software security knowledge: training(is c)'® 5-day csslp cb~ education program educate...
TRANSCRIPT
National DefenseCommerce
Software Security Knowledge:Software Security Knowledge:Training
Robert A. MartinSean Barnum
May 2011
Report Documentation Page Form ApprovedOMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.
1. REPORT DATE MAY 2011 2. REPORT TYPE
3. DATES COVERED 00-00-2011 to 00-00-2011
4. TITLE AND SUBTITLE Software Security Knowledge: Training
5a. CONTRACT NUMBER
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Mitre Corporation,202 Burlington Rd,Bedford,MA,01730-1420
8. PERFORMING ORGANIZATIONREPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES Presented at the 23rd Systems and Software Technology Conference (SSTC), 16-19 May 2011, Salt LakeCity, UT. Sponsored in part by the USAF. U.S. Government or Federal Rights License
14. ABSTRACT
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as
Report (SAR)
18. NUMBEROF PAGES
28
19a. NAME OFRESPONSIBLE PERSON
a. REPORT unclassified
b. ABSTRACT unclassified
c. THIS PAGE unclassified
Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
Agenda
8:00-8:45am Software Security Knowledge about Applications WeaknessesApplications Weaknesses
9:00-9:45am Software Security Knowledge about Attack Patterns Against ApplicationsTraining in Software Security
10:15-11:00am Software Security Practice11:15-12:00am Supporting Capabilities
Assurance CasesSecure Development & Secure Operations
© 2011 MITRE
CWE is Meant for People to Use
© 2011 MITRE
Security Measurable~
CWE Version 1.4
Edited by: Steven M. Christey, Conor 0 . Harris, and Janis E. Kenderdine
Project Lead: Robert A. Martin
MITRE
I I
I I
CWE Vernlon 1.4
f lfbiH ol CAJnlmrbr
................................ I ............................. I
.... 1 I
.......................... 2 ............. 3
................................ 4
................................. I 8 9
10 .......................... .... 12 ............................... 13
........ 13 13
... ............................ 14
····························· 14
" :>? ?<
............... 26 .... 27
?7 ?8
......... 29 ........................... 31
.......... 32 33 3<
····•················•·· ....• 30 ............................... 36
97 38 39
............................... 40 ..... 41
<? ...................... 43
.............................. 45 ............... ~
•s 4G . 7
.... 47
... 48 49 49
••••••••••••••••••••••••••• !>()
............. so 51
... 5 1 ~2 ~.:J
53
Ill
~ .. rY iD 2. 0 g lit a "'
T
CWE VenUon 1.4
CWE· 1: LOCGII<NI
roduccd during the
"' P:~~ge
6119 , 6119 1.1 61111 13 6119 /19:,
nmenlal
'8 Page 6QQ I 61111 1
~700 ? 700 3 700 4 700 s
" 700 8
700 7 700 8
"'• 700 9 699 tO 700 6119 12 6119 46& 6119 S60 6119 64.9 700 696
s
nmcntal conditions
w Page 800 1 6119 1 6fll/ 540
0 =: ~ ,... 0 n ~ g
C:W E Vero(on 1.4
/um ('SOl lnj«:llon?
es. limlnntc the SOL
II" boxes, the lion user has the
database.
First ol all, the n SOL II a user ~may bypass dala I command ble to aHer the possibly accessri!J slropl1eare programmer may
rcvcnt any data I
IO'w.l$0L i11joc:.110fl
r1y encOOed output. sc Java Beans •
ionbelween g, encoding. and Xlbllity at every
ored procedures. n<J. Oo nol .xec"orsirnitar
103
CWE Verclon 1 .4 lllcJ(IX
C WE Vcroion 1.4
Index 1 craar~ers.am "·--· pllelte ldentmet. G92
101 AulhOn.Lat!On 19 lf1lUT Output (FlO),
h 10 [)(1("(:t NULL PointL<t 0 EnYirOI"'Inefli (ENV),
I ~IS(SIG), 1'48 ""Y Autho.-bon. 33ol 2- (UOI tlan<llng (CRR). :.stze. '192
610 9-Miloellneous (MSC), • . :nl
fo · POSIX (POS), 738 -ttm.~ Mannt"',
(')
=: ... rr foono ('lo'On.;n-..,.,.mc~.
Algwnenl, ~
0> po.r....- . 592 ~ ., 9 !!. c ~r'ISoo EuOtS. 200 liOn, 319
"""· 336 a ~ tntormatkX'I. 342
0 r Skit Sret;unty, :.Me P..,. G5o "D ~0. 578
<0 " · 287 "' ~ (', 2 11
r-""""-:6 ~-OIIOCIOI)'. 500 >10
~;. , ~
514 , lrn,.~ltd OI~
r EnT C &.-am: COdiny 0 !Mcdt'lcotion0f$c."'alllty· :; <:: Q. TC. G20
"' ar eunM. 10 "' (?004). /HI :; -< " (2007). 619 c. ~ 7C2 "c. 652 ~ 2
nc-, GS3
n nJcv'.a.. 655
c IOfS), 247 ~·IP, G57
<D • 39G Top25 Most
139 ...., '"91, 606 (/) ~~lall0n, f03 0 !CtOf"/ wnn lnconea r reclot'IH. G21
= :; llSi"~.IIC P\.'frM'SionS, ~-- "" cs· !l.
... ...... .,.. 521 o· .=, 750
\lb<Jn lellk. 2U ~·· "" .,_ 373
Oullfl9~
"'*"''· 107 • klj<."dion), 611
F-<W>n-424 Cxoop!IOII. 425
ot. 487 1
I TOning Ch<lllrM.'t. 539
827
833
16 July 2010
© 2011 MITRE
c . c . a PI I a s I
Cyb~ ~e ec ity cJ 1 • ca Pr ofici cy , a tt ~ · s
A h ite ~ pe r of the CSIS Commission on Cybersecurity ·for the th Presidency
A compl·ete bo·dy ~of kno~wledge coverin.g th.e entire field of softwar~e enginee~ri.ng may be years away. Ho:wever, tl1e body of knowledge ne~eded by professionals to cr~eate software free of common and critica s~ecurity flaws has been d.~eveloped, vetted W'id.ely and kept up to date. That is the foundatio~n for a certification program in software assurance that can gai'n wide .adoptiont It was created in. late 2008 by a conso·rtium ofn.,ational exp~erts., sp~o~nsored by DHS and NSA, .a.nd was updated in late 20 09. It contains r,anked lists of the most com:mon errors, e~xplanations of why the
~errors are dangerous, example·s of those errors in multi.ple lan.guages, and ways of ~eliminating those erro~rs. It can be found at http:ffcwe.mitre.org/top25.
Any programmer who writes C'Ode \r-Vith~out betng aware of those proble~ms a·nd is not capable ~of writing· c·od.e free of those errors is a threat to hi.s or her employers and to others who use computers con,necte·d to systems running his or her software.
© 2011 MITRE
The Celtlfled Secure Software Llfecycle Professfonal (CSSLP) Certfficabon Program Vv'l ll show software llfecycle stakeholders not only how to Implement security, but how to gJean security requirements, design. architect, test and deploy secure software.
An Overview of the Steps:
(IS C)' ® 5-day CSSLP CB~ Education Program Educate yourself and leam security best practices and Industry standards for the software llfecycle through the CSSLP Education Program.(lscr provides education your way to fit your life and schedule.Completlng this course will, not only teach all of the
u ...... , ...... , a security plan across your
~bnps://Wftw.I!Cllr!codl~.c!rt.org/connu!IK!/dlsp~y/cplusplus/MSCOO-<:PP.;Com~l!+d!in~titthlgbfltimkl;tl!'l!k
c 1'.1"1"-'
IISCGOtPP. Com~ it dtMiy Ill high Wlllllng I Mit
THE CERT®C SECURE CODING
=~~010tt0t,IOOI~IIICWCOH~ll1
~·COiillllijltoi~9'*11lfiii!IMIMiiilir!Mit'illitlliMWoi'IIJO!trmli!JIIII"'IIil,
ittntlltiCII U!Oij!C!m tmii«<OIIIIJ
I A~~..,lhil~~~~~ .. ~"'""'<-l/lrlllii~.,-$..1P.ft-II•,...-.:•"''~MI"'II!II"""'"'"'""'-'....,r/llfl"""'"'""''liii!II,Mti!NM!Mrl* ~,.-~ .. ~-~iliiiiiiii(.!WUI'I.-1«11 ~ ~ -
• • •
••
• • •
•
STANDARD liilllfli'41Wo1J"'lll!i'INI!MOI, Milllt4 daj'IOitC l"ii~itti ol ;i!\ill(lllfl I filiCic • <0\llrlN liOIIIOil
R OBERT
(ISOIIEC 9899:1999] Section 5.1.1.3, "Diagnostics'' [MITRE 07] CWE ID 563, "Unused Variable"; CWE ID 5ZQ, "Expression is Always Fa lse"; ewE ID 571, "Expression is Always True" [Sutter Q5] Item 1 (Seac.ord 05a) Chapter 8, "Recommended Practices"
© 2011 MITRE
·lot•~rr..-n -,.m....,
l•dl.boi!U..,b~
N-.cttetA_ , _ wt lt-t&T_.., ... ,....~ ·~
,., ..... k> ... ,.,....;(._! ... b'o• u-... .. t,)~.....,,,_,~.,. .. ~1---'--
_,."'ltlt.c...,••"' •WI' .....,....,.. ..... _...,.__, lrltrl9rlk.-b ..... ltllf __ f o,.,._,,_ ._.,,_
.. __ Ulo.-..~""' ('_,.,.t._ .... _.,..,t~-( ..... • ..._.-w,_,.., ...... \.4'""
u..,.,,,'""'"-nr••• ~.r .. u m '" uo lll!ilfllfl'A'Uilrl '•nul
...
I Web Problems f .. t.rtl; ~rrlutlHJ !.~'3U\I;;II" HT1t'"-•..,.,
HT'P' Bnrcn~• ~plftJ'I11
h,UIUdtlf l l l lrJ'I'I<Ihlf .~lo4'TT' J.a!"i:p ... lh Kff' t • ...-t~"'C"''"I
"r'l .. l ~N11UIIU rt.-nll' ~fOI rr_. \.:flli tMJ ~ IU
L~'''"{r.i"Mt•••-~ Lit\ '•''''"" ~~n~ur n... .......
hlllilf-fiC:...Nt~l~~,.,.... .... lil.ttlk~t..._.,N.n-...-. .. ._....,.. ...... .__,........_.._ tn~atlldrt
~-.......... ~ . ...._. ...... '" ............ . .... .,.tlloi'Sor ...... ,., ......... t<llit_...,_C" ............ ..... .... ~oran:,...~~ll:rW' ............. ""'........,~~s--."911 .. .._ .... .-. ....... _ .... __ ~_..._
• ...._....._ ____ ._. .................... nr ........ . ........ NII: .... •M,.•11tlof • .,"J't.,...,... .. ~,•tbo••••JI•!"' .... IIi
~ttp;Nr- rm,..wtJcltt- dtkt~..,,... ,,, .. ,.,_"'
SANS MITRE •
lbWJT.,UC\'fCou>u u~s mp:nun CWk
.eq-.~,--t_,
. . .. ..., ......... ("'If'~· ...... ...
,,.,......., ......... ,~ ... ~ ...... ,. . . ..... h h 1' ... ,,.,_, ..... .
IndustryUptakeUptake
CWE
© 2011 MITRE
CAPEC
© 2011 MITRE
The Securilty Developrnen• Lifecyc:le MS0&-078 .and tl>e
a hup: /lblogs.rnsd n .corn/ sd l /archlvel2006/ 12118/rns08~07 8 -and -lhe-sd l .a.spx
Recenrt: Posts
.foCSIOI!t.-0:7 and 'the SOL
An~ng CAT-NET C"TP •ndl A...naDCSS v3-
SDL-
a u.H.t SD L. s...lor'w W....P""'UIIP
Secure Coding s..cr-?
~ er......a c:::ra:v.rl \Nalk Run
Pr;""<:V SDL SOL Pro N"""""'"'
Securi~ Assuranoe Secur ity BOiocSDL threat rnocleJing
Blogroll
............ ~ &rleft.....a-
n- Ml<::l-.-.ft ~ ---c.r.M~I HOO'W'•rd'• 'Web Log
rt. o.oa Prtvac:v llrn __..,.. Security vua ...... bJTlty -rdh • ..__ .,....., ~Code ................ ._
MSRC ~.._.,, Slbatesnr T--rn
Books I Papers I G 'uidance
T1w 5ecurfty D--poment Lnecyde (H.,_.rd and Llpner)
p~ Guktoa ,_-Develop(ng -. .. P..-.co:.and~
M~-~ ..... -I.Hecyde (SOL) - Porta1
.... ~-..-..... -urec:ya. {SOL)- p...,._ ~no:. (-eb)
s.o,_..,ber 2008{5)
----{2)
~uty2008{8)
.»...-2008(4)
MSOB-078 and ~e SDL IAAAAAI
Hl, Mlcbael here.
Bwery bug is an ~ty to lea"'- and the security update that Fooed the dlat:a binding bug ·lhart a ffected Internet: ~r lll5ei'S is no eJGCe:pt:ion..
·n.e Conwnon V u lnerabilities and Exposur'cs (CVE) entry fo.- t hois bug i s CYE-2~-
~ore I ~ started.,. I want: t:o e:Mplain the goa Is OJf l.1'le 'SDtL i!llnd tfle sec:JL..W'ity ........::>rk hel'le at MCI"'OSSft:. Tbe: SDL. is desig:ned as a rnulti>-laryerred proces.:s.to hel p ~IIY reduce: seourity<tJUIInerabili ties; i f one: con-tpOnent ot the SOLpcooess fai l.s to~ o.r e21td> a bug. tnen SOf"I"W> other~ shoutld ~ o.- e21td> ll:he bug. ""J"h.e SOL. also ma::nda.t:e:s l:he I!.JtSe of" :sea...-ity defenses .....nose i r.npad .....,;u be: reflec:tect in the '"n"ti:tigat:ions• section of a sea."ity bulletin, because w.e knotN tbat no ~re devel~ pn:x:e:ss 'tol'Wi ll catch a ll sea..rrity bugs_ .As rw.oe- ha·~ sai d lf'Tlar'Jflytirne:s ... Hlegoal of. the SOL is ·to ""R.ed':uoe vulne:.-a'bilit::ie:s., a nd ..-eduoet:Jh.e ~rity of .......t-.i>t"s missed.-
I n this post, I 'Milant. t:of'OCI.JIS on the SOL- required code· analysis., code revieYhr., fuz:zing and CltCXTlpiler and operating systen> def'enses and hooY they· Fared!.
The bug t~Nas a n j.f"W'',0Jfdl pointer derel"erenoe in ~When die c::ode: handl es data bindi ng. Jt,Ats: i mportant to point: out: ;that ·ttlere ios no heap ~jon andl l:he.re i s no heap-based buff erovern.Jn.fl
When data binding i s . used., .IE creates a n object 'Yot'hich contains a n array ol da·ta binding ~~ In the c:xxie in question,. 'When a data bindi ng object: i s released., t:he a r ray l e.ngt:!h i.s nol:: C'OIT'ectly updated leadi ng to a f'unction call into f reed IJ"llleennrV-
'The ....,.._,..nera~e code llooks..a little l i lloe: 'this (by the wary. t lhe real array name: is _ar,P'Xfe~ ... but. !I r .g:ured A~fObjed:sFR>n'IIE i s a l i ltie rTIO<'e ldescript:;Ne fcx people I'IOC in the ]nlte~ E>cplloorer team.)
i.niL M!ax::rdx ·- A.r:rayOfOb j ec:t•-P :ro:!IIIIIE . S:i.:ze ( ) -:1. ~
.fo r t :i.:n t. ::i.-0 r .:i. <-- Ma...x.Xdx; :i.•+, ·(
c:-ont.inu..e;
Ar .ra.y O :fO b _ject•P :ro=---I E ( :i.. J - > ? r an a £er.E"ro:m.Scn .:a:rce C j ;
}
1-ite:ft!:~ ~ lthe:Vl.lllne:r.a'bility manifests itself: i"f there are ·tv«> data 'l:ransl"ers 'Wi"t:h thc: same: i denl::ifier ( so Ma>otdx is 2 ), and the fi rst: transfe" updates the l e.ngt:!h d the Arr.oyC)EObjec:l:sFn:wni:E anav -'>en its v.oo<t< -as done and ,...,...,..,..,. fts data binding objec±. ·the I~ count: woould still be Wh;a~ Mivddx was a t: the st..rt d the 2 .
O lX :Stirtic ana lysis t:ools don"t find this because t:he t:ooils 1NOt.JIId need t o ...-.derstand l:he rre-enb'ant na'b.we of the code.
FuzzT:esdng
OWASP Top Ten 2007 & 2010 use CWE refs
© 2011 MITRE
OWASP TOP 10
THE TEN MOST C Our methodology for the Top 10 2007was simple: take the MITRE Vulnerability Trends for 1006, and d istill the Top
APPLICATION S 10 web opplicotlon security issues. The ranked results are as follows:
30.00%
2007 UPDATE 25.00%
20.00%
15.00%
Cl 100:Z~Z007 OWASI' f-o!H!Oi7tion
10.00%
5.00%
0 .00% -. ~ ~ t~ ~ c:"Co
~ ... .Y u: c G.l _QCt:CI'
,2CC · ·= :2 .,S! !!:!~ 4!0\ e~~~ ... c. Q,j
Ll.. ::> .... 0~ - ... __ ...,rae~C' ·~ olD 011
c: .2::0 ~~:i ~~ .. - ~~~(J u- ~ E g-~ :g ~ 8'o .Q ~~ !!:!~ "'""'VI ecv.~
! =a: ~~~ 0 .lC 2 "' co 4.1~ c c -~ .. w ~~ c: ~ g..C. fie:" - ~ ~~~ 2: u= ;"'e 0 c ..,~ Z' --~~ - c.E' -o a:
Making Security
Measurable·
Fil1ure 2: MITRE data on Top 10 -b appDc:ati~m vulnerablotles fgr '1006
Ill li .!.!§ ... ., ~a= ii:c =>f!!~ ........ ~ g; c""
-~~~ =E.E (2Ci! - ~E ,-'!;:) ... o
~ u
© 2011 MITRE
" 1'11 " Code Review Introduction - OW ASP
8):::~} @ ® m Gt ( http://www.owasp.org/index.php/Cocle_Review_lntroductlon i1 <CJ T) ftl { OWASP
I Done
Log in
OW ASP L_ ______________ __J~ ( search )
The Open Web Application Security Project
Navigation
• Home • News
OWASP Projects Downloads
Local Chapters Global Committees
AppSec Job Board AppSec Conferences
• Presentations • Video I Press I Get OWASP Books
I Get OW ASP Gear 1 Mailing lists
About OWASP Membership
Reference
1 HowTo ...
1 Principles Threat Agents
Attacks Vulnerabilities
1 Controls • Actlv1tles 1 Technologies 1 Glossary 1 Code Snippets 1 .NET Project
1 Java Project
Language
I English
1 Espaiiol
Code Review Introduction
««Code Review Guide History ..
Contents (hid~]
1 Introduction
1.1 Why Does Code Have Vulnerabilities?
1.2 What is Security Code Review?
Introduction
Page Discussion VIew source History
Main (Table of Contents) ••Preparation»>
Code review is probably the single·most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort.
This guide does not prescribe a process for performing a security code review. Rather, this guide focuses on the mechanics of rev•ewlng code for certain vulnerabilities, and provides limited guidance on how the effort should be structured and executed. OW ASP intends to develop a more detailed process in a future version of this guide.
Manual security code review provides insight into the "real risk" associated with insecure code. This is the single most important value from a manual approach. A human reviewer can understand the
context for certain coding practices, and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach.
Why Does Code Have Vulnerabilities? MITRE has catalogued almost 700 different kinds of software weaknesses in their CWE project. These are all different ways that software developers can make mistakes that lead to insecurity. Every one
of these weaknesses is subtle and many are seriously tricky. Software developers are not taught about these weaknesses in school and most do not receive any training on the job about these problems.
These problems have become so important in recent years because we continue to increase connectivity and to add technologies and protocols at a shocking rate. Our ability to invent technology has seriously outstripped our ability to secure it. Many of the technologies in use today simply have not received any security scrutiny.
Ther~ are many reasons why busin~ss~s are not spending the appropriate amount of time on security. Ultimately, these reasons stem from an underlying problem in the software market. B~cause
software is essentially a black·box, it is extremely difficult to tell the difference between ~ood code and insecure code. Without this visibility, buyers won't pay more for secure code, and vendors would be foolish to spend extra effort to produce secure code.
One goal for this project is to help software buyers gain visibility into the security of software and start to effect change in the software market.
Nevertheless, we still frequently get pushback when we advocate for security code revieV\, Here are some of the (unjustified) excuses that we hear for not putting more effort into security :
•we never get hacked (that I know of), we don't need security•
0
•
Some High-Level CWEs Are Now Part of the NVD CVE Information
NVD XML feeds Calso include CWE
NIST Special Publications:SP500-268 CWESP500-269 CWESP500 269 CWESP800-53a CVE, OVAL, CWESP800-115 CVE, CCE, CVSS, CWE
NIST I t R tNIST Interagency Reports:NISTIR-7435 CVE, CVSS, CWENISTIR-7628 CVE, CWE
Idaho National Labs SCADA Report
© 2011 MITRE
NSTB Assessments Summary Report:
fHU£XT. , 0.. ,.,.~
Common Industrial Control System Cyber Security Weaknesses
May2010
TB ® '
SECURE CONTROL SYSTEM/ENTERPRISE A RCHITECT RE
........,<·$ ...... Palnb
g , , .. ..._
Level 4 Enterprise Systems: Business Planning and Logistics I Engineering Systems
Level3 Operations Management: System Management I Supervisory Control
Leve l 2 Supervisory Control Equipment: Supervisory Control Functions I Site Monitoring and Local Display
Level1 Control Equipment: Protection and Local Control D evices
LeveiO Equipment Under Control: Sensors and Actuators
ICCP Server OPC ServBf Information Server Applicabon Server
© 2011 MITRE
Table 27. Most common pro 1in Y errors found in ICS code.
Weakness Classification Vulnerability Type
CWE-il9: Data Handling CWE-228: Im¥ ... "'Y'"'r Handling of Syntactically ilnvalid Structure CWE-229: Improper Handling ofValues
CWE-230: lmDroDer Handling ofMissine: Values CWE-20: l.rnpro~>er Input Validation
CWE-116: Improper Encoding or Escaping ol Output
CWE-195: Signed to Unsigned Conversion Error CWE-198: Use oflncorrect Byte Ordering
CWE-il 19: Failure to Constrain CWE- 120: Buffer Copy without Ch.eck:ing Size of Input c·classic Operations within the Bounds of a Buffer Overflow") Memory Buffer CWE-121: Stack-based Buffer Overflow
CWE- 122: Heap-based Buffer Overflow
CWE-125: Out-of-bounds Read
CWE-129: er Validation of Array Index CWE-131: Incorrect Calculation of Buffer Size CWE-170: .LUJV.&.u..,er Null Termination
CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow
CWE-398: Indicator of Poor Code CWE-454: External Initialization of Trusted Variables or Data Stores Quality CWE456: MissinJ;?; Initialization
CWE457: Use ofUninitialized Variable
CWE-476: NULL Pointer Dereference CWE-400: Uncontrolled Resource Consun:tption ("~Resource Exhaustion·~
CWE-252: Unchecked Return Value
CWE-690: Unchecked Return Value to NULL Pointer Dereference
CWE-772: Missing Release of Resource after Effective Lifetime
CWE442: Web Problems CWE-22: Improper Limitation of a Pathname to a Restricted Directory ( .. Path Traversal")
CWE-79: Failure to Preserve Web Page Structure ( .. Cross-site Scripting'"")
CWE-89: Failure to Preserve SOL Ouerv Structure ("~QL Injection•")
CWE-703: Failure to Handle CWE-43 1 : Missing Handler Exceptional Conditions CWE-248: Uncaught Exception
CWE-755: .uL>v.a.v..,er Handling of Exceptional Conditions
CWE-390: Detection of Error Condition Without Action
© 2011 MITRE
Top25 I AppSec Street Fighter- SANS Institute
~ @ @ @ ( mJ 1 http://blogs.sans.org/appsecstreetfighter/ category/ rop25 /
Top 25 Series - Summary and Links Posted by Frank Kim on April 6, 20 I 0 - 3:4 I pm Rled under Top25 ··········-·········-············-·········-··········-·
As requested here are the links to al l the posts on the Top 25 Most Dangerous Programming Errors. Please let us know if you
have any suggestions o r comments.
I - Cross-Site Scriptin1: (XSS)
2- SOL lniection
3 - Classic Buffer Overflow
4 - Cross-Site Request Forgery (CSRF)
5 - Improper Access Control (Authorization)
6 - Reliance on Untrusted Inputs in a Security Decision
7 - Path Traversal
8 - Unrestricted Upload of Dangerous File Type
9 - OS Command Injection
I 0 - Missing Encryption of Sensitive Data
I I - Hardcoded Credentials
12 - Buffer Access with Incorrect Leng.th Value
13 - PHP File Inclusion
14- Improper Validation of Array Index
15 - Improper Check for Unusual or Exceptional Conditions
16 - Information Exposure Through an Error Message
17- Integer Overflow Or Wraparound
18 - Incorrect Calculation of Buffer Size
19 - Missing Authentication for Critical Function
20 - Download of Code Without lntegrit;y Check
2 1 - Incorrect Permission Assignment for Critical Response
22 - Allocation of Resources Without Limits or Throttl ing
23- Open Redirect
24 - Use of a Broken or Risky Cryptographic Algorithm
25- Race Conditions
Passwords
Jim on Seven Security (Mis)Configurations in java web.xml files
0
Nick Owen on Some Thoughts
About Puowonl• ~
ARCHIVES ( Select Month
META
Login
Entries RSS
Comments RSS
WordPress.org
: J
© 2011 MITRE
The Security Development
Lifecyde
Recent Posts
SOL Threat Modeling Tool 3.1.4 shlpsl
Ear1y Days of the SOL, Part Four
Eilrly ~ of the SOL, Pilrt Three
Ear1y Days of the SOL, Part Two
Ear1y Days of the SOL, Part One
Tags
Common Cntena Crawl Walk
Run Privacy SDL SOL Pro
Network Security Assurance
Secunty Blackhat SOL threat modeling
News
About Us
Adam Shostack
Bryan Sullivan
David Ladd
Jeremy Dallman
Michael Howard
Steve Llpner
Blogroll
BlueHat Security Briefings
SOL and the CWE/SANS Top 25
Bryan here. The security community has been buzzing since SANS and MITRE's joint announcement ear lier this month of their list of the Top 25 Most Dangerous Programming Errors. Now, I don' t want to get into a debate in this blog about whether this new list will become the new de facto standard for analyzing security vulnerabilities (or indeed, whether it already has become the new standard). Instead, I'd like to esent an overview of how the Microsoft SOL to the CWE/SANS list, May.
Michael and I have wr; ..... l~;.:;........;;;~=~=;;.;.o.,~~=o:=-.:-=~--:--=..,....,......,.,.-:--------~----~---~-------.
y
25weredeveloped ·~~:~:~C:~~~~~~~~~~~t:~~::::::::::::::::::::::~::::::::::::::::JC:::::::v::::J root them out of the s1
ana lysis white paper a n~d,I.J!!.._J~!.Mlli!li!l!!!!!!.!!!!!i!2!!...!!!!l-__ -:-~---:--:------:-:---__:L ___ ...J~--~L----_J guidance around every"'
made manyof thesame ~~~~~~~~~~~~~~~--------------------------~~----------------------~--~ for you to download and
CWE Title
20 Improper 116 Improper Fnr·nrl iir1 Execution with Unnecessary Privileges
Escapingofuutpl~====c'=~="t=-s=~=e=E=n=fo=rre==m=e=nt=o=f=~=N=e=~=s=~=e========================================================~
CWE Outreach: A Team SportMay/June Issue of IEEE Security & Privacy…
© 2011 MITRE
i1~ ;~lw~~ run!"" li r ill.• codL• n!Xd 10 .C>]'fUI~ l r lu~l, koxp rhl"rimc.-spon tlr~": H•Lk i~ h~h l'rivilc!(l-"" · on pcm~bl.~ror ~· . ..::r.m jllo;, in~ ~ pon tk•l¢1.1.' 10.!~ rll a ~~ ... --~IL~>til.lll Tt"I]Uirn t)..,
b.· run oul"O(tt , lml ~h<'r
Basic Training
CX"I cw.b-'l'J • '"' ~~ "'•I CWE-352: Cross-Site ~~ rNkiL"'I cwE-IIo w(JM(', Ill Requusl Forgory rlr roN. IIU' toni.: XS"- It~"' l~hr- Cro«-+Jif' ~ j(,~ ~ko ly, b ul: 1~10'-\· w~ ~"'"'n>nn• th41 \.-:111 l.nuwn ~ OR.F) ~ulnrnblmn
l"!\plU.: XS~ \"UinerJbdm~ an ~o iJir(' .1 rd:.U\'dy new tofm llt Wdl ,,,, rn ... OJi..,~t'"h.-.~ \\,·~~t"(f"o.w ~ul.oc. ~u·td. m p.lrt. by~ b.ad t'"'tAtnrl.r, the- S.anTt' "'""rill) AI'"• Wrb AJ-.plrnlliJfl. ~~ In Uturt, r~rch lnco Wc-b-rc-IJ:rc-d \"Ulnt:r. lhu dcsi.;n doc-~n'r \'m(yWt3 1\....._
.tbtllltn lu,. rr.:,:n·ntJ -...IMAu• q.~u <"Ml"ll" ti-ow ~,WJ ~' 1..'\J..lre
naDy 0\'fl tht-pm f~"''lo ~··..n. wuh and u t.INUd k'tlf~. nt.'IK .ou-f)
r"K"w Wl), •o -.t.kt h"iC~on. r~u- OJ) chc- mc(l k hllf. Gcntral)y, br!y u•~n;d For pure X~ 1~- d:rc tx-~t dcfnr~ ... II) n 'oC' a unir:JUC' IIK'I u d..W,.,<d bv L W~-71J. the -rtd unpred.n~ble l~y t-or eatb
be .. dd'cnwo ~ '" •alid.ttr :~II m· w« Trxlruomlt)·. w tlfymg urput \Cimuac d.au. TbKh,:u.ll~)bo;n du,_·,•"• •n•ijplC" •h"-l'olt~I)'J'C' 1-chc- right ;~pprt»ch ~..t wUI prd:J- Otto.~'" tllt" mpuc IS ~":lhd.
i!t.l) ~011tmuc rubc)()IUt chc-(dfc•
cc"'~lt" (uiUR". IX"-."'klpt..'l" o n 1lo,o CWE--362: aJd I bvC'f Q( dc-(rt"M bv ~UliC Race ConditiOII o....rpm de-rn-cd fmrn unuu\lrd m
puc (~l!t' CWE-l lb).
CWE-78: Failure to Preservo OS CommtJnd Structure /1.·1 .. 0)- ... ~kllli,.:,m, put4ullrly :.cn"t'r aprl l(OICIOlr.. n-tri-..r- un
t nNcd ~ ~ad UlC' cht- data 111 thrmlu llllt'"rJn \4-ICh tbl.' un
d~~·rn, OJIC'Ulmr '>"""'('"' U11· (ottun.ad~, t lus <:an Jud rG ICYCN"
-en-crromrron•~sr •tdk' •noom••lf(. d.IU I!D I.UUJ)'I:C"d--:1~111. d'oe bee dl+-n~ b 10 cb«l ~~ d:K;L Ak(J, fUIUllll.J, Ihc j)C«IIIUUy vulnr:r;it]f
JprJi.o .. '"llrion wdl ~· PfWdctc can ~~~ I..OUI,nn tbr J.MJU~,
CWE-319: Cleartext Transmission of Sensitive l11formolion ~l'ft\Tfft'C' dMil ftlfi'(C oln•wo..•t, iX" r rtXc««< t.t lt"lit ~nd \\hllc On
th~ I.I.U~ llil bt-.t 0lt.i!u; In
thu vuJnrnbll.ay tt 10 l r< a 1.-dl· t~ted u.•chnob(cy uh .- ~LJ TU or II'Sc-c I}(WI\ (nTr1) CrGil f"
ymar~n O>m.mt.~c.K:Oruon mc:dlod ~,.] lrHIIIJIJrJf'lll< d!:fnlloe'. Tb\1 \\t ahn1 " rthrcd ro CWF-127 C'" tho: of:~ Oro ke-n« R.ilky Crntlogt••J~nc Algorlllun'). 110 n.ul«o ..Urt" )"OU an::n'l \UIO¥ WC'». ~1-bJt
l-lC"-I orWT"\'cl--kf') ll1'5«
RJCC conr:IIIIOfl• <111'" I IIUU 'tt f'R'bltnli t."lt..t lor~d to une" pcc:tcd Ldl~o,· t~oM--IUr o..tn1pk, 111:1 opj·lt~lltim II'C"U tikn;amc- to Yt't t·
fy du t Jr fik c:tnu .rnd dlC'n Ufll:1
lb: Qlllt" filen:~n1e to op!n tlul hie 11w pwblen1 " 111 drc ... u.~ll
nnw dd~· bc-nu~o.."'ft t h.; ch~~t .wul 1hc- iik· npt'tl, "hkh JCt-:K·\
crs nn tHe to ctl:.ne,"C" the- fik or
dt"lc-tf' Or crrJO: a. 1 tw ~kn " '" 10 ln111JP«' Jilt" tytenll Ul\' CU.•
dKlon~ tJ to opm 1hl: oio)('n 11 d
thr•n utc- the- rt'~ulm-.: h:mdlot l"cw futthn opc.-nt tOII'. At~. C'!Jn
~I.L.·r rcducu~ r.ht "'-'OJ'f of3furcd o~«n-fcu t'<i~mi)W. '""pot"Ji"' fi)u ihould be li>t'.•l 10 Ill<" u o,n
.llld r.ot 'lu!"f'r:i '-'ltb ntl.lbplc-u$tt
.etlOU.JM\.. Cutll"•t 1-•.,r '''r)o.lnvn b.UMlCI pnllllllVI."t 4nluttX~ '""nJphon-, , cntJOI secoom:) " \lm•l~orl)tlllporum ..
CWE-209: Error Message lnformllticn Lttak Enot m...,rnudc. 1..'1 U IUGII 10 dtNBJCH~ flilrd Opc"rlll.nnt. Nr you
tnwa 11tld tTOUnd \\ bo c.~ n rod th.lt d..u..l. lnlo'C't'M"Nl you~ !"'1"-.rton Jn1rk-d t"lh)f llle1U_, co
trU!Ird we:rs. Rnnoo: a;od Mlon
vuwu~ Uk'n tiuuld ~~ ... 1~rumc me'"""~ wd tht" drt.ulc-J tiJia
l~1o~n.JrU<Ia"~
h'~ C!lll1110l.UI lo "'= uxk "!)C~
t iOn \'ulncr.ab:lhl•d 111 J:l".tStt!pt
<"ud~ d1~t ~""' ~ u.nn){ ~·l'l!lml· CAlly o~rlll r.r~~1 !I \0 ev.d I) lo
~:XeCllU·, II th: ~.eka controls LbC""W!II'(o:"\Crillfl,in.•ny.,..~·,lwc:or
lhr: u n l"THH". J. nuhcow pl)"bld The flmplrst WI)' tO mdioce chii kmJ of bUR~ ro rndtcJlt' 11tc U\t'
or evolU. but d!~t rould m.:.m n'dN~l.lng the 1prbc:uion.
lll'nl:". f"un lt"itU'S 1S ~ISO ctkCI"fYie
:11 tk-t\.'"~"1:. CWE-665.
CWE-682: lnco.rrect Calculation M:w•t bv~ ovc:rrum in C ~,u
C++ oodo: tech)- arc .u:nu.Uy ~l;nN 10 IIIWU('l."1 b\rffi·t-OT;!tny-<:iZ~:
nkulmom If Jll Jn JCb:l (OJ}.
uo b ¢11(" 01" utOI\: of the o:kml'llt$ m a si:ze~ akubuon. he oc dlt em
chc \Tr')' kan, IO<Ik kv ft"m11 hko: ·pwd~ and ·pa~-ord" :md I.T.l;tkt" ~~~~ \ou luVC'" II¢ hAr<:l-coded p.mWffl"dl or x cn.."'t daca m the- code. VoLt i h au ld :tho JtOflt' tlm d;to m
_.'<.'Cure lm'~Mion w 11lu n the Oj>
a-..:ang.f)'Stl!lll. ll)' kCt.lll', l~ll pNitetrlwlth.;rn -1ppropri:~~t"pt"r•
lllliOOIJ()f m .. r)I{H 11 .1nd JlOil'l l
!he '-'llcrypnon key wtth an ~PJ'fOprixii." J'C'""'~o"ion
Basic Training ld ... : .. k-.r hnl.dcnlct-.11.-lu ......... .,._.., ml"'-'-''i!mil::......,fl.c::oi>r-.
Improving Software Security by Eliminating the CWE
f\hliAll
H<M""' M,•(;r()$()/t
..
Top 25 Vulnerabilities
I njanuary2fl09. MITR.E ancl SANS i~~nc;"d rhc "2009
CWE/51\NS Top :B Most Dangcrou> Prognm•
ming Ermrs" to hd p make developers more aware
of rhe buS' th:n C:."ln c.a.u.~ r.ecurity comprornisd
(hnp://cwe.mim·.ol)tltop25). I \\l;l.S one of the m:my
from indunry. [:0\"o:-rnm~IW, 1nd ac;:KI.e!lri;:r wflO provi<k.>d input 10
llll.· do:xiiiiM;(I(,
CWE. ""'hu:h $tlnds !Or CA11t• ni<'Jn Wc-~h•ti~ F.slll!llld".lfitlll, i• 1
I"'QJI'CI" tp(n'Wm:d by the Nniott:~l
C)-bn- Security Oh·ision ~ t!~ US Jlt-pumto::·nt c-IHomrb Jid Socuritr 10 cUwfy Sl"CUf~' bup. I t :wit;m. I uniqut number co "~1lmc.~ f}f<!S ~11.:11 n but!Cr on rrmh or cro~t k"riplinjf,l.l~ (for.ot:l.mpk. C WEyn i~ "Use Q( ..1 Um h'11 nr R tlk~·
CryJ'(ognrhir lllGM thni'), Shtwtly :;r.(C\"1" dk: Top 2.5 1.~·, t't'l~,
MkrUIOft unvt:'iiOO a docvrnmt t·n· ntk.-d. ~Tile M tntMfl: SOL ~nd the C WE/5ANS Tup 2S,"' to (':o;pJm huw Mi<'MSOrr's ~ • ..,my pr~~ Olin lwlp ptt."\' \!"ltt the want ottCndef"!l 0mp:1/blo~m\lln.c0lll/w.:ll/ au: lli"e/2U09/Q 1/27/;J l-:u1d·lhc
-(\\'li'-4:ti!J·top-l5~p:(), Fu ll <lo)c:ln..un-: I' m o nr: ol1lut
dorurn •. •nt's oo.urthon. but Ill) ' purpose he-n- isn't (0 tq;!"to:tyit-Atl" th:MKfi.N)fi pk"Cc.-. lhd1l't. Ill)' J::OOI n
ro dt'SCribr !Clue bC'st pncti-!'t."& t lut c:m hdp yo.r d.imin;n..- the CW £ Tor25 ' '"'l.!ld"lbilr.tib in )-uurown d~ltlplllllltl: l!nvbomrw1a :md j)«XIUl"K )1\ t ho i lli]'Oit~llf t l) llll
dm!~frd 1h<M Old~nt:: the wo:4k-
68
l'lk:Odln~Wdo..N.'>C.'dnutpo!!is..t dc:
'"n~ in t ..-w rhe do.-v.-.l<.per do~"'n'r dctei."t Jnd prewm ntJticiom Web inp11 (...,.,. C.WE-79 ~no.l G 'll:.rE.
ZO). Hawt.'"\"l'f. rhl" mdumy tm seoo m~n~· ~urit)· bu~ ti!Jl .-.-..,Jo.l h:n•t b._.._ .• \ f"'C\"cnc:etl ;;r, ohu•~<= t..l
Improving Software Security by Eliminating the CWE Top 25 Vulnerabilities M tCIIAll HOWAAD
© 2011 MITRE
Korean
© 2011 MITRE
Japanese
© 2011 MITRE
The Web Application Security Consortium I Threat Classification Taxonomy Cross Reference View
@:::8 .. @) @ (!) @ http:f/proj ects.webappsec.orgtw/page/ 13246975/Threat-Ciassification-Taxonomy-Cross-Reference-View Q ,. ) (,t• { Google
The Web Application Security Consortium
Q wiki Pages & Files Search this worts pace
VIEW
Threat Classification Taxonomy Cross Reference View 0 Tags: Threat Classification
last ed~ed by 8 Robert Auger 10 months, 3 weeks ago u Page hlstol'f ~ Check for plagiarism
Threat Classification 'Taxonomy Cross Reference View'
This view contains a mapping of the WASC Threat Classification's Attacks and Weaknesses with MITRE's Common Weakness Enumeration, MITRE's Common Attack Pattern Enumeration and
Classification, OW ASP Top Ten 2010 RCl (original mapping with OW ASP Top Ten from Jeremiah Grossman & Bill Corry) and SANS/CWE and OW ASP Top Ten 2007 and 2004 (original mapping
from Dan Cornell, Denim Group)
-WASC ID Name CWE ID CAPEC SANS/CWE Top 25 OWASP Top Ten 2010 OW ASP Top Ten 2007 OWASPTop
ID 2009 Ten 2004 -WASC-01 Insufficient Authentication 287 642 A3 -Broken A7- Broken A3- Broken
Authentication and Authentication and Authentication Session Wanagement, Session Management, and Session
A4 - Insecure Direct A4 - Insecure Direct management,
Object References Object Reference A2- Broken
Access Control -WASC-02 Insufficient Authorization 284 28S A4 - Insecure Direct A10- Failure to A2- Broken
Object References, A7 Restrict URL Access, A4 Access Control - Failure to Restrict - Insecure Direct
URL Access Object Reference -WASC-03 Integer Overflows 190 128 682
WASC- 04 Insufficient Transport La~er Protection 311 523 319 AlO - Insufficient A9 - Insecure Transport Layer Communications
Protection -WASC-OS Remote File Inclusion ~ 193 2S3 426 A3 - Malicious File
Execution - --WASC-06 Format String 134 §l
WASC- 07 Buffer Overflow 119 120 !Q 100 119 AS - Buffer Overflows
WASC- 08 Cross- site Scrl ptinq Z2 1UH1 Z2 A2 - Cross-Site A1 - Cross Site A4 - Cross Site Scripting Scripting ()(55) Scripting ()(55)
WASC-09 Cross- site Req uest Forger:t 3S2 §I 3S2 AS - Cross-Site AS - Cross Site Request Request Forgery Forgery (CSRF)
·"· ·' I Done
SideBar
WASC Projetts • Distributed Open Proxy Honeypots • S<ript Mapping • The Web Securitv Glossarv • Web Application Firewall Evaluation
Criteria • Web Application Security Scanner
Evaluation Criteria • Web Application Securi!Y Statistics • Web Hacking Incidents Database • WASC Threat Classification
WASC Project Leaders • Robert Auger • Ryan Barnett • Romain Gaucher • Sergey Gordeychik • Ofer Shezaf • Brian Shura
WASC Main Website • http:Uwww.webappsec.orgl
WASC Mailing Lists • http: l/lists.webappsec.org/
IYASC on Twitter • http: l/twitter.com/wascupdates
Join us on Unkedln! • http: uwww.linkedin.com
/grouos?gid=83336
Recent Activity
) Insufficient Data Protection Working
0
,. ~ • • .AI
© 2011 MITRE
IBM Software Technical White Paper
Test and vulnerability assessment
One way to improve software security is to gain a better understanding of the most common weaknesses dm can affect software security. 'V\r.th that in mind, there are many resources available online to help organizations learn about
Testing applications for security defects should be an integral and organic part of any software testing process. During security testing, organizations should test to help ensure that the security requirements have been implemented and the product is free of vulnerabilities.
Resources available to help organizations protect systems
Resource
DoD lnformaoon AsSI.tance Certification and Accreditation Process (DIACAP)
Oe~ense ln!ormatk>n Systems Agency (DISA)
U.S. Dep~nt of Homeland Secumy (DHSl
The Common Weaknesses Erl.Jmeraoon pro!ect, a comrrl.Jnity·based program sponsored by the MITRE C01poration, an IBM 8usi1ess Partner
The Open woo AppfiCatlon Secumy Pro!ect (ONASP)
Cighal BuiX:Mg Security In Maturity Model (BSIMM)
IBM X-Foroellol research and development team
IBM lnsthiAe for Advanced Security (lAS)
Focus
The DIACAP defllles the ffilrlilllllll accredited by the DoD and authorized application-level security controls, rut it activities, geoer~ tasks, and a ma~>aoetnl
The DISA provides a security technical 10
devek>pment that offer more granular inld!'l'l'lll'~'el"'"!~!emlel'l""~le!'l'l'l'lll'll'"!!m~ll"'mm tliity assessment techniques. The Checklist IS the
The DHS offere lllforma!lOn on secLtity best practices and toots for application· and part of its 'Butld Security In" initative.
The MITRE Corporaoon mailta.ns the online common vulnerabilities and exposures enumerallon (C'M) knowledge bases aboiA cLtrently known vulnerabi~ies and types knowledge base focuses on packaged software and deals with patches <Wld known knowledge base focuses on code \'\Jinerabilities.
one or the best sources for l'lloonatlon on web afl)lcallon security Issues, the ONN:R 1 o list of the most dangerous and most commonty !oltld and ccmmonty exptlited how to iden!dy, r.x and avoid them.
Created by Ogital, M IBM Business Partner. the BSIMM is designed to he'p OI'Q<lniZlUIOt and plan a software security 111illative. The fccus is on makng applca!lOns more process and at later stages 111 the software ife cycle.
A global cyberthreat and risk analys;s team that monhors traffiC and attacka around the IB'vl X·Force team is an exce ent resoLtCe lor trend analysis and answ·ers to questions a!tacka are most common, where they are ccmilg !rom and what organizations can do the risks.
This cc~arly'Mde cybersecurity initiative applies IB'vl research, seno!ces, software and he'p governments and other crents i'llprove the security and resi ency of their IT and
Common
--------- ----= = =---= - -- ---==-=·=
Security in Development: The IBM Secure Engineering Framework
• Investigating common development processes and the IBM Integrated Product Development ptocoss
• Emphasizing security uworonoss and roquiromonts In tho sottwnro dovOiopmont procoss
• Discussing test and vulnerability assessments
Li/JI Redbooks
© 2011 MITRE
~ Software Enginee ring Institute
Security Measurable·
Making the Business Case for Software Assurance
NaneyRMea.d Julia H. Allen W. Althi.U Conklin Antonio Orornmi John Hamson Jeff Ingalsbe James Raney Oan Shoemaker
April 2009
SPECIAL REPORT CMUISEI-2009-SR.()O 1
CERT P-rogram .Un1mtled distribuclor 'ubject » :Jle a:~~ht..
C.1rn•-giel\lcllon
OVM: An Ontology for Vulnerability Management JuAn Wang & Minzhe Guo
SoUlhom Polytoctwc Slato Unlvorsity 1100 South Mariclta Parl<way
Marietta. GA 30060 (01) 578-915-3718
[email protected] ABSTRACT ln. order lO l't'Mb lbe goals ()( llle lnforma.tioo Sett~ri.ty Au:tc.natioa Progra.o (JSAI') ( I). we propose .., O<l»>OSi<>l 'l'proach to ~pLurin& and us.ifu-jng tbc fw'lda:mcAtaJ conttptS in infomwioa security ~d their rtlahottS!up, t't'trievuli V\.ol ttctabit t~)' dau a.11d rtuaning oltoot the tlust a:nd irnpfiC'l oJ \1lloerabilitieJ. Ou ontOk>ai for wlneral:uhty mac~ageoent (OVM) bai been popUa!Cd will! aU \'Uioet:l.bilities in ~'VO [2] wilh adc!itioaal it~fttt"GOC rules.. ktiO\\ ledge ttpc"eSC'c.tatiOC'L atJd dat.a·minang elcd!Mist:1&. \\'itlt l~ seruniCM inttfllt.ioft of co1~~ \"\l!ncrabtlrtitli a:nd thcu- rel2:1ed cooocpts s:ueh a.-1 ~tacks a.11d countet1'001su.rtt.. OVM pnwidet a proe~.iii!t& pa!hway to makit~ I SAP Si.JCQtSSful
Categories and Subject Descriptors C.2.0 [Computtr<ClmmuniCidGn :litf\'l-ot'ICJ~ GtneraJ [Seturity and protect.lon), K.6.S [Mana;t1ntnt of Cotuputtnc u d Lnforma.tlon SyJttnu): Sccuri1y end Prott'Ction;
General Ter ms On:~>logy, Sceuril)', Vu.lnernhfl ity Ana.l)-sl:s ~~ld ~a088ez~t
Ke)'words Stturi1y \'\lltlm:bility. Vulecral:ullty tnai)'SU
1. INTRODUCfi ON
~tthooiOf!Y.
'lbe lnformMion: Sccw-iry AUitlrnltioD Progr&~n ((SAP) Li a t:.S. ~·ttn~neat multi-ag.mcy uuli:!.twe to enable tLtomation tjld Star'ldanhzi:tioa of toch.Utal stcumy optraUOilS ( I). h.s blgh-!1!'\'t! p)s include S:ltnch:tb M:!ed ac10f~tian or stl!tlnl)' ~~ing and rtmcdra.OOtl u well ti a.utOrn&tioo of uxbrlical ~baoct acth tlics. Its low·k\el objtetl\ ts u)CI.Jde enabJi.a& sta!ld!.!ds baud Mml!'lunicalicon. of wln~lit)• &:lUI, ~uw•rmi~ina and t:'lanagifti CC)ftfigurttioa basclii)('S for '-'li!'io~ IT product&. tiSC:'Uing tnfCWI':'!alM)It S)'Rtlns and rtpoc1u~.g eornplia:ux 'lalllS.. tl5iJ~.& stMda.-d. t!'le'Lriet to wdsltt at:~d aggrt£Mt potential \'\I!I.C1'11bibty i.mpatt. .. ~ rtmediancg ide:Dtifitd \'Ulnttabtbtics (t ], Seeurc cocnputer !)'~tC!!:\5 ~l::$tn that ocmlide1Uial11y. intcsrity, -~ availablbty an: rua.inta:intd for wm. da&a. a.t~d ocho' l!lf<lm!:3Uon ti..iets.. C>vc:r tbe. pa.'it a ! I!'IA' d«adcs, 2. !lattifi-eanlly lar£c amouR!. of kno'll'locli.e bas bttl1 attusnu.latcd ic me lrta of infamttuon !ecutily. How~. a. lot of conee-p~S irt infon~tiot1 IC'CUrity art \'lguc.ly detioed aDd JOC'Itci:rtlts they ba\"C dJ.fferun
Per:n:11:c:a ta rrde dis:-t:l a r h-.""1! Cllpie:s; or :~f) D:" ~~~ of tb:ll -.--c:& illlr pcrMXll) or (":U.roQ!ID me is gnm!CU 11.11ixnu fcc pwndcd t:lz: ~ ~ 11101 !Ia& cc- tinrillt:ttd few Jftll11 « commrtrial ~~c.h-ar.:gp W dill c~~ bt:::t tlu Mt!e~ 11~:~d ~he full d~uo an. t!!c l"a:K pa4tc. To CO;'I)' O'Jiawi sc, 11:t :cp;~bbb. w po:s; oc I'C\~ ar XI redislribi;;".C' 10 li~"' rtqlaftJ prior 9«ifk pcnt'li1llioa.tmd'or a ire..
CSDRW'09. A.pril U· JS., O&t Riqc.. TCCDC'Ute. USA Cop)'f...gJ\l C 2009 ACM 971-I 60SSI 511 5 - · U.OO
.sema.ntie:s in difftmll C()(ltclO.tl. eau:ting mdundc:ri1andiDg among stale holdm due to lite lart~ ~tbi~t)". 0!1 tlx Ollter llatld, the standardil.ation. desi&n and dc"-clopelC'tlt of security tools ( I · S] requue a S:)-stetna.tic classa(!Cflt.IOO attd dtti::ubQitl of Sffi.lt'ltY
coneeplJ and t:ecbuiques. Jt is i:mpo1tan1 to ha\'C a dcatly dcfutrd ''OCibvlaty attd i t&lldatciizcd lattguage as means 10 accurately comnw!tiell!c !I)'Uttn ''t..lncrUility information lt!ld their c:oorttttmeasll:les amona all the people b"olved. We bdi-e~-e that semuti-e tecb2101og:y i" gcec.r:ll!. and oetology in pa.·•'tict.1at. couJd bt a useful tOOl (Of S)"Stt~ 5C<'IU11)'. Our rtS~b wort ll&i (:Qilfl.nncd d 1.i,. bd.ic f aud llti• ~""ill tC!)Cnl 310nlC Of Ot.il .,."Od,.
u1 lhis area.
Aa ontology lS 1 spec'ificalioll of eooctplS Wtd their n:lauooship. Or.tology tq~ts kDOYA-cdgc in a fomtal &tid s.tructiJ:Ied foro. Tbtrtfort~ ontology pr<widcs a bcncr [001 for tocnl'ml.nie.atiort tct.tsabihty, and ot~l'!.iU"!l.O!I or k.M'Iili leqc. OtuoiOB)' IS a k.....t~ reprcscnO>tioo (KR) S)'lltm bosod oo D<scnplion Log,cs (DL.s) (6]. wrucll ;, .., ""'!><ella •• ,.., for. r.,.l)' of I(J(
forma.Jis.tn!l ~ tnowkdg,c in \'lriOtJ! domJ.im. The Dt formal iant spec~racs a knowkdge do.na1n ai !he ~-orld .. by first defmin& dte rel~'D!lt eooecpts o f lltc dotnail'!... and men it IJl.C'i
these: concept~ to specify ~ties of obJociS and 1ndlvidl:!a!s oct~.~;rri~ in d~.e domain (10· 12~ Semantic &c~h.notogies DOC onJy provide a 1.001 f01 C«''rnurtlcatjc,a, b~.:l a.lso a fOUttd:u.ton for ~Je\,'cl n:;a§()(litlg aDd dtcision .. ma};jng_ Ontology. in pcl1licular. provides &he polezn iaJ of f<1nnal logic infcrtoec: ba.ied oc• well· deftned data and lrru!O'Witd.ge bouts. Ontology Ctpi.U."'Ci lhc n:lationships bnv.'tt!l colk«ed ciata and tast lbt tApiiC'It
ki)()Y.'led~ of ooneepa and rclatiom.h.i!)l to deduce d~e impli-cit and inbci"(''t ktl~ ledge~ As a maatr of fact. a hea"y-we1gln oetology roWd bt defined a& a fetm,al1ogte t) stem. as it i!lelcdts facu and tuJcs. tooXp1&. <"OIICc:pt: w:onomies. rdatio!tsl'tip8. propertjes. uiotns and eo.!tStra!!lts.
A \'UI:lerability IS a secunty na.w. which. anscs froo OOI~I)alttt S)'Sttm dni~ imp1mltnta.t.ibrl. •naintccanet'. and opcratioo. R~ 11t tbe a..-ea of vuloerabiLty a•~l)'s.ts focus.es on d:SCO\-Ct')' of prt:Viously W\kl1i()'liVn ' 'WDC:tthititici and q.ul:ntif.catic:m o f the SC('wtty of S)'filt::ns aocotdin,g tO SOI:'IC C'IC'IncJ. Rc:scarehtrJ at .Mint.E ha\'C ptO\'ided a. i!lltld!n! fomw fllr na:ni.ng • seturit.y \'L.Jneratuhty. e~lod Com!~ \'ulntrab1h~ies and Ex:poiUteS (CVE) ( 14}. \\1lich asi.igns eteb vulnei'Ollility a Wl!.qtJC .dtnttfication n;.~mbtt . We havedcsiSI~ a vuh'ltrabtlii> OOt(>loG)"
OVM (oi\Ullosy Ill< \-ulncrobilily lllll!lll!l<"""') populated""" Ill tx:~.Stiag ,'11JOO"&b11ititi in t\ VD (2). Jt suppons resc:arch Olt J'C'tiOning abot4 vutnc.rabilities and eb!lt9CICJiza:tion of \'ioJI."»Ct'abbliCS and tbc1t u:'lpa~ OQ COC'l'lt~Uti::IS: S)'SIC'I~~. Vendots and tHen tan !lie Obt ontOlogy in i"'potl of ~~!J!CI'Ibility ana~is.. tOOl de.,.elo,)l:nent and \'Ulncrabtlity rnarta~C;:'I\t'l'lt.
Tbt rest of this pipet • ~c:d 111 foll~11: Seccion 2 pmcrm tl~e vci'-Jteccw-e or ow OVM. Scetion 3 di~ecsses bO!.O.• to popUa!elhe OVM "'""th vulnerability i.z:.stlnoti from NVD ltld ocbtr
© 2011 MITRE
Making Security
Measurable·
A Policy-Based Vulnerability Analysis Framework
By
SOPHIE JEAN E:-IGLE B.S. (University of Nebraska nt OmnbAJ 2002
DISSERTATION
Subntiued in JlArtlal sad.sfactlon of tile rcqulrcm~ms for the degree of
DOCTOR OF PlllLOSOPIIY
in
Computer Science
in tlte
OFFICE OF GRADUATE STUDIES
of the
UNIVERSITY OF CALIFORNIA
DAVIS
Approved:
Professor Matt BlsllOJl (Olalrl
ProfessorS. Fdix Wu
Professor Karl Uwln
Professor Stan Pclscrt
Committee In Charge
2010
Analysis-Based Verification: A Programmer
Oriented Approach to the Assurance of
Mechanical Program Properties
T. J . Halloran /\lay 27, 2010
C.'AU-LSR-IG-112
ltt•Litutc for Software ll.cscarch School of Comput<>r Science Carnegie Mellon 1,; ni"crsity
Pitl,J,urgh, PA i52 i3
Subrnittrd in par·tial ful}illment of 11•• ""Juin:mtn~• for the degn:e of Doctor of 1'/ulosor•hrJ.
Thesis Co nunlttcc : WiUiam L. Scllcrlis (advisor)
J atncs D. HcrL.,Ich ~lo.ry Shaw
Joshua ,J. Bloch, Googlc, II>c.
Copyright @ 2010 T . J . llalloran
~-~..,b._,.~Uo..,. ... ..,,._....,""""'"-~U·•·t,.....,. . 11&1.,"- 'Al!-' '<."Ca.12M....,~'~"1Loc..kll.oeod.Mw''- RJV.:JI.Slrtt ,.., O-\"-D1!102 0* I.MIA.I ~ IC..O'O 'O!"• ·-.-... ~I•t ... 40tll•!~-lllooo~,. .. l .. t>...._...,_afldl...,...~t(I(M""1~1Ht'44'11 - .....,_.~ t"-~ ,.1~ .. ,.lllll',_l or •••~ttltltoo .,._,..,. \.'"' ('_.,,...,,,.,c-.,....., \1•11,.., u._,.
Linkage with Fundamental Changes in Enterprise Security Initiatives
CWE and CAPEC included in Control 7 of the “Twenty Critical Controls for Effective Cyber Defense: Consensus A dit G id li ”Audit Guidelines”
© 2011 MITRE
Linkage with Fundamental Changes in Enterprise Security Initiatives
CWE and CAPEC included inCWE and CAPEC included in “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem
© 2011 MITRE
y ywith Automated Collective Action”
© 2011 MITRE
https: // bui ldsecu ri tyin.us- cert.govt swat foru ms.html
~~~:~E:,,:;!~~~E~1~.e 4Y
, ..... , ...... ~ . .., .• _._ ... " · SE!'~h-(S!Jcu'!>tcwnl:le
HOME I AeOliT I RESOURCES I ADVISOFUES EVENT'S WEBINARS PODCAS'TS PROCESS VIEW
SwA Communit iu
SwA forums. • Woriclng Groups
Workforce Educabon & Triilnmg
Proc(!S5es & Practices
Tedvloi09V, Tools a Prodi.Kt Eval.
Aequlsibon & Outsourcang
Meuurement
Bus1ness Case
Malware
SwA Mitrtl:et Pl~e
SwA Ecosyst em
Making Security Me.asun~ble
lultd Security l n
Fonuns
The Software Assurance Progr.lm of the Department of Homeland cyt>er seru~ty Divis'on co-sponsors SwA Foru~ semi-annually Department of Oc'cnse a.nd the National [nsbtut c for Standards and purpose of the forums: is t o bring together members of government, a~demLa with vested itlterests In software assurance to diSCuss and se<:t.ui ty, and rellab lity In software.
FORUM PRfSENTATIONS
SwA Forum presentations: that arc relcas<.'d for publicat ion are posted
~}_t;!I,.,~.'!I-1.:~~~~!! .. ~~~~--~-L!.~-~-~-~~- - september 27-0Ctobcr
~-~-t-~---~-~-1::.~~~~~~--~~~~~--~!.~.~-~--~-~~- • Marcf1 9·12, 2010
~}_t_~---~-~-1.:~~~~~~--~~~~--~!.~.~-~--~-~~- · Novcm~r 3·5, 2009
~-~---~-~-~.:~~~~~~ .. :?.~~~~~~--~-~-~-~-~-~~- · March 10· 12, 2009
~-~~~~~~.~.u.a.l .s.o.":~~r,~ ,A,S~~:a~ .. ~~-~ • october 14· 16# 2008
SWA WORKING GROUPS
Jn between SwA Forums, the DHS SwA ~rogram hOst s SwA Worl<:lng provide venues for publ~c-prlvate collaboration in advandng init iatives. and status updat es rram the SwA Wor1dng G rOups are Forums and to other relevant stakei\Oidcr grOups. For tnOre lnrormat!on
SwA Communities
SwA Forums & Working Groups
Workforce Education & Training
Processes & Practices
Technology, Tools & Product Eval.
• Activities
· Resources
• Collaborations
·Research
Acquisition & Outsourcing
Measurement
Business case
Technology, Tools and Product Evaluation Working Group
Resources
SwA Tools Overview
Common Attack Pattern Enumeration and Classification
Federal Plan for Cyber Security and Information Assurance Research and Development:
Available for download on the ~~~i~~~ l ~e~t~ i~~~i~~Qffi~~f~~ ~~~'lle~~i~g ~~~
!~f~~~.~ti~.~ ... T~.~.h.~glg.9Y. ... ~.~~.~~.~~h .... ~ .. ~.9 ... q~y~lgp.f!l.~.~.~ site.
F~QS~i~Q ~~tr:a~tigQ : A~tg~a~e~ ~~~~yig~ ~gf!lp~~a~i~Q f~r A~rg~p~~~ ?g~'ll~t~ Verification and Certification (PDF)
Questions?
© 2011 [email protected]@mitre.org