WFED's Jared Serbu
Click below to hear the report
By Jared Serbu
Federal News Radio
The Department of Homeland Security, together with two big names in the nonprofit cybersecurity world, released new tools Monday designed to help organizations eliminate common software vulnerabilities.
As part of its campaign to get software creators to build security into their systems from the beginning instead of patching problems after they happen, DHS, together with the MITRE Corporation and the SANS Institute, is trying to translate the wealth of knowledge the software development community already has about existing threats into actionable, to-do lists that could head-off future exploits.
The new tools build on the Common Weakness Enumeration (CWE), a project DHS and MITRE began sponsoring jointly in 2005. CWE was designed to create a global dictionary of common software vulnerabilities along with directions for fixing them, and its developers released a new 2.0 version of the dictionary Monday.
But CWE's backers believe they can make their threat definition process more useful to individual organizations, particularly to organizational leaders who may not necessarily know all the technical ins-and-outs of writing code and designing databases.
One of the tools, the Common Weakness Scoring System (CWSS), is intended to address the fact that an individual software release might have thousands of "bugs," but not all of them are necessarily dangerous. Rather than merely identifying the fact that a chunk of computer code could have been written more securely, it will use a community-based system to assign a "score" to the vulnerability so agencies and businesses can do a better job of setting their secure programming priorities.
"Without that, you can't tell a programmer to do anything," said Alan Paller, director of research at the SANS institute, which works with DHS and MITRE on the CWE project. "If you just give him a list of 860 things, he just throws the list away. If you're ever going to change things so that writing secure software matters, this is an essential moment in making that happen."
A second program, the Common Weakness Risk Analysis Framework (CWRAF), aims to let organizations do a better job of deciding for themselves what vulnerabilities are relevant to their own mission or business area. It lays down a model to let an agency or company make its own list of top potential vulnerabilities based on the line of work it's involved in and what types of technology it uses.
The approach is intended to help organizations figure out more precisely what attacks they're most vulnerable to and to address them, rather than simply instructing their programmers and vendors that they want "secure software."
"There's no incentive system right now that touches the programmer, because by the time the error is discovered it's so far removed from the development process," Paller said. "If you're going to focus programmers on (security), you have to give them a couple things. You have to tell them what to look for, and then you have to give them a way to look for it that doesn't consume them and take the rest of their life. And you can't say, 'this one really matters,' when one person is writing embedded software on an (industrial control) system, and someone else is writing a Web application. Their values are different."
Bob Martin, MITRE's project director for CWE, said that framework will let organizations take the scores that are developed for software vulnerabilities and translate them into something meaningful for the mission or business area they work in. The site will include examples of lists for different business areas, but he said the success of the project will depend on organizations sharing their own "vignettes" with the rest of the community as they use the system.
"Some people have a real problem with denial-of-service issues, others with file integrity, others with ability to read memory or write memory, and different industries have different of those as the number one issue," he said. "CWSS and CWRAF are meant to allow that difference to be communicated either to tools or to ordering of lists so you can put the right terms and conditions on contracts. You can have the right training focus, and you can have the right emphasis in your testing."
But even if organizations all have their own cybersecurity differences, there are a lot of common threads. That was emphasized in another release from MITRE and SANS Monday, when the groups updated their list of the top 25 most dangerous software errors.
Topping the list this year is the SQL injection vulnerability the online hacker group LulzSecurity, which said it had disbanded this weekend, used in to break into several government and private sector systems.