Securing the Cyber Ecosystem Automation and Standards to Build Security In

advertisement
Securing the Cyber Ecosystem
Automation and Standards to Build Security In
August 2011
Robert A. Martin
Making Security Measurable (MSM)
““You Are Here””
Software Assurance
Enterprise Security Management
Design
Design
Threat Management
Vulnerabilities
Build Assess
Deploy
Test
Exploits
Attacks
Test
CWE, CAPEC, CWSS, CWRAF
Deploy
CPE, CCE, OVAL, OCIL,
XCCDF, AssetId, ARF
Malware
CVE, CWE, CAPEC, MAEC,
CybOX, IODEF, CYBEX
© 2011 MITRE
Today Everything’’s Connected –– Like an Ecosystem
Your System is
attackable……
When this Other System gets subverted
through an un-patched vulnerability, a
mis-configuration, or an application
weakness……
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
Cyber Threats Emerged Over Time
email propagation of malicious code
DDoS attacks
““stealth””/advanced scanning techniques
binary encryption
widespread attacks using NNTP to distribute attack
increase in tailored worms
widespread attacks on DNS infrastructure
sophisticated
command & control
automated probes/scans
executable code attacks (against browsers)
automated widespread attacks
Attack
Sophistication
GUI intruder tools
network mgmt. diagnostics
diffuse spyware
anti-forensic techniques
home users targeted
sniffers
distributed attack tools
increase in wide-scale Trojan horse distribution
Windows-based remote controllable
Trojans (Back Orifice)
hijacking sessions
back doors
disabling audits
www attacks
Internet social engineering attacks
widespread
denial-ofservice attacks
password cracking
packet spoofing
password
guessing
1980’’s
exploiting known
vulnerabilities
techniques to analyze code for
vulnerabilities without source
code
automated probes/scans
burglaries
1990’’s
2000’’s
2010’’s
Solutions Also Emerged Over Time
email propagation of malicious code
DDoS attacks
““stealth””/advanced scanning techniques
binary encryption
widespread attacks using NNTP to distribute attack
increase in tailored worms
widespread attacks on DNS infrastructure
sophisticated
command & control
automated probes/scans
executable code attacks (against browsers)
automated widespread attacks
Attack
Sophistication
GUI intruder tools
network mgmt. diagnostics
diffuse spyware
anti-forensic techniques
home users targeted
sniffers
distributed attack tools
increase in wide-scale Trojan horse distribution
Windows-based remote controllable
Trojans (Back Orifice)
hijacking sessions
back doors
disabling audits
www attacks
Internet social engineering attacks
widespread
denial-ofservice attacks
password cracking
packet spoofing
password
guessing
1980’’s
exploiting known
vulnerabilities
techniques to analyze code for
vulnerabilities without source
code
automated probes/scans
burglaries
1990’’s
2000’’s
2010’’s
Like Security - Networks Evolved
Each new solution had to integrate with the existing solutions
-->> every enterprise ends up learning as they go and has a
““unique”” tapestry of solutions with ““local practices””
© 2011 MITRE
But A More Supportable
Solution Is Possible
with Standardized
Approaches and the
application of
Architecting Principles
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
CVE 1999 to 2011
2000
© 2011 MITRE
Architecting Security with Information
Standards for COIs
© 2011 MITRE
Asset
Inventory
Configuration
Guidance
Analysis
Vulnerability
Analysis
Threat
Analysis
Intrusion
Detection
Incident
Management
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
Operational Enterprise Networks
Development &
Sustainment
Security
Management
Processes
Trust
Management
Enterprise IT
Change Management
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Configuration
Guidance
Analysis
Asset
Inventory
CPE/
OVAL/
ARF
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CVE/CWE/CVSS/
CCE/CCSS/
OVAL/XCCDF/
CPE/CAPEC/
MAEC/SBVR/
CWSS/CEE/ARF
Trust
Management
Enterprise IT
Change Management
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/SBVR/CWSS/CEE/ARF
Identity
Management
Centralized
CentralizedReporting
Reporting
Enterprise IT Asset Management
Cyber Ecosystem Standardization Efforts
&%/%& %",! /!&$#$%2
4'"$ %5
&!"-!,+!$(%"!&"-"$$/"+&2
4+!$(%5
&,+!$(%"!&"-"$$/"+&$&!"-2
4"$!/%& 5
"-!"!+$ /%/%& % "$%+$/2
"-"!#"/"%+$"!+$("!%2
"-!%+$ /%/%& %"!"$ &"#"/2
"-!%+$&"#$("!" /%/%& %"!"$ %&"#"/2
4"!+$("!%5
4"!+$("!%&%5
4%%%% !&!+5
4!&$(,!+5
&-!%%%! /%"-$"+.#"&2 4!%%%5
&*%!.#"&--!%%%2
"-!-$"!0 -$6%$&&!"2
4**$!%5
4
-$*$+&%5
&"%$,,"$ &#+& /!&$#$%&$%2 /4/$%$,%5
&,!&%%"+"3!"-2
4,!&%5
"-!$&%%%% !&$%+&%2
4%%%% !&%+&%5
© 2011 MITRE
Standardization Efforts leveraged by the
Security Content Automation Protocol (SCAP)
&%/%& %",! /!&$#$%2
4'"$ %5
&!"-!,+!$(%"!&"-"$$/"+&2
4+!$(%5
&,+!$(%"!&"-"$$/"+&$&!"-2
4"$!/%& 5
"-!"!+$ /%/%& % "$%+$/2
"-"!#"/"%+$"!+$("!%2
"-!%+$ /%/%& %"!"$ &"#"/2
"-!%+$&"#$("!" /%/%& %"!"$ %&"#"/2
4"!+$("!%5
4"!+$("!%&%5
4%%%% !&!+5
4!&$(,!+5
&-!%%%! /%"-$"+.#"&2 4!%%%5
&*%!.#"&--!%%%2
"-!-$"!0 -$6%$&&!"2
4**$!%5
4
-$*$+&%5
&"%$,,"$ &#+& /!&$#$%&$%2 /4/$%$,%5
&,!&%%"+"3!"-2
4,!&%5
"-!$&%%%% !&$%+&%2
4%%%% !&%+&%5
© 2011 MITRE
Standardization Efforts focused on mitigating
risks and enabling faster incident response
&%/%& %",! /!&$#$%2
4'"$ %5
&!"-!,+!$(%"!&"-"$$/"+&2
4+!$(%5
&,+!$(%"!&"-"$$/"+&$&!"-2
4"$!/%& 5
"-!"!+$ /%/%& % "$%+$/2
"-"!#"/"%+$"!+$("!%2
"-!%+$ /%/%& %"!"$ &"#"/2
"-!%+$&"#$("!" /%/%& %"!"$ %&"#"/2
4"!+$("!%5
4"!+$("!%&%5
4%%%% !&!+5
4!&$(,!+5
&-!%%%! /%"-$"+.#"&2 4!%%%5
&*%!.#"&--!%%%2
"-!-$"!0 -$6%$&&!"2
4**$!%5
4
-$*$+&%5
&"%$,,"$ &#+& /!&$#$%&$%2 /4/$%$,%5
&,!&%%"+"3!"-2
4,!&%5
"-!$&%%%% !&$%+&%2
4%%%% !&%+&%5
© 2011 MITRE
Configuration
Guidance
Analysis
Asset
Inventory
CPE/
OVAL/
ARF
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Trust
Management
Enterprise IT
Change Management
Operational Enterprise Networks
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Mitigating Risk Exposures
Asset
Definition
Configuration
Guidance
CPE/OVAL
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
Responding to Security Threats
CPE/
OVAL/
ARF
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Incident
Report
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Trust
Management
Enterprise IT
Change Management
Operational Enterprise Networks
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
CVE/CWE/OVAL/
CVSS/CWSS
CVE
Vulnerability
Analysis
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
CVE
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CVE
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Alert
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CVE
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CVE
CPE/OVAL
Vulnerability
Alert
CVE
Configuration
Guidance
CVE
Asset
Definition
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
CVE
Trust
Management
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
Enterprise IT
Change Management
Operational Enterprise Networks
CVE CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Configuration
Guidance
XCCDF/OVAL/
CCE/CCSS
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
OVAL
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
OVAL
OVAL
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
OVAL
Threat
Analysis
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations
Security Management Processes
OVAL
OVAL
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
OVAL
Configuration
Guidance
Analysis
CPE/
OVAL/
ARF
OVAL
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
OVAL
OVAL
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
OVAL
OVAL
Threat
Alert
OVAL
CPE/OVAL
Vulnerability
Alert
OVAL
Asset
Definition
Operational Enterprise Networks
OVALCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
OVAL
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
ARF
ARF
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
ARF
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
ARF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
ARF
ARF
Threat
Analysis
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations
Security Management Processes
ARF
ARF
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Vulnerability
Analysis
ARF
Configuration
Guidance
Analysis
ARF
Asset
Inventory
ARF
ARF
Operational Enterprise Networks
ARF CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
ARF
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
XCCDF
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
CPE/
OVAL/
ARF
XCCDF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
XCCDF
Threat
Analysis
XCCDF
Vulnerability
Analysis
XCCDF
XCCDF
Configuration
Guidance
Analysis
Asset
Inventory
XCCDF
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
XCCDF
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDFXCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Trust
Management
Enterprise IT
Change Management
Operational Enterprise Networks
XCCDF
Identity
Management
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CCE
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
CCE
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CCE
Threat
Analysis
CCE
CCE
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
CCE
CCE
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
CCE
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CCE
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CCECVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CCE
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CPE
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
CPE
CPE
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CPE
Threat
Analysis
CPE
Vulnerability
Analysis
CPE
Configuration
Guidance
Analysis
CPE
CPE
Asset
Inventory
CPE
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CPE
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CPE
CPE
Trust
Management
Enterprise IT
Change Management
Identity
Management
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CVSS
CVSS
Vulnerability
Analysis
Threat
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Alert
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CVSS
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CVSS
CPE/OVAL
Vulnerability
Alert
CVSS
Configuration
Guidance
CVSS
Asset
Definition
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CVSSCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CVSS
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWSS
CWE/CAPEC/
SBVR/CWSS/
MAEC
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CWSS
CWSS
Vulnerability
Analysis
Threat
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Alert
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CWSS
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CWSS
CPE/OVAL
Vulnerability
Alert
CWSS
Configuration
Guidance
CWSS
Asset
Definition
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CWSS
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CWSSCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CWSS
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
SAFES
CWE/CAPEC/
SBVR/CWSS/
MAEC
Vulnerability
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Alert
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
SAFES
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
SAFESCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
SAFES
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
SACM
CWE/CAPEC/
SBVR/CWSS/
MAEC
Vulnerability
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Alert
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Incident
Report
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
SACM
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
SACM CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
SACM
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CAPEC
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CAPEC
CWE/CAPEC/
SBVR/CWSS/
MAEC
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
CAPEC
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CAPEC
CAPEC
Vulnerability
Analysis
CAPEC
Configuration
Guidance
Analysis
Asset
Inventory
CAPEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CAPEC
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CAPECCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CAPEC
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
Vulnerability
Alert
XCCDF/OVAL/
CCE/CCSS
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CEE
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
CEE
CEE
Configuration
Guidance
Analysis
Asset
Inventory
CEE
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Operational Enterprise Networks
CEE CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CEE
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
CVE/CWE/OVAL/
CVSS/CWSS
CWE
Vulnerability
Analysis
Threat
Analysis
CWE
System &
Software
Assurance
Guidance/
Requirements
CWE
CWE/CAPEC/
SBVR/CWSS/
MAEC
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
CWE
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
CWE
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Incident
Report
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
CWE
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CPE/
OVAL/
ARF
Threat
Alert
CWE
CPE/OVAL
Vulnerability
Alert
CWE
Configuration
Guidance
CWE
Asset
Definition
Operational Enterprise Networks
CWECVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CWE
Trust
Management
Enterprise IT
Change Management
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Knowledge Repositories
Asset
Definition
Configuration
Guidance
CPE/OVAL
XCCDF/OVAL/
CCE/CCSS
Configuration
Guidance
Analysis
Asset
Inventory
OVAL/XCCDF/
CCE/CCSS/
CPE/ARF
System &
Software
Assurance
Guidance/
Requirements
CWE/CAPEC/
SBVR/CWSS/
MAEC
Vulnerability
Alert
CPE/
OVAL/
ARF
Threat
Alert
CVE/CWE/OVAL/
CVSS/CWSS
Vulnerability
Analysis
CCE/
CCSS/
OVAL/ARF/
XCCDF/CPE
CVE/CWE/CVSS/
CPE/CWSS/
CAPEC/MAEC
Threat
Analysis
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
ARF/CWSS/
OVAL/CPE/
XCCDF
Incident
Report
CAIF/IDMEF/IODEF/CVE/CWE/
OVAL/CPE/MAEC/CCSS/CWSS/
CEE/ARF
Intrusion
Detection
CVE/CWE/
CVSS/ARF/
CCE/CCSS/
OVAL/CWSS/
XCCDF/CPE/
CAPEC/MAEC
Incident
Management
CVE/CWE/
CVSS/ARF/.
CCE/OVAL/
CCSS/
XCCDF/CPE/
CAPEC/CWSS/
MAEC/CEE
Operations Security Management Processes
Assessment
of System
Development,
Integration, &
Sustainment
Activities
and
Certification &
Accreditation
CVE/CWE/
CVSS/CCE/
CCSS/OVAL/
XCCDF/
CPE/CAPEC/
MAEC/CWSS/
CEE/ARF
CWE/CAPEC/
CWSS/MAEC/
OVAL/OCIL/
XCCDF/CCE/
CPE/ARF/
SAFES/SACM
Development &
Sustainment
Security
Management
Processes
Trust
Management
Enterprise IT
Change Management
Operational Enterprise Networks
CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/
CPE/CAPEC/MAEC/CWSS/CEE/ARF
Identity
Management
Centralized Reporting
Enterprise IT Asset Management
Linkage with Fundamental Changes in Enterprise Security Initiatives
© 2011 MITRE
““Enabling Distributed Security in Cyberspace: Building a Healthy
and Resilient Cyber Ecosystem with Automated Collective Action””
Testing,
attestation,
and
assurance
Software
Assurance
Collaborative
threat
Malware
intelligence
Analysis
Engineering
Remote
Assessment
Design
Architecture
Vulnerability
Assessment
Network
Device
Assessment
Configuration
Assessment
Remediation
Supply Chain
Assurance
Asset
Inventory
Compliance
Management
Event
Management
Modeling and Simulation
Sensing
and
Warning
Structured
Threat
Information
Response
Incident
Reporting
Enterprise
Reporting
Forensics
and
Damage
Assessment
Recovery
Reconstitution
3
© 2011 MITRE
Ecosystem Areas Directly Enabled/Supported by
Enumerations/Languages
Testing,
attestation,
and
assurance
Collaborative
threat
intelligence
MAEC, CAPEC,
OVAL, CybOX
CVE, OVAL, CWE,
CAPEC, MAEC,
CybOX, CWRAF,
Engineering CWSS, CCR,
SAFES, SACM,
ISO 15026-2,
OVAL, CVE, CVSS,
ISO TR 20004,
CPE, XCCDF, SCAP,
SWID, SWAAP
CWE, CVRF, SWID
Sensing
and
Warning
MAEC, OVAL,
CPE,
OVAL, AI,
SWID
Design
CVE, OVAL, TNC
Architecture
CCE, OVAL, CPE,
CCSS, XCCDF,
OCIL, SCAP,
CVE, OVAL,
SWID
TNC
ERAP, CRE,
ERI, RCL, RPL,
CWE
Supply Chain
Assurance
CVE, CVSS, CCE,
OVAL, CPE, CCSS,
XCCDF, OCIL,
SCAP, SWID
CAPEC, CybOX,
CVE
CYBEX, IODEF,
RID, TLP, MAEC,
CybOX, CVE,
Forensics
CWE, CAPEC
AI, ARF,
ASR, PLARR
CEE, CLS, CLT,
CELR, CybOX,
EMAP
Modeling and Simulation
Response
and
Damage
Assessment
Recovery
Reconstitution
© 2011 MITRE
Status of ITU-T Recommendations
xseries
Title
ITU-T
Status
Planned
Determination
x.1500
Cybersecurity Information Exchange (CYBEX) Techniques
Final
Dec 2010
x.1520
Common Vulnerabilities and Exposures
Final
Dec 2010
x.1521
Common Vulnerability Scoring System
Final
Dec 2010
x.cwe
Common Weakness Enumeration
Draft
Aug 2011
x.oval
Open Vulnerability and Assessment Language
Draft
Aug 2011
x.cce
Common Configuration Enumeration
Draft
Aug 2011
x.capec
Common Attack Pattern Enumeration and Classification
Draft
Feb 2012
x.maec
Malware Attribute Enumeration and Classification
Draft
2012
x.cwss
Common Weakness Scoring System
Draft
2012
x.cee
Common Event Expression
Draft
2012
x.cpe
Common Platform Enumeration
Draft
2012
x.arf
Asset Reporting Format
Draft
2012
x.xccdf
Extensible Configuration Checklist Description Format
Draft
2012
© 2011 MITRE
Vulnerability Type Trends:
A Look at the CVE List (2001 - 2007)
© 2011 MITRE
Removing and Preventing the Vulnerabilities
Requires More Specific Definitions……CWEs
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting’’) (79)
•• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)
•• Improper Neutralization of Script in an Error Message Web Page (81)
•• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)
•• Improper Neutralization of Script in Attributes in a Web Page (83)
•• Improper Neutralization of Encoded URI Schemes in a Web Page (84)
•• Doubled Character XSS Manipulations (85)
•• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)
•• Improper Neutralization of Alternate XSS Syntax (87)
9
14
19
Improper Restriction of Operations within the Bounds of a Memory Buffer (119)
•• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow’’) (120)
•• Write-what-where Condition (123)
•• Out-of-bounds Read (125)
•• Improper Handling of Length Parameter Inconsistency (130)
•• Improper Validation of Array Index (129)
•• Return of Pointer Value Outside of Expected Range (466)
•• Access of Memory Location Before Start of Buffer (786)
•• Access of Memory Location After End of Buffer (788)
•• Buffer Access with Incorrect Length Value 805
•• Untrusted Pointer Dereference (822)
•• Use of Out-of-range Pointer Offset (823)
•• Access of Uninitialized Pointer (824)
•• Expired Pointer Dereference (825)
Path Traversal (22)
•• Relative Path Traversal (23)
•• Path Traversal: '../filedir' (24)
•• Path Traversal: '/../filedir' (25)
•• <------------8 more here -------------->
•• Path Traversal: '....//' (34)
•• Path Traversal: '.../...//' (35)
•• Absolute Path Traversal (36)
••
••
••
••
Path Traversal: '/absolute/pathname/here’’ (37)
Path Traversal: '\absolute\pathname\here’’ (38)
Path Traversal: 'C:dirname’’ (39)
Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40)
© 2011 MITRE
Wouldn’’t
it beisnice
What
wrong
if the weaknesses
in software were as
easy to spot and
their impact as
easy to understand
as a screen door in
a submarine……
with this picture?
© 2011 MITRE
Linkage with Fundamental Changes in Enterprise Security Initiatives
© 2011 MITRE
Status of ITU-T Recommendations
xseries
Title
ITU-T
Status
Planned
Determination
x.1500
Cybersecurity Information Exchange (CYBEX) Techniques
Final
Dec 2010
x.1520
Common Vulnerabilities and Exposures
Final
Dec 2010
x.1521
Common Vulnerability Scoring System
Final
Dec 2010
x.cwe
Common Weakness Enumeration
Draft
Aug 2011
x.oval
Open Vulnerability and Assessment Language
Draft
Aug 2011
x.cce
Common Configuration Enumeration
Draft
Aug 2011
x.capec
Common Attack Pattern Enumeration and Classification
Draft
Feb 2012
x.maec
Malware Attribute Enumeration and Classification
Draft
2012
x.cwss
Common Weakness Scoring System
Draft
2012
x.cee
Common Event Expression
Draft
2012
x.cpe
Common Platform Enumeration
Draft
2012
x.arf
Asset Reporting Format
Draft
2012
x.xccdf
Extensible Configuration Checklist Description Format
Draft
2012
© 2011 MITRE
© 2011 MITRE
But you also needed to deal with the people that are
out there trying to take advantage of vulnerabilities
and weaknesses in your technologies, processes, or
practices……
……with defensive and
offensive security
capabilities.
© 2009 The MITRE Corporation. All rights reserved.
Security
Feature
XSS (CWE-79)
Exploit
(CAPEC-86)
SQL Injection
(CWE-89)
Exploit
(CAPEC-66)
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
CWE web site visitors by City
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
16 July 2010
© 2011 MITRE
© 2011 MITRE
Industry
Uptake
CWE
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
ISO/IEC JTC 1/SC 27/WG 3, NWP
© 2011 MITRE
CWE Compatibility & Effectiveness Program
( launched Feb 2007)
cwe.mitre.org/compatible/
53
31
© 2011 MITRE
© 2011 MITRE
Korean
Japanese
© 2011 MITRE
CWE Coverage ––
Implemented……
CWE IDs mapped to Klocwork Java issue types - current
http://www.klocwork.com/products/documentation/curren...
CWE IDs mapped to Klocwork Java issue
types
From current
CWE IDs mapped to Klocwork Java issue types
See also Detected Java Issues.
CWE ID
Klocwork Checker Code and Description
CWE IDs mapped to Klocwork C and C++ issue types/ja20
-...(http://cwe.mitre.org
http://www.klocwork.com/products/documentation/curren...
SV.TAINT Tainted data
/data/definitions/20.html)
73 (http://cwe.mitre.org
/data/definitions/73.html)
79 (http://cwe.mitre.org
/data/definitions/79.html)
< CWE IDs mapped to Klocwork C and C++ issue types
80 (http://cwe.mitre.org
CWE IDs mapped to Klocwork C and C++ issue types/ja
/data/definitions/80.html)
?; Detected C and C++ Issues.
From current
Cenzic Product Suite is CWE Compatible
Cenzic Hailstorm Enterprise ARC, Cenzic Hailstorm Professional and Cenzic ClickToSecure are
compatible with the CWE standard or Common Weakness Enumeration as maintained by Mitre
Corporation. Web security assessment results from the Hailstorm product suite are mapped to
the relevant CWE ID's providing users with additional information to classify and describe
common weaknesses found in Web applications.
CWE ID
For additional details on CWE, please visit: http://cwe.mitre.org/index.html
20
(http://cwe.mitre.org
/data/definitions
/20.html)
The following is a mapping between Cenzic’’s SmartAttacks and CWE ID's:
13
Check HTTP
Methods
SV.TMPFILE Temporary file path tampering
SV.PATH Path and file name injection
CWE IDs mapped to Klocwork C and
C++File injection
SV.PATH.INJ
77 (http://cwe.mitre.org
SV.EXEC Process Injection
issue types/ja
/data/definitions/77.html)
SV.EXEC.DIR Process Injection. Working Directory
www.cenzic.com | (866) 4-CENZIC (866-423-6942)
Cenzic
SmartAttack
Name
Application
1
Exception
Application
2
Exception (WS)
Application Path
3
Disclosure
Authentication
4
Bypass
Authorization
5
Boundary
Blind SQL
6
Injection
Blind SQL
7
Injection (WS)
Browse HTTP
8
from HTTPS List
9 Brute Force Login
10 Buffer Overflow
Buffer Overflow
11
(WS)
Check Basic Auth
12
over HTTP
SV.TAINT_NATIVE Tainted data goes to native code
CWE ID/s
22
(http://cwe.mitre.org
/data/definitions
/22.html)
CWE-388: Error Handling
CWE-388: Error Handling
73
(http://cwe.mitre.org
/data/definitions
/73.html)
CWE-200: Information Leak (rough match)
CWE-89: Failure to Sanitize Data into SQL Queries (aka
'SQL Injection') (rough match)
CWE-285: Missing or Inconsistent Access Control, CWE-425:
Direct Request ('Forced Browsing')
CWE-89: Failure to Sanitize Data into SQL Queries (aka
'SQL Injection')
CWE-89: Failure to Sanitize Data into SQL Queries (aka
'SQL Injection')
CWE-200: Information Leak
CWE-521: Weak Password Requirements
CWE-120: Unbounded Transfer ('Classic Buffer Overflow')
CWE-120: Unbounded Transfer ('Classic Buffer Overflow')
CWE-200: Information Leak
SV.XSS.DB Cross Site Scripting (Stored XSS)
SV.DATA.DB Data injection
SV.XSS.REF Cross Site Scripting (Reflected XSS)
SV.XSS.DB Cross Site Scripting (Stored XSS)
SV.XSS.REF Cross Site Scripting (Reflected XSS)
SV.SQL Sql Injection
89 (http://cwe.mitre.org
SV.SQL.DBSOURCE Unchecked information from the
/data/definitions/89.html)
database is used in SQL statements
SV.DATA.DB Data injection
ABV.TAINTED @E<8"$ .".$,.
SV.TAINTED.GENERIC
@EAH9
.=D
103 (http://cwe.mitre.org
SV.STRUTS.VALIDMET Struts Forms: validate method
SV.TAINTED.ALLOC_SIZE
&'*41
@EG>
/data/definitions/103.html)
=D
105 (http://cwe.mitre.org
SV.TAINTED.CALL.INDEX_ACCESS
=I>50@E
SV.STRUTS.NOTVALID Struts Forms: inconsistent validate
G>:9-/data/definitions/105.html)
=D
113 (http://cwe.mitre.org
SV.HTTP_SPLIT HTTP Response Splitting
/data/definitions/113.html) $+,.!7
SV.CUDS.MISSING_ABSOLUTE_PATH
#/=D 117 (http://cwe.mitre.org
SV.LOG_FORGING Log Forging
/data/definitions/117.html)
129 (http://cwe.mitre.org
SV.DOS.ARRINDEX Tainted index used for array access
SV.CUDS.MISSING_ABSOLUTE_PATH
/data/definitions/129.html)$+,.!7
#/=D
74
(http://cwe.mitre.org
/data/definitions
/74.html)
SV.TAINTED.INJECTION
%-! -)1 of 4
77
(http://cwe.mitre.org
/data/definitions
/77.html)
SV.CODE_INJECTION.SHELL_EXEC +B%-! )-
78
(http://cwe.mitre.org
/data/definitions
/78.html)
NNTS.TAINTED @E(.<8FC"$ .".$,.
- 3 NULL 62AH9
SV.TAINTED.INJECTION %-! -)-
88
(http://cwe.mitre.org
SV.TAINTED.INJECTION %-! -)NNTS.TAINTED @E(.<8FC"$ .".$,.
2/26/11 10:35 AM
CWE-650: Trusting HTTP Permission Methods on the Server
Side
Cenzic CWE Brochure | October 2009
Company Confidential
Cenzic®, Hailstorm® and ClickToSecure® are registered trademarks of Cenzic, Inc.
The Cenzic logo, Hailstorm Enterprise ARC, and GovShield are trademarks of Cenzic, Inc.
© 2009 Cenzic, Inc. All rights reserved.
1 of 7
2/26/11 10:34 AM
1
© 2011 MITRE
The Software Supply Chain
*
Legacy
Software
Reuse
Program
Office
?
Other
Programs
?
?
US
Global
Supplier
?
Foreign
Develop
In-house
Acquire
?
Contractor
Outsource
Prime
Contractor
?
Contractor
Off-shore
Supplier
Foreign
Location
Software
COTS
US
Foreign
Developers
Supplier
Reuse
Acquire
Develop
In-house
?
?
*
Outsource
?
?
?
““Scope of Supplier Expansion and Foreign Involvement”” graphic in DACS www.softwaretechnews.com Secure Software
Engineering, July 2005 article ““Software Development Security: A Risk Management Perspective”” synopsis of May 2004
GAO-04-678 report ““Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks””
© 2011 MITRE
Recreation Use
Industrial Use
Power Use
Agricultural Use
Home Use
Recreation Use
Agricultural
© 2011 Use
MITRE
Scoring Weaknesses Based on Context
Archetypes:
•• Web Browser User Interface
•• Web Servers
•• Application Servers
•• Database Systems
•• Desktop Systems
•• SSL
Vignettes:
1. Web-based Retail Provider
2. Intranet resident health
records management system
of hospital
Web
Browser
Web
Browser
Web
Browser
2
1
Web
Browser
Web
Browser
Web
Browser
Web
Browser
© 2011 MITRE
© 2011 MITRE
© 2011 MITRE
Vignettes –– Technology Groups & Business/Mission Domains
Common Weakness Risk Assessment Framework uses Vignettes with Archetypes to identify top CWEs in respective Domain/Technology
Groups
© 2011 MITRE
CWRAF-Level Technical Impacts
1. Modify data
2. Read data
3. DoS: unreliable execution
4. DoS: resource consumption
5. Execute unauthorized code or commands
6. Gain privileges / assume identity
7. Bypass protection mechanism
8. Hide activities
© 2011 MITRE
Technical Impact Scorecard
Links business value with the technical
impact of weakness exploitation
Stays away from technical details of
individual weaknesses
Operates within the context of a vignette
© 2011 MITRE
Calculating CWSS Impact Weights
© 2011 MITRE
Scoring Relevant Weaknesses using CWSS
© 2011 MITRE
Scoring Weaknesses Discovered in Code using CWSS
© 2011 MITRE
CWSS for a Technology Group
50%
10%
10%
10%
15%
15%
Web Vignette 1 …… TI(1), TI(2), TI(3),……
Web Vignette 2 …… TI(1), TI(2), TI(3),……
Web Vignette 3 …… TI(1), TI(2), TI(3),……
Web Vignette 4 …… TI(1), TI(2), TI(3),……
Web Vignette 5 …… TI(1), TI(2), TI(3),……
Web Vignette 6 …… TI(1), TI(2), TI(3),……
Web Application Technology Group
Top N List 1
Top N List 2
Top N List 3
Top N List 4
Top N List 5
Top N List 6
Top 10 List
CWE Top 10 List for Web Applications can be used to:
•• Identify skill and training needs for your web team
•• Include in T’’s & C’’s for contracting for web development
•• Identify tool capability needs to support web assessment
© 2011 MITRE
Relationships between CWRAF, CWSS, and CWE
© 2011 MITRE
Contact Info
cwe@mitre.org
capec@mitre.org
© 2011 MITRE
Download