Making Security Measurable (a.k.a., Architecting for Measurable Security) - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Making Security Measurable (a.k.a.,
Architecting for Measurable Security)
Robert A. Martin
Presentation 2.3
ARO Workshop on Cyber Situational Awareness
14 November 2007
2
2007 InformationWeek/Accenture Global Information
Security Survey
Published July 16, 2007
3
2007 InformationWeek/Accenture Global Information
Security Survey
  • Many Types of Attacks
    • known vulns in OS and packaged apps
    • misconfigured systems
    • unknown vulns in own apps
    • aimed at DB, applications, and web sites
  • Need to Master Many Technologies
    • firewalls, anti-virus, anti-spyware, app firewalls, IDS, SIMS,
      vulnerability scans, patching
  • More Vulnerable Because of
    • exposed backend and homegrown apps
    • increased sophistication and volume of attacks
    • more malicious intent
    • lack of senior attention
    • incompatible security products
    • unable to adapt policies/configuration rules
    • outsourcing

Published July 16, 2007
4
Today Every Organization Has a Different Way of
Doing Cyber Security
  • Cyber security tools, practices and technology
    have evolved dramatically over the last 10 years
  • The result has been that most enterprises have
    been buying each new tool, training their people
    on it, and integrating it as they realize they need
    to address a new area of Cyber Security
  • Then they buy another tool, train their people
    on that one too, and integrate it with the other
    tools
  • Repeat for each type of security tool/challenge
    that appears
  • Result - each organization has a different
    tapestry of tools/processes integrated together
    trying to do the Cyber Security job
    • Assets, Configuration, Vulnerabilities, Patches,
      Intrusions, Malware, Malicious Code, etc.
  • Instead we should be architecting our security
    measurement and management method and get
    tools to implement and support it.

5
What Do The Building Blocks for Architecting
Security Look Like?
  • Standard ways for enumerating things we care
    about
  • Languages/Formats for encoding/carrying high
    fidelity content about the things we care about
  • Repositories of this content for use in
    communities or individual organizations
  • Adoption/branding and vetting programs to
    encourage adoption by tools and services

6
The Building Blocks Are
  • Enumerations
    • Catalog the fundamental entities in IA, Cyber
      Security, and Software Assurance
    • Vulnerabilities (CVE), misconfigurations (CCE),
      software packages (CPE), malware (CME), attack
      patterns (CAPEC), weaknesses in
      code/design/architecture (CWE)
  • Languages/Formats
    • Support the creation of machine-readable state
      assertions, assessment results, and messages
    • Configuration/vulnerability/patch/asset patterns
      (XCCDF, OVAL), results from standards-based
      assessments (CRF), software security patterns
      (SBVR), event patterns (CEE), malware patterns
      (MAEC), risk of a vulnerability (CVSS),
      information messages (CAIF, DEF)
  • Knowledge Repositories
    • Packages of assertions supporting a specific
      application
    • Vulnerability advisories and alerts (US-CERT
      Advisories/IAVAs), configuration assessment (NIST
      Checklists, CIS Benchmarks, NSA Configuration
      Guides, DISA STIGS), asset inventory (NIST/DHS
      NVD), code assessment and certification (NIST
      SAMATE, DoD DIACAP eMASS)
  • Tools
    • Interpret IA, Cyber Security, and SwA content in
      context of enterprise network
    • Methods for assessing compliance to languages,
      formats, and enumerations

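The building blocks above only pay off once tool output that carries these enumerations is actually consumed and rolled up. The following is an added example (not from the presentation or from MITRE) of what a small centralized-reporting step looks like: it checks that finding and asset identifiers have the syntactic shape of CVE, CWE, CCE and CPE 2.2 names, computes the CVSS v2 base score from a vector string using the weights and equation of the CVSS v2 specification, and aggregates per asset. The record layout and every identifier value are constructed for the example; the CVE and CCE numbers are placeholders, not real entries.

```python
"""Roll-up of standards-based assessment results into one report.

Added example, not from the presentation. The record layout and every
identifier value below are constructed; the CVSS v2 base-score weights and
equation are those of the CVSS v2 specification.
"""
import re
from decimal import Decimal, ROUND_HALF_UP

# Syntax checks for the enumerations the slide names (CVE, CWE, CCE, CPE 2.2 URI form).
ID_PATTERNS = {
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "CWE": re.compile(r"^CWE-\d+$"),
    "CCE": re.compile(r"^CCE-\d{4,5}-\d$"),
    "CPE": re.compile(r"^cpe:/[aho](:[^:]*){1,6}$"),
}


def valid_id(kind: str, value: str) -> bool:
    """True if value has the syntactic shape of a `kind` identifier."""
    pattern = ID_PATTERNS.get(kind)
    return bool(pattern and pattern.match(value))


# CVSS v2 base metric weights (from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score from a vector such as AV:N/AC:M/Au:N/C:P/I:P/A:P."""
    m = dict(part.split(":", 1) for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    if impact == 0:
        return 0.0                       # f(Impact) = 0 when there is no impact
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176
    # CVSS rounds to one decimal, half up; Decimal avoids float round() surprises.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed assessment records: asset as a CPE name, finding id, CWE, CVSS v2 vector.
# The CVE and CCE numbers are placeholders, not real entries.
CONSTRUCTED_RESULTS = [
    {"asset": "cpe:/o:vendor_x:server_os:5.0", "id": "CVE-2007-99901",
     "cwe": "CWE-362", "cvss": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
    {"asset": "cpe:/o:vendor_x:server_os:5.0", "id": "CCE-12345-6",
     "cwe": None, "cvss": None},                                # misconfiguration: no CVSS vector
    {"asset": "cpe:/a:vendor_y:web_app:2.1", "id": "CVE-2007-99902",
     "cwe": "CWE-61", "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"asset": "cpe:/a:vendor_y:web_app:2.1", "id": "CVE-07-1",
     "cwe": "CWE-340", "cvss": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},  # malformed finding id
]


def summarize(results):
    """Per-asset roll-up: accepted finding count, worst CVSS v2 base score, rejected ids."""
    report = {}
    for rec in results:
        entry = report.setdefault(rec["asset"], {"findings": 0, "max_cvss": 0.0, "rejected": []})
        kind = rec["id"].split("-", 1)[0]
        ok = valid_id("CPE", rec["asset"]) and valid_id(kind, rec["id"])
        if rec["cwe"] is not None:
            ok = ok and valid_id("CWE", rec["cwe"])
        if not ok:
            entry["rejected"].append(rec["id"])    # keep malformed records out of the numbers
            continue
        entry["findings"] += 1
        if rec["cvss"]:
            entry["max_cvss"] = max(entry["max_cvss"], cvss2_base_score(rec["cvss"]))
    return report


if __name__ == "__main__":
    for asset, summary in summarize(CONSTRUCTED_RESULTS).items():
        print(asset, summary)
```

The point of the syntax checks is the one the slide makes about enumerations: a finding that cannot be named with a standard identifier cannot be correlated across tools, so it is reported separately rather than silently counted.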
7
The Building Blocks Are
[Diagram: building blocks, labelled "Benchmark"; no further text recoverable]
8-35
[Diagram slides, one enterprise security architecture built up a piece at a time. Recoverable labels:]
  • Knowledge Repositories: Configuration Guidance; Mitigating Risk
    Exposures; Responding to Security Threats; content formats
    CAIF/VEDEF/SIDEF/SCDEF/SFDEF/IDMEF/IODEF/FIDEF/CVE/CWE/OVAL/CPE/CME/MAEC/CEE/CRF,
    CPE/OVAL, XCCDF/OVAL/CCE, CVSS/CME/CAPEC/MAEC, CVE/CWE/OVAL/CVSS
  • Operations Security Management Processes: Asset Inventory,
    Configuration Guidance Analysis, Vulnerability Analysis, Threat
    Analysis, Intrusion Detection, Incident Management; standards labelled
    on these processes: CCE/OVAL/CRF/XCCDF/CPE; CPE/OVAL/CRF;
    CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE;
    CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC;
    CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC/CEE
  • Development & Sustainment Security Management Processes: Assessment
    of System Development, Integration, Sustainment Activities and
    Certification & Accreditation (SBVR, slide 25)
  • Operational Enterprise Networks, Enterprise IT Asset Management,
    Enterprise IT Change Management, Centralized Reporting
  • Benchmarks and Benchmark Results exchanged between the repositories,
    the processes and the networks (slide 9)
  • Slides 14, 16, 28 and 30 highlight CVE, CRF, CCE/OVAL/CRF/XCCDF/CPE
    and CPE/OVAL/CRF respectively on the same diagram
  • Slides 32, 33 and 35: (No Transcript)
35
(No Transcript)
36
makingsecuritymeasurable.mitre.org
Robert A. Martin ramartin@mitre.org
37
Difficult to Integrate Information on
Vulnerabilities and Exposures
[Diagram of the sources to be integrated:]
  • Security Advisories
  • Software Vendor Patches
  • Priority Lists
  • Vulnerability Scanners
  • Intrusion Detection Systems
  • Incident Response Reporting
  • Research
  • Vulnerability Web Sites and Databases
38
CVE Growth
Status (as of Nov 6, 2007)
  • 27,663 unique CVE names

39
Vulnerability Type Trends: A Look at the CVE List
(2001 - 2006)
40
Removing and Preventing the Vulnerabilities
Requires More Specific Definitions: CWEs
41
(No Transcript)
42
Using A Unilateral NDA with MITRE to Bring in Info
  • Purpose
    • Sharing the proprietary/company confidential
      information contained in the underlying Knowledge
      Repository of the Knowledge Owner's Capability
      for the sole purpose of establishing a public
      Common Weakness Enumeration (CWE) dictionary that
      can be used by vendors, customers, and
      researchers to describe software, design, and
      architecture related weaknesses that have
      security ramifications.
    • The individual contributions from numerous
      organizations, based on their proprietary/company-
      confidential information, will be combined into a
      consolidated collection of weakness descriptions
      and definitions with the resultant collection
      being shared publicly.
    • The consolidated collection of knowledge about
      weaknesses in software, design, and architecture
      will make no reference to the source of the
      information used to describe, define, and explain
      the individual weaknesses.

43
Current Community Contributing to the Common
Weakness Enumeration
  • AppSIC
  • Aspect Security
  • Booz Allen Hamilton Inc.
  • Cenzic
  • CERIAS/Purdue University
  • CERT/CC
  • Cigital
  • CodescanLabs
  • Core Security
  • Coverity
  • Fortify
  • Gramma Tech
  • IBM
  • Interoperability Clearing House
  • JHU/APL
  • JMU
  • Kestrel Technology
  • KDM Analytics
  • Klocwork
  • NSA
  • OMG
  • Oracle
  • Ounce Labs
  • OWASP
  • Palamida
  • Parasoft
  • PolySpace Technologies
  • proServices Corporation
  • SANS Institute
  • SecurityInnovation
  • Secure Software
  • Security University
  • Semantic Designs
  • SofCheck
  • SPI Dynamics
  • SureLogic, Inc.
  • Symantec
  • UNISYS

To join, send e-mail to cwe@mitre.org
44
[Figure: PLOVER, 300 nodes, 2005]
45
Timeline of Items Enumerated and Defined in CWE
[Figure: axes are "# of items" against "time"]
46
  • To subscribe, see
    http://cwe.mitre.org/community/registration.html
  • or just send an email to listserv@lists.mitre.org
    with the command subscribe CWE-RESEARCH-LIST

47
Symbolic Link Following
(composition)
[Diagram of the composition; labels as shown:]
  • Symlink Following CWE-41
  • Symlink Following - CWE-61
  • Predictability CWE-340
  • Race Condition CWE-362
  • Path Equivalence CWE-41
  • Insecure directory permissions CWE-275
48
Symbolic Link Following (composite)
CWE-61 Symlink Following
  • Filename can be predicted
  • File can be created by other party before it is
    opened for writing
  • File created in a shared directory with writable
    permissions
  • Equivalence: a symlink can act as an alternate name
    for a critical file
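Each element of the composite on slide 48 corresponds to one API choice that removes it, which is what makes the composite useful to a developer rather than only to a taxonomist. The following is an added example (not from the presentation, from CWE, or from MITRE) that pairs the elements with those choices and then runs a constructed scenario, entirely inside a throwaway directory, in which a symlink already sits at the predictable name: the naive open follows it, the hardened open refuses. It assumes a POSIX system that provides os.O_NOFOLLOW (Linux, BSD, macOS); all paths and contents are constructed.

```python
"""Temp-file creation hardened against the CWE-61 composite.

Added example, not from the presentation. Everything below runs inside a
throwaway directory created by tempfile; no real system paths are touched.
Requires a POSIX system with os.O_NOFOLLOW (Linux, BSD, macOS).
"""
import errno
import os
import shutil
import stat
import tempfile


def open_new_nofollow(path: str) -> int:
    """Create `path` for writing and refuse anything that is already there.

    O_EXCL makes creation atomic (defeats the race: no window between a
    check and the open) and fails with EEXIST if an entry, symlink included,
    already exists; O_NOFOLLOW fails with ELOOP rather than traverse a
    symlink in the final component (defeats the alternate-name equivalence).
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def create_private_tempfile(prefix: str = "mesec-"):
    """Private 0700 directory (no shared writable directory) plus a file
    with an unpredictable name created with O_EXCL and mode 0600
    (no predictable name, no race).  Returns (fd, file_path, dir_path)."""
    private_dir = tempfile.mkdtemp(prefix=prefix)
    fd, path = tempfile.mkstemp(dir=private_dir)
    return fd, path, private_dir


def private_tempfile_modes():
    """Permission bits the two calls above actually produce: (dir, file)."""
    fd, _path, private_dir = create_private_tempfile()
    try:
        dir_mode = stat.S_IMODE(os.stat(private_dir).st_mode)
        file_mode = stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)
        shutil.rmtree(private_dir)
    return dir_mode, file_mode


def _planted_symlink():
    """Constructed scenario: a 'secret' file plus a symlink to it at a predictable name."""
    scratch = tempfile.mkdtemp(prefix="mesec-scenario-")
    target = os.path.join(scratch, "secret")
    link = os.path.join(scratch, "predictable.tmp")
    with open(target, "w") as f:
        f.write("original contents\n")
    os.symlink(target, link)
    return scratch, target, link


def naive_open_follows_symlink() -> bool:
    """The weakness itself: O_CREAT without O_EXCL/O_NOFOLLOW follows the
    planted link, so the write lands in the target.  True if that happened."""
    scratch, target, link = _planted_symlink()
    try:
        fd = os.open(link, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.write(fd, b"clobbered\n")
        os.close(fd)
        with open(target) as f:
            return f.read() == "clobbered\n"
    finally:
        shutil.rmtree(scratch)


def hardened_open_refuses_symlink() -> str:
    """Same scenario against open_new_nofollow: 'refused' when the open fails
    with EEXIST or ELOOP and the target is untouched, otherwise 'followed'."""
    scratch, target, link = _planted_symlink()
    try:
        try:
            fd = open_new_nofollow(link)
        except OSError as exc:
            if exc.errno in (errno.EEXIST, errno.ELOOP):
                with open(target) as f:
                    return "refused" if f.read() == "original contents\n" else "followed"
            raise
        os.close(fd)
        return "followed"
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print("private dir/file modes:", tuple(oct(m) for m in private_tempfile_modes()))
    print("naive open followed the link:", naive_open_follows_symlink())
    print("hardened open:", hardened_open_refuses_symlink())
```

Note the order of defences: the private directory and unpredictable name remove the attacker's opportunity to plant anything, and O_EXCL plus O_NOFOLLOW make the open fail closed if something was planted anyway. A fix that only addresses one element of the composite (for example, checking for a symlink and then opening) leaves the race element in place.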