practices

Tedvloi09V, Tools a Prodi.Kt Eval.

Aequlsibon & Outsourcang

Meuurement

Bus1ness Case

Malware

SwA Mitrtl:et Pl~e

SwA Ecosyst em

Making Security Me.asun~ble

lultd Security l n

Fonuns

The Software Assurance Progr.lm of the Department of Homeland cyt>er seru~ty Divis'on co-sponsors SwA Foru~ semi-annually Department of Oc'cnse a.nd the National [nsbtut c for Standards and purpose of the forums: is t o bring together members of government, a~demLa with vested itlterests In software assurance to diSCuss and se<:t.ui ty, and rellab lity In software.

FORUM PRfSENTATIONS

SwA Forum presentations: that arc relcas<.'d for publicat ion are posted

~}_t;!I,.,~.'!I-1.:~~~~!! .. ~~~~--~-L!.~-~-~-~~- - september 27-0Ctobcr

~-~-t-~---~-~-1::.~~~~~~--~~~~~--~!.~.~-~--~-~~- • Marcf1 9·12, 2010

~}_t_~---~-~-1.:~~~~~~--~~~~--~!.~.~-~--~-~~- · Novcm~r 3·5, 2009

~-~---~-~-~.:~~~~~~ .. :?.~~~~~~--~-~-~-~-~-~~- · March 10· 12, 2009

~-~~~~~~.~.u.a.l .s.o.":~~r,~ ,A,S~~:a~ .. ~~-~ • october 14· 16# 2008

SWA WORKING GROUPS

Jn between SwA Forums, the DHS SwA ~rogram hOst s SwA Worl<:lng provide venues for publ~c-prlvate collaboration in advandng init iatives. and status updat es rram the SwA Wor1dng G rOups are Forums and to other relevant stakei\Oidcr grOups. For tnOre lnrormat!on

SwA Communities

SwA Forums & Working Groups

Workforce Education & Training

Processes & Practices

Technology, Tools & Product Eval.

• Activities

· Resources

• Collaborations

·Research

Acquisition & Outsourcing

Measurement

Business case

Technology, Tools and Product Evaluation Working Group

Resources

SwA Tools Overview

Common Attack Pattern Enumeration and Classification

Federal Plan for Cyber Security and Information Assurance Research and Development:

Available for download on the ~~~i~~~ l ~e~t~ i~~~i~~Qffi~~f~~ ~~~'lle~~i~g ~~~

!~f~~~.~ti~.~ ... T~.~.h.~glg.9Y. ... ~.~~.~~.~~h .... ~ .. ~.9 ... q~y~lgp.f!l.~.~.~ site.

F~QS~i~Q ~~tr:a~tigQ : A~tg~a~e~ ~~~~yig~ ~gf!lp~~a~i~Q f~r A~rg~p~~~ ?g~'ll~t~ Verification and Certification (PDF)

Questions?

© 2011 MITREramartin@mitre.orgramartin@mitre.org