Securing the Cyber Ecosystem Automation and Standards to Build Security In August 2011 Robert A. Martin Making Security Measurable (MSM) “You Are Here” Software Assurance Enterprise Security Management Design Design Threat Management Vulnerabilities Build Assess Deploy Test Exploits Attacks Test CWE, CAPEC, CWSS, CWRAF Deploy CPE, CCE, OVAL, OCIL, XCCDF, AssetId, ARF Malware CVE, CWE, CAPEC, MAEC, CybOX, IODEF, CYBEX © 2011 MITRE Today Everything’s Connected – Like an Ecosystem Your System is attackable … When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness … © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE Cyber Threats Emerged Over Time email propagation of malicious code DDoS attacks “stealth”/advanced scanning techniques binary encryption widespread attacks using NNTP to distribute attack increase in tailored worms widespread attacks on DNS infrastructure sophisticated command & control automated probes/scans executable code attacks (against browsers) automated widespread attacks Attack Sophistication GUI intruder tools network mgmt. diagnostics diffuse spyware anti-forensic techniques home users targeted sniffers distributed attack tools increase in wide-scale Trojan horse distribution Windows-based remote controllable Trojans (Back Orifice) hijacking sessions back doors disabling audits www attacks Internet social engineering attacks widespread denial-ofservice attacks password cracking packet spoofing password guessing 1980’s exploiting known vulnerabilities techniques to analyze code for vulnerabilities without source code automated probes/scans burglaries 1990’s 2000’s 2010’s Solutions Also Emerged Over Time email propagation of malicious code DDoS attacks “stealth”/advanced scanning techniques binary encryption widespread attacks using NNTP to distribute attack increase in tailored worms widespread attacks on DNS infrastructure sophisticated command & control automated probes/scans executable code attacks (against browsers) automated widespread attacks Attack Sophistication GUI intruder tools network mgmt. diagnostics diffuse spyware anti-forensic techniques home users targeted sniffers distributed attack tools increase in wide-scale Trojan horse distribution Windows-based remote controllable Trojans (Back Orifice) hijacking sessions back doors disabling audits www attacks Internet social engineering attacks widespread denial-ofservice attacks password cracking packet spoofing password guessing 1980’s exploiting known vulnerabilities techniques to analyze code for vulnerabilities without source code automated probes/scans burglaries 1990’s 2000’s 2010’s Like Security - Networks Evolved Each new solution had to integrate with the existing solutions -->> every enterprise ends up learning as they go and has a “unique” tapestry of solutions with “local practices” © 2011 MITRE But A More Supportable Solution Is Possible with Standardized Approaches and the application of Architecting Principles © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE CVE 1999 to 2011 2000 © 2011 MITRE Architecting Security with Information Standards for COIs © 2011 MITRE Asset Inventory Configuration Guidance Analysis Vulnerability Analysis Threat Analysis Intrusion Detection Incident Management Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation Operational Enterprise Networks Development & Sustainment Security Management Processes Trust Management Enterprise IT Change Management Identity Management Centralized Reporting Enterprise IT Asset Management Configuration Guidance Analysis Asset Inventory CPE/ OVAL/ ARF Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CVE/CWE/CVSS/ CCE/CCSS/ OVAL/XCCDF/ CPE/CAPEC/ MAEC/SBVR/ CWSS/CEE/ARF Trust Management Enterprise IT Change Management CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/SBVR/CWSS/CEE/ARF Identity Management Centralized CentralizedReporting Reporting Enterprise IT Asset Management Cyber Ecosystem Standardization Efforts &%/%& %",! /!&$#$%2 4'"$ %5 &!"-!,+!$(%"!&"-"$$/"+&2 4+!$(%5 &,+!$(%"!&"-"$$/"+&$&!"-2 4"$!/%& 5 "-!"!+$ /%/%& % "$%+$/2 "-"!#"/"%+$"!+$("!%2 "-!%+$ /%/%& %"!"$ &"#"/2 "-!%+$&"#$("!" /%/%& %"!"$ %&"#"/2 4"!+$("!%5 4"!+$("!%&%5 4%%%% !&!+5 4!&$(,!+5 &-!%%%! /%"-$"+.#"&2 4!%%%5 &*%!.#"&--!%%%2 "-!-$"!0 -$6%$&&!"2 4**$!%5 4 -$*$+&%5 &"%$,,"$ &#+& /!&$#$%&$%2 /4/$%$,%5 &,!&%%"+"3!"-2 4,!&%5 "-!$&%%%% !&$%+&%2 4%%%% !&%+&%5 © 2011 MITRE Standardization Efforts leveraged by the Security Content Automation Protocol (SCAP) &%/%& %",! /!&$#$%2 4'"$ %5 &!"-!,+!$(%"!&"-"$$/"+&2 4+!$(%5 &,+!$(%"!&"-"$$/"+&$&!"-2 4"$!/%& 5 "-!"!+$ /%/%& % "$%+$/2 "-"!#"/"%+$"!+$("!%2 "-!%+$ /%/%& %"!"$ &"#"/2 "-!%+$&"#$("!" /%/%& %"!"$ %&"#"/2 4"!+$("!%5 4"!+$("!%&%5 4%%%% !&!+5 4!&$(,!+5 &-!%%%! /%"-$"+.#"&2 4!%%%5 &*%!.#"&--!%%%2 "-!-$"!0 -$6%$&&!"2 4**$!%5 4 -$*$+&%5 &"%$,,"$ &#+& /!&$#$%&$%2 /4/$%$,%5 &,!&%%"+"3!"-2 4,!&%5 "-!$&%%%% !&$%+&%2 4%%%% !&%+&%5 © 2011 MITRE Standardization Efforts focused on mitigating risks and enabling faster incident response &%/%& %",! /!&$#$%2 4'"$ %5 &!"-!,+!$(%"!&"-"$$/"+&2 4+!$(%5 &,+!$(%"!&"-"$$/"+&$&!"-2 4"$!/%& 5 "-!"!+$ /%/%& % "$%+$/2 "-"!#"/"%+$"!+$("!%2 "-!%+$ /%/%& %"!"$ &"#"/2 "-!%+$&"#$("!" /%/%& %"!"$ %&"#"/2 4"!+$("!%5 4"!+$("!%&%5 4%%%% !&!+5 4!&$(,!+5 &-!%%%! /%"-$"+.#"&2 4!%%%5 &*%!.#"&--!%%%2 "-!-$"!0 -$6%$&&!"2 4**$!%5 4 -$*$+&%5 &"%$,,"$ &#+& /!&$#$%&$%2 /4/$%$,%5 &,!&%%"+"3!"-2 4,!&%5 "-!$&%%%% !&$%+&%2 4%%%% !&%+&%5 © 2011 MITRE Configuration Guidance Analysis Asset Inventory CPE/ OVAL/ ARF Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Trust Management Enterprise IT Change Management Operational Enterprise Networks CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Mitigating Risk Exposures Asset Definition Configuration Guidance CPE/OVAL System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF Responding to Security Threats CPE/ OVAL/ ARF Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Incident Report CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Trust Management Enterprise IT Change Management Operational Enterprise Networks CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC CVE/CWE/OVAL/ CVSS/CWSS CVE Vulnerability Analysis Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF CVE Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CVE CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Alert CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CVE Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CVE CPE/OVAL Vulnerability Alert CVE Configuration Guidance CVE Asset Definition Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes CVE Trust Management CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF Enterprise IT Change Management Operational Enterprise Networks CVE CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Configuration Guidance XCCDF/OVAL/ CCE/CCSS System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC OVAL Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE OVAL OVAL CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF OVAL Threat Analysis Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes OVAL OVAL CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes OVAL Configuration Guidance Analysis CPE/ OVAL/ ARF OVAL CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC OVAL OVAL Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF CVE/CWE/OVAL/ CVSS/CWSS Incident Report OVAL OVAL Threat Alert OVAL CPE/OVAL Vulnerability Alert OVAL Asset Definition Operational Enterprise Networks OVALCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ OVAL Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF ARF ARF Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation ARF CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF ARF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC ARF ARF Threat Analysis Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes ARF ARF CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Vulnerability Analysis ARF Configuration Guidance Analysis ARF Asset Inventory ARF ARF Operational Enterprise Networks ARF CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ ARF Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF XCCDF OVAL/XCCDF/ CCE/CCSS/ CPE/ARF CPE/ OVAL/ ARF XCCDF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC XCCDF Threat Analysis XCCDF Vulnerability Analysis XCCDF XCCDF Configuration Guidance Analysis Asset Inventory XCCDF Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation XCCDF CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDFXCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Trust Management Enterprise IT Change Management Operational Enterprise Networks XCCDF Identity Management CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/CWSS/CEE/ARF Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CCE System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC CCE CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CCE Threat Analysis CCE CCE Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF CCE CCE Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF CCE Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CCE CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CCECVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CCE Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CPE OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC CPE CPE CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CPE Threat Analysis CPE Vulnerability Analysis CPE Configuration Guidance Analysis CPE CPE Asset Inventory CPE Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CPE CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CPE CPE Trust Management Enterprise IT Change Management Identity Management CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/CWSS/CEE/ARF Centralized Reporting Enterprise IT Asset Management Knowledge Repositories XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CVSS CVSS Vulnerability Analysis Threat Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Alert CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CVSS Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CVSS CPE/OVAL Vulnerability Alert CVSS Configuration Guidance CVSS Asset Definition Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CVSSCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CVSS Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWSS CWE/CAPEC/ SBVR/CWSS/ MAEC CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CWSS CWSS Vulnerability Analysis Threat Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Alert CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CWSS Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CWSS CPE/OVAL Vulnerability Alert CWSS Configuration Guidance CWSS Asset Definition Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CWSS CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CWSSCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CWSS Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements SAFES CWE/CAPEC/ SBVR/CWSS/ MAEC Vulnerability Alert CVE/CWE/OVAL/ CVSS/CWSS Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Alert Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation SAFES CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks SAFESCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ SAFES Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements SACM CWE/CAPEC/ SBVR/CWSS/ MAEC Vulnerability Alert CVE/CWE/OVAL/ CVSS/CWSS Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Alert CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Incident Report CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation SACM CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks SACM CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ SACM Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CAPEC OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CAPEC CWE/CAPEC/ SBVR/CWSS/ MAEC CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF CAPEC Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CAPEC CAPEC Vulnerability Analysis CAPEC Configuration Guidance Analysis Asset Inventory CAPEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CAPEC CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CAPECCVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CAPEC Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL Vulnerability Alert XCCDF/OVAL/ CCE/CCSS Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CEE OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC CEE CEE Configuration Guidance Analysis Asset Inventory CEE Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Operational Enterprise Networks CEE CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CEE Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF CVE/CWE/OVAL/ CVSS/CWSS CWE Vulnerability Analysis Threat Analysis CWE System & Software Assurance Guidance/ Requirements CWE CWE/CAPEC/ SBVR/CWSS/ MAEC Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF CWE Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes CWE CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Incident Report CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC CWE CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CPE/ OVAL/ ARF Threat Alert CWE CPE/OVAL Vulnerability Alert CWE Configuration Guidance CWE Asset Definition Operational Enterprise Networks CWECVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CWE Trust Management Enterprise IT Change Management CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Knowledge Repositories Asset Definition Configuration Guidance CPE/OVAL XCCDF/OVAL/ CCE/CCSS Configuration Guidance Analysis Asset Inventory OVAL/XCCDF/ CCE/CCSS/ CPE/ARF System & Software Assurance Guidance/ Requirements CWE/CAPEC/ SBVR/CWSS/ MAEC Vulnerability Alert CPE/ OVAL/ ARF Threat Alert CVE/CWE/OVAL/ CVSS/CWSS Vulnerability Analysis CCE/ CCSS/ OVAL/ARF/ XCCDF/CPE CVE/CWE/CVSS/ CPE/CWSS/ CAPEC/MAEC Threat Analysis CVE/CWE/ CVSS/ARF/ CCE/CCSS/ ARF/CWSS/ OVAL/CPE/ XCCDF Incident Report CAIF/IDMEF/IODEF/CVE/CWE/ OVAL/CPE/MAEC/CCSS/CWSS/ CEE/ARF Intrusion Detection CVE/CWE/ CVSS/ARF/ CCE/CCSS/ OVAL/CWSS/ XCCDF/CPE/ CAPEC/MAEC Incident Management CVE/CWE/ CVSS/ARF/. CCE/OVAL/ CCSS/ XCCDF/CPE/ CAPEC/CWSS/ MAEC/CEE Operations Security Management Processes Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation CVE/CWE/ CVSS/CCE/ CCSS/OVAL/ XCCDF/ CPE/CAPEC/ MAEC/CWSS/ CEE/ARF CWE/CAPEC/ CWSS/MAEC/ OVAL/OCIL/ XCCDF/CCE/ CPE/ARF/ SAFES/SACM Development & Sustainment Security Management Processes Trust Management Enterprise IT Change Management Operational Enterprise Networks CVE/CWE/CVSS/CCE/CCSS/OVAL/XCCDF/ CPE/CAPEC/MAEC/CWSS/CEE/ARF Identity Management Centralized Reporting Enterprise IT Asset Management Linkage with Fundamental Changes in Enterprise Security Initiatives © 2011 MITRE “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action” Testing, attestation, and assurance Software Assurance Collaborative threat Malware intelligence Analysis Engineering Remote Assessment Design Architecture Vulnerability Assessment Network Device Assessment Configuration Assessment Remediation Supply Chain Assurance Asset Inventory Compliance Management Event Management Modeling and Simulation Sensing and Warning Structured Threat Information Response Incident Reporting Enterprise Reporting Forensics and Damage Assessment Recovery Reconstitution 3 © 2011 MITRE Ecosystem Areas Directly Enabled/Supported by Enumerations/Languages Testing, attestation, and assurance Collaborative threat intelligence MAEC, CAPEC, OVAL, CybOX CVE, OVAL, CWE, CAPEC, MAEC, CybOX, CWRAF, Engineering CWSS, CCR, SAFES, SACM, ISO 15026-2, OVAL, CVE, CVSS, ISO TR 20004, CPE, XCCDF, SCAP, SWID, SWAAP CWE, CVRF, SWID Sensing and Warning MAEC, OVAL, CPE, OVAL, AI, SWID Design CVE, OVAL, TNC Architecture CCE, OVAL, CPE, CCSS, XCCDF, OCIL, SCAP, CVE, OVAL, SWID TNC ERAP, CRE, ERI, RCL, RPL, CWE Supply Chain Assurance CVE, CVSS, CCE, OVAL, CPE, CCSS, XCCDF, OCIL, SCAP, SWID CAPEC, CybOX, CVE CYBEX, IODEF, RID, TLP, MAEC, CybOX, CVE, Forensics CWE, CAPEC AI, ARF, ASR, PLARR CEE, CLS, CLT, CELR, CybOX, EMAP Modeling and Simulation Response and Damage Assessment Recovery Reconstitution © 2011 MITRE Status of ITU-T Recommendations xseries Title ITU-T Status Planned Determination x.1500 Cybersecurity Information Exchange (CYBEX) Techniques Final Dec 2010 x.1520 Common Vulnerabilities and Exposures Final Dec 2010 x.1521 Common Vulnerability Scoring System Final Dec 2010 x.cwe Common Weakness Enumeration Draft Aug 2011 x.oval Open Vulnerability and Assessment Language Draft Aug 2011 x.cce Common Configuration Enumeration Draft Aug 2011 x.capec Common Attack Pattern Enumeration and Classification Draft Feb 2012 x.maec Malware Attribute Enumeration and Classification Draft 2012 x.cwss Common Weakness Scoring System Draft 2012 x.cee Common Event Expression Draft 2012 x.cpe Common Platform Enumeration Draft 2012 x.arf Asset Reporting Format Draft 2012 x.xccdf Extensible Configuration Checklist Description Format Draft 2012 © 2011 MITRE Vulnerability Type Trends: A Look at the CVE List (2001 - 2007) © 2011 MITRE Removing and Preventing the Vulnerabilities Requires More Specific Definitions …CWEs Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting’) (79) • Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80) • Improper Neutralization of Script in an Error Message Web Page (81) • Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82) • Improper Neutralization of Script in Attributes in a Web Page (83) • Improper Neutralization of Encoded URI Schemes in a Web Page (84) • Doubled Character XSS Manipulations (85) • Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86) • Improper Neutralization of Alternate XSS Syntax (87) 9 14 19 Improper Restriction of Operations within the Bounds of a Memory Buffer (119) • Buffer Copy without Checking Size of Input ('Classic Buffer Overflow’) (120) • Write-what-where Condition (123) • Out-of-bounds Read (125) • Improper Handling of Length Parameter Inconsistency (130) • Improper Validation of Array Index (129) • Return of Pointer Value Outside of Expected Range (466) • Access of Memory Location Before Start of Buffer (786) • Access of Memory Location After End of Buffer (788) • Buffer Access with Incorrect Length Value 805 • Untrusted Pointer Dereference (822) • Use of Out-of-range Pointer Offset (823) • Access of Uninitialized Pointer (824) • Expired Pointer Dereference (825) Path Traversal (22) • Relative Path Traversal (23) • Path Traversal: '../filedir' (24) • Path Traversal: '/../filedir' (25) • <------------8 more here --------------> • Path Traversal: '....//' (34) • Path Traversal: '.../...//' (35) • Absolute Path Traversal (36) • • • • Path Traversal: '/absolute/pathname/here’ (37) Path Traversal: '\absolute\pathname\here’ (38) Path Traversal: 'C:dirname’ (39) Path Traversal: '\\UNC\share\name\' (Windows UNC Share) (40) © 2011 MITRE Wouldn’t it beisnice What wrong if the weaknesses in software were as easy to spot and their impact as easy to understand as a screen door in a submarine … with this picture? © 2011 MITRE Linkage with Fundamental Changes in Enterprise Security Initiatives © 2011 MITRE Status of ITU-T Recommendations xseries Title ITU-T Status Planned Determination x.1500 Cybersecurity Information Exchange (CYBEX) Techniques Final Dec 2010 x.1520 Common Vulnerabilities and Exposures Final Dec 2010 x.1521 Common Vulnerability Scoring System Final Dec 2010 x.cwe Common Weakness Enumeration Draft Aug 2011 x.oval Open Vulnerability and Assessment Language Draft Aug 2011 x.cce Common Configuration Enumeration Draft Aug 2011 x.capec Common Attack Pattern Enumeration and Classification Draft Feb 2012 x.maec Malware Attribute Enumeration and Classification Draft 2012 x.cwss Common Weakness Scoring System Draft 2012 x.cee Common Event Expression Draft 2012 x.cpe Common Platform Enumeration Draft 2012 x.arf Asset Reporting Format Draft 2012 x.xccdf Extensible Configuration Checklist Description Format Draft 2012 © 2011 MITRE © 2011 MITRE But you also needed to deal with the people that are out there trying to take advantage of vulnerabilities and weaknesses in your technologies, processes, or practices … …with defensive and offensive security capabilities. © 2009 The MITRE Corporation. All rights reserved. Security Feature XSS (CWE-79) Exploit (CAPEC-86) SQL Injection (CWE-89) Exploit (CAPEC-66) © 2011 MITRE © 2011 MITRE © 2011 MITRE © 2011 MITRE CWE web site visitors by City © 2011 MITRE © 2011 MITRE © 2011 MITRE 16 July 2010 © 2011 MITRE © 2011 MITRE Industry Uptake CWE © 2011 MITRE © 2011 MITRE © 2011 MITRE ISO/IEC JTC 1/SC 27/WG 3, NWP © 2011 MITRE CWE Compatibility & Effectiveness Program ( launched Feb 2007) cwe.mitre.org/compatible/ 53 31 © 2011 MITRE © 2011 MITRE Korean Japanese © 2011 MITRE CWE Coverage – Implemented … CWE IDs mapped to Klocwork Java issue types - current http://www.klocwork.com/products/documentation/curren... CWE IDs mapped to Klocwork Java issue types From current CWE IDs mapped to Klocwork Java issue types See also Detected Java Issues. CWE ID Klocwork Checker Code and Description CWE IDs mapped to Klocwork C and C++ issue types/ja20 -...(http://cwe.mitre.org http://www.klocwork.com/products/documentation/curren... SV.TAINT Tainted data /data/definitions/20.html) 73 (http://cwe.mitre.org /data/definitions/73.html) 79 (http://cwe.mitre.org /data/definitions/79.html) < CWE IDs mapped to Klocwork C and C++ issue types 80 (http://cwe.mitre.org CWE IDs mapped to Klocwork C and C++ issue types/ja /data/definitions/80.html) ?; Detected C and C++ Issues. From current Cenzic Product Suite is CWE Compatible Cenzic Hailstorm Enterprise ARC, Cenzic Hailstorm Professional and Cenzic ClickToSecure are compatible with the CWE standard or Common Weakness Enumeration as maintained by Mitre Corporation. Web security assessment results from the Hailstorm product suite are mapped to the relevant CWE ID's providing users with additional information to classify and describe common weaknesses found in Web applications. CWE ID For additional details on CWE, please visit: http://cwe.mitre.org/index.html 20 (http://cwe.mitre.org /data/definitions /20.html) The following is a mapping between Cenzic’s SmartAttacks and CWE ID's: 13 Check HTTP Methods SV.TMPFILE Temporary file path tampering SV.PATH Path and file name injection CWE IDs mapped to Klocwork C and C++File injection SV.PATH.INJ 77 (http://cwe.mitre.org SV.EXEC Process Injection issue types/ja /data/definitions/77.html) SV.EXEC.DIR Process Injection. Working Directory www.cenzic.com | (866) 4-CENZIC (866-423-6942) Cenzic SmartAttack Name Application 1 Exception Application 2 Exception (WS) Application Path 3 Disclosure Authentication 4 Bypass Authorization 5 Boundary Blind SQL 6 Injection Blind SQL 7 Injection (WS) Browse HTTP 8 from HTTPS List 9 Brute Force Login 10 Buffer Overflow Buffer Overflow 11 (WS) Check Basic Auth 12 over HTTP SV.TAINT_NATIVE Tainted data goes to native code CWE ID/s 22 (http://cwe.mitre.org /data/definitions /22.html) CWE-388: Error Handling CWE-388: Error Handling 73 (http://cwe.mitre.org /data/definitions /73.html) CWE-200: Information Leak (rough match) CWE-89: Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') (rough match) CWE-285: Missing or Inconsistent Access Control, CWE-425: Direct Request ('Forced Browsing') CWE-89: Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') CWE-89: Failure to Sanitize Data into SQL Queries (aka 'SQL Injection') CWE-200: Information Leak CWE-521: Weak Password Requirements CWE-120: Unbounded Transfer ('Classic Buffer Overflow') CWE-120: Unbounded Transfer ('Classic Buffer Overflow') CWE-200: Information Leak SV.XSS.DB Cross Site Scripting (Stored XSS) SV.DATA.DB Data injection SV.XSS.REF Cross Site Scripting (Reflected XSS) SV.XSS.DB Cross Site Scripting (Stored XSS) SV.XSS.REF Cross Site Scripting (Reflected XSS) SV.SQL Sql Injection 89 (http://cwe.mitre.org SV.SQL.DBSOURCE Unchecked information from the /data/definitions/89.html) database is used in SQL statements SV.DATA.DB Data injection ABV.TAINTED @E<8"$ .".$,. SV.TAINTED.GENERIC @EAH9 .=D 103 (http://cwe.mitre.org SV.STRUTS.VALIDMET Struts Forms: validate method SV.TAINTED.ALLOC_SIZE &'*41 @EG> /data/definitions/103.html) =D 105 (http://cwe.mitre.org SV.TAINTED.CALL.INDEX_ACCESS =I>50@E SV.STRUTS.NOTVALID Struts Forms: inconsistent validate G>:9-/data/definitions/105.html) =D 113 (http://cwe.mitre.org SV.HTTP_SPLIT HTTP Response Splitting /data/definitions/113.html) $+,.!7 SV.CUDS.MISSING_ABSOLUTE_PATH #/=D 117 (http://cwe.mitre.org SV.LOG_FORGING Log Forging /data/definitions/117.html) 129 (http://cwe.mitre.org SV.DOS.ARRINDEX Tainted index used for array access SV.CUDS.MISSING_ABSOLUTE_PATH /data/definitions/129.html)$+,.!7 #/=D 74 (http://cwe.mitre.org /data/definitions /74.html) SV.TAINTED.INJECTION %-! -)1 of 4 77 (http://cwe.mitre.org /data/definitions /77.html) SV.CODE_INJECTION.SHELL_EXEC +B%-! )- 78 (http://cwe.mitre.org /data/definitions /78.html) NNTS.TAINTED @E(.<8FC"$ .".$,. - 3 NULL 62AH9 SV.TAINTED.INJECTION %-! -)- 88 (http://cwe.mitre.org SV.TAINTED.INJECTION %-! -)NNTS.TAINTED @E(.<8FC"$ .".$,. 2/26/11 10:35 AM CWE-650: Trusting HTTP Permission Methods on the Server Side Cenzic CWE Brochure | October 2009 Company Confidential Cenzic®, Hailstorm® and ClickToSecure® are registered trademarks of Cenzic, Inc. The Cenzic logo, Hailstorm Enterprise ARC, and GovShield are trademarks of Cenzic, Inc. © 2009 Cenzic, Inc. All rights reserved. 1 of 7 2/26/11 10:34 AM 1 © 2011 MITRE The Software Supply Chain * Legacy Software Reuse Program Office ? Other Programs ? ? US Global Supplier ? Foreign Develop In-house Acquire ? Contractor Outsource Prime Contractor ? Contractor Off-shore Supplier Foreign Location Software COTS US Foreign Developers Supplier Reuse Acquire Develop In-house ? ? * Outsource ? ? ? “Scope of Supplier Expansion and Foreign Involvement” graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article “Software Development Security: A Risk Management Perspective” synopsis of May 2004 GAO-04-678 report “Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks” © 2011 MITRE Recreation Use Industrial Use Power Use Agricultural Use Home Use Recreation Use Agricultural © 2011 Use MITRE Scoring Weaknesses Based on Context Archetypes: • Web Browser User Interface • Web Servers • Application Servers • Database Systems • Desktop Systems • SSL Vignettes: 1. Web-based Retail Provider 2. Intranet resident health records management system of hospital Web Browser Web Browser Web Browser 2 1 Web Browser Web Browser Web Browser Web Browser © 2011 MITRE © 2011 MITRE © 2011 MITRE Vignettes – Technology Groups & Business/Mission Domains Common Weakness Risk Assessment Framework uses Vignettes with Archetypes to identify top CWEs in respective Domain/Technology Groups © 2011 MITRE CWRAF-Level Technical Impacts 1. Modify data 2. Read data 3. DoS: unreliable execution 4. DoS: resource consumption 5. Execute unauthorized code or commands 6. Gain privileges / assume identity 7. Bypass protection mechanism 8. Hide activities © 2011 MITRE Technical Impact Scorecard Links business value with the technical impact of weakness exploitation Stays away from technical details of individual weaknesses Operates within the context of a vignette © 2011 MITRE Calculating CWSS Impact Weights © 2011 MITRE Scoring Relevant Weaknesses using CWSS © 2011 MITRE Scoring Weaknesses Discovered in Code using CWSS © 2011 MITRE CWSS for a Technology Group 50% 10% 10% 10% 15% 15% Web Vignette 1 … TI(1), TI(2), TI(3), … Web Vignette 2 … TI(1), TI(2), TI(3), … Web Vignette 3 … TI(1), TI(2), TI(3), … Web Vignette 4 … TI(1), TI(2), TI(3), … Web Vignette 5 … TI(1), TI(2), TI(3), … Web Vignette 6 … TI(1), TI(2), TI(3), … Web Application Technology Group Top N List 1 Top N List 2 Top N List 3 Top N List 4 Top N List 5 Top N List 6 Top 10 List CWE Top 10 List for Web Applications can be used to: • Identify skill and training needs for your web team • Include in T’s & C’s for contracting for web development • Identify tool capability needs to support web assessment © 2011 MITRE Relationships between CWRAF, CWSS, and CWE © 2011 MITRE Contact Info cwe@mitre.org capec@mitre.org © 2011 MITRE