Meeting Archive
Abstract

Recognizing and Measuring Software Security Dangers and Risk

Until recently, the absence of a common measure for software weaknesses has limited the software industry's ability to consistently assess and remediate exploitable software flaws. The Common Weakness Enumeration (CWE) offers all aspects of the software and security industry a list of potentially dangerous contaminants to software. Providing a standard method for identifying which of these items are most harmful, given the intended use of a specific piece of software, is the focus of the risk assessment approach underlying the Common Weakness Scoring System (CWSS) and the Common Weakness Risk Analysis Framework (CWRAF). The development of CWSS and CWRAF is the result of 3 years of collaborative work with a broad group of individuals and organizations on the CWE/SANS Top 25 Most Dangerous Software Errors. That list, like the OWASP Top 10, is a useful tool for focusing attention on the perils of software mistakes, but such lists quickly lead to the need for more pointed guidance on specific projects. This talk will discuss how all of these efforts come together to allow for systematic and verifiable ways of identifying and removing contaminated software, gaining assurance that it has been addressed, and building confidence in your software-based systems.

The Common Weakness Enumeration effort, led by MITRE, is a joint effort of the US Federal Government, industry groups like OWASP and WASQ, commercial software and security vendors, and academia. CWE itself is a standardized dictionary used in diagnosing exploitable software faults and reporting findings, enabling interoperability among tools and automation of risk mitigation measures. Currently there are over 880 software weaknesses identified and cataloged in CWE, and 49 software diagnostic tools and services offer CWE-compatible capabilities.
Whether you manage or are engaged in software security for internal development activities or third-party development, or have to work with a commercial application for external use, your mandate is clear - safeguard your applications and make sure your team has identified and mitigated those software weaknesses most dangerous to your business.

About the Speaker