
Making Security Measurable (a.k.a., Architecting for Measurable Security)

Robert A. Martin. Presentation 2.3, ARO Workshop on Cyber Situational Awareness, 14 November 2007.


Presentation Transcript


  1. Making Security Measurable (a.k.a., Architecting for Measurable Security) Robert A. Martin Presentation 2.3 ARO Workshop on Cyber Situational Awareness 14 November 2007

  2. 2007 InformationWeek/Accenture Global Information Security Survey Published July 16, 2007

  3. 2007 InformationWeek/Accenture Global Information Security Survey (published July 16, 2007)
  • Many Types of Attacks… known vulns in OS & packaged apps; misconfigured systems; unknown vulns in own apps; aimed at DB, applications, and web sites
  • Need to Master Many Technologies… firewalls; anti-virus; anti-spyware; app firewalls; IDS; SIMS; vulnerability scans; patching
  • More Vulnerable Because of… exposed backend & homegrown apps; increased sophistication & volume of attacks; more malicious intent; lack of senior attention; incompatible security products; unable to adapt policies/configuration rules; outsourcing

  4. Today Every Organization Has a Different Way of Doing Cyber Security…
  Cyber security tools, practices and technology have evolved dramatically over the last 10 years. The result has been that most enterprises have been buying each new tool, training their people on it and integrating it as they realize they need to address a new area of Cyber Security… Then they buy another tool, train their people on that one too and integrate it with the other tools… Repeat for each “type” of security tool/challenge that appears: Assets, Configuration, Vulnerabilities, Patches, Intrusions, Malware, Malicious Code, etc.
  Result: each organization has a different tapestry of tools/processes integrated together trying to do the Cyber Security job… Instead we should be architecting our security measurement and management method and get tools to implement and support it.

  5. What Do The Building Blocks for “Architecting Security” Look Like?
  • Standard ways for enumerating “things we care about”
  • Languages/Formats for encoding/carrying high fidelity content about the “things we care about”
  • Repositories of this content for use in communities or individual organizations
  • Adoption/branding and vetting programs to encourage adoption by tools and services

  6. The Building Blocks Are:
  • Enumerations: catalog the fundamental entities in IA, Cyber Security, and Software Assurance. Vulnerabilities (CVE), misconfigurations (CCE), software packages (CPE), malware (CME), attack patterns (CAPEC), weaknesses in code/design/architecture (CWE)
  • Languages/Formats: support the creation of machine-readable state assertions, assessment results, and messages. Configuration/vulnerability/patch/asset patterns (XCCDF & OVAL), results from standards-based assessments (CRF), software security patterns (SBVR), event patterns (CEE), malware patterns (MAEC), risk of a vulnerability (CVSS), information messages (CAIF & *DEF)
  • Knowledge Repositories: packages of assertions supporting a specific application. Vulnerability advisories & alerts (US-CERT Advisories/IAVAs), configuration assessment (NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGs), asset inventory (NIST/DHS NVD), code assessment & certification (NIST SAMATE, DoD DIACAP & eMASS)
  • Tools: interpret IA, Cyber Security, and SwA content in context of enterprise network. Methods for assessing compliance to languages, formats, and enumerations
  (Diagram: CPE, CVE, CCE, XCCDF & OVAL; NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGs; NIST/DHS NVD)
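The payoff of shared enumerations and formats is that records from different sources can be joined without tool-specific glue. The following is an added example, not code from the presentation or from MITRE: an asset inventory keyed by CPE names, vulnerability alerts that name affected CPEs and carry a CVSS score, and configuration check results keyed by CCE, joined into one per-host report. It assumes the CPE 2.2 URI form (`cpe:/part:vendor:product:version:...`) with prefix-style matching where omitted or empty pattern components match anything, and NVD's CVSS v2 severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0); the vendor, product, CVE and CCE identifiers are constructed placeholders marked EXAMPLE.

```python
"""Joining enumerations and formats into one report (added example, not part of
the presentation).  Assumptions: CPE 2.2 URI names with prefix-style matching,
NVD's CVSS v2 severity bands, and constructed CVE/CCE identifiers marked EXAMPLE."""
from dataclasses import dataclass


def parse_cpe(uri: str) -> list:
    """Split a CPE 2.2 URI into components; trailing empty components are
    dropped so 'cpe:/o:v:os::' and 'cpe:/o:v:os' name the same thing."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def cpe_matches(pattern: str, name: str) -> bool:
    """CPE 2.2 name matching as assumed here: every component given in
    `pattern` must equal the corresponding component of `name`; components
    that are omitted or empty in `pattern` match anything."""
    p, n = parse_cpe(pattern), parse_cpe(name)
    if len(p) > len(n):
        return False
    return all(a == "" or a == b for a, b in zip(p, n))


@dataclass
class Asset:
    """One inventoried host with the CPE names of its OS and applications."""
    host: str
    cpes: list


@dataclass
class VulnAlert:
    """A vulnerability alert: CVE id, affected CPE patterns, CVSS base score."""
    cve: str
    affected: list
    cvss: float


@dataclass
class ConfigResult:
    """One benchmark check result, identified by the CCE it tests."""
    host: str
    cce: str
    passed: bool


def severity(cvss: float) -> str:
    """NVD's qualitative bands for CVSS v2 base scores."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def centralized_report(assets, alerts, results) -> dict:
    """Per host: the CVEs whose affected CPEs match the host's inventory, with
    severity, plus the CCE checks the host failed.  No tool-specific parsing
    is needed because every record already uses the shared names."""
    report = {}
    for asset in assets:
        vulns = sorted(
            (a.cve, severity(a.cvss))
            for a in alerts
            if any(cpe_matches(pat, cpe) for pat in a.affected for cpe in asset.cpes)
        )
        failed = sorted(r.cce for r in results if r.host == asset.host and not r.passed)
        report[asset.host] = {"vulns": vulns, "failed_checks": failed}
    return report


# Constructed sample data (vendor, product, CVE and CCE ids are placeholders).
ASSETS = [
    Asset("web01", ["cpe:/o:examplevendor:exampleos:5.0", "cpe:/a:examplevendor:webserver:2.2.4"]),
    Asset("db01", ["cpe:/o:examplevendor:exampleos:5.0", "cpe:/a:examplevendor:dbms:10.1"]),
]
ALERTS = [
    VulnAlert("CVE-EXAMPLE-0001", ["cpe:/a:examplevendor:webserver"], 7.5),  # all versions
    VulnAlert("CVE-EXAMPLE-0002", ["cpe:/a:examplevendor:dbms:10.1"], 4.3),  # one version
    VulnAlert("CVE-EXAMPLE-0003", ["cpe:/a:examplevendor:dbms:9.0"], 9.0),   # not deployed
]
RESULTS = [
    ConfigResult("web01", "CCE-EXAMPLE-1", True),
    ConfigResult("web01", "CCE-EXAMPLE-2", False),
    ConfigResult("db01", "CCE-EXAMPLE-2", True),
]

if __name__ == "__main__":
    for host, entry in centralized_report(ASSETS, ALERTS, RESULTS).items():
        print(host, entry)
```

The matching rule is what makes the join robust: an alert that names `cpe:/a:examplevendor:webserver` with no version covers every inventoried version, while an alert for `dbms:9.0` does not fire against a host running `10.1`. A real deployment would load the alerts from a CVE feed and the results from an XCCDF/OVAL benchmark run instead of the constructed lists.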

  7. The Building Blocks Are: (diagram: CPE, CVE, CCE, XCCDF & OVAL; NIST Checklists, CIS Benchmarks, NSA Configuration Guides, DISA STIGs; NIST/DHS NVD; a Configuration Guidance Knowledge Repository from which a Benchmark is derived)

  8. (Diagram: Knowledge Repositories supply Configuration Guidance to Operations Security Management Processes, Configuration Guidance Analysis, Operational Enterprise Networks, Enterprise IT Asset Management, Enterprise IT Change Management and Centralized Reporting)

  9. (Same diagram, with Benchmarks derived from the Configuration Guidance and Benchmark Results flowing back from each assessed part of the enterprise to Centralized Reporting)

  10. (Diagram of the enterprise security management functions: Asset Inventory, Configuration Guidance Analysis, Vulnerability Analysis, Threat Analysis, Intrusion Detection, Incident Management; Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation; Operations Security Management Processes; Development & Sustainment Security Management Processes; Operational Enterprise Networks; Enterprise IT Asset Management; Enterprise IT Change Management; Centralized Reporting)

  11. (Same diagram annotated with the standards each function consumes, read by position: CVE/CWE/CVSS/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC/CEE/CRF at Centralized Reporting and the management processes; CPE/OVAL/CRF for Asset Inventory; CCE/OVAL/CRF/XCCDF/CPE for Configuration Guidance Analysis; CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE for Vulnerability Analysis; CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC for Threat Analysis; the same plus CEE for Intrusion Detection and Incident Management)

  12. (Same diagram as slide 11)

  13. (Diagram: the enterprise functions of slide 10 fed by Knowledge Repositories. Asset Definition, Configuration Guidance, Vulnerability Alert, Threat Alert and Incident Report are carried as OVAL/XCCDF/CCE/CPE/CRF; System & Software Assurance Guidance/Requirements as CWE/CAPEC/SBVR/MAEC; alerts and reports are exchanged via CAIF/VEDEF/SIDEF/SCDEF/SFDEF/IDMEF/IODEF/FIDEF/CVE/CWE/OVAL/CPE/CME/MAEC/CEE/CRF. Labelled flows: Asset Definition CPE/OVAL; Configuration Guidance XCCDF/OVAL/CCE; Vulnerability Alert CVE/CWE/OVAL/CVSS; Threat Alert CVSS/CME/CAPEC/MAEC. The two halves are captioned Mitigating Risk Exposures and Responding to Security Threats)

  14. (Same diagram, highlighting everywhere CVE appears)

  15. (Same diagram, highlighting everywhere OVAL appears)

  16. (Same diagram, highlighting everywhere CRF appears)

  17. (Same diagram, highlighting everywhere XCCDF appears)

  18. (Same diagram, highlighting everywhere CCE appears)

  19. (Same diagram, highlighting everywhere CPE appears)

  20. (Same diagram, highlighting everywhere CVSS appears)

  21. (Same diagram, highlighting everywhere CME appears)

  22. (Same diagram, highlighting everywhere MAEC appears)

  23. (Same diagram, highlighting everywhere CAPEC appears)

  24. (Same diagram, highlighting everywhere CEE appears)

  25. (Same diagram, highlighting where SBVR appears: the assessment of system development, integration and sustainment activities)

  26. (Same diagram, highlighting everywhere CWE appears)

  27. (The full diagram again, without highlighting)

  28. (Zoom on the diagram: a Vulnerability Alert, carried as CVE/CWE/OVAL/CVSS, feeds Vulnerability Analysis, which works with CVE/CWE/CVSS/CCE/OVAL/CRF/XCCDF/CPE; the neighbouring Configuration Guidance Analysis box uses CCE/OVAL/CRF/XCCDF/CPE)

  29. (The full diagram again)

  30. (Zoom on the diagram: Configuration Guidance, carried as XCCDF/OVAL/CCE, feeds Configuration Guidance Analysis, which works with CCE/OVAL/CRF/XCCDF/CPE; the neighbouring Asset Inventory box uses CPE/OVAL/CRF)

  31. (The full diagram again)

  32. (Zoom on the diagram: System Assurance Guidance/Mandates/Requirements, carried as OVAL/XCCDF/CCE/CPE/CRF, feeds the Assessment of System Development, Integration, & Sustainment Activities and Certification & Accreditation, which works with CWE/CAPEC/SBVR)

  33. (The full diagram again)

  34. (Zoom on the diagram: a Threat Alert, carried as CVSS/CME/CAPEC/MAEC, feeds Threat Analysis, which works with CVE/CWE/CVSS/CRF/CCE/OVAL/XCCDF/CPE/CME/CAPEC/MAEC)

  35. [makingsecuritymeasurable.mitre.org] Robert A. Martin ramartin@mitre.org

  36. Difficult to Integrate Information on Vulnerabilities and Exposures (diagram of disconnected sources, each marked “?”): Security Advisories; Priority Lists; Software Vendor Patches; Vulnerability Scanners; Intrusion Detection Systems; Research; Incident Response & Reporting; Vulnerability Web Sites & Databases

  37. CVE Growth Status (as of Nov 6, 2007): 27,663 unique CVE names (chart of unique CVE names over time)

  38. Vulnerability Type Trends: A Look at the CVE List (2001 - 2006)

  39. Removing and Preventing the Vulnerabilities Requires More Specific Definitions… CWEs
  • Cross-site scripting (XSS) (79): Basic XSS (80); XSS in error pages (81); Script in IMG tags (82); XSS using Script in Attributes (83); XSS using Script Via Encoded URI Schemes (84); Doubled character XSS manipulations, e.g. '<<script' (85); Invalid Characters in Identifiers (86); Alternate XSS syntax (87)
  • Mobile Code: Invoking untrusted mobile code (494)
  • Buffer Errors (119): Unbounded Transfer (classic overflow) (120); Write-what-where condition (123); Boundary beginning violation ('buffer underwrite') (124); Out-of-bounds Read (125); Wrap-around error (128); Unchecked array indexing (129); Length Parameter Inconsistency (130); Other length calculation error (131); Miscalculated null termination (132); String Errors (133)
  • Often Misused: Path Manipulation (249): Relative Path Traversal (22); Path Issue - dot dot slash - '../filedir' (24); Path Issue - leading dot dot slash - '/../filedir' (25); Path Issue - leading directory dot dot slash - '/directory/../filename' (26); Path Issue - directory doubled dot dot slash - 'directory/../../filename' (27); Path Issue - dot dot backslash - '..\filename' (28); Path Issue - leading dot dot backslash - '\..\filename' (29); Path Issue - leading directory dot dot backslash - '\directory\..\filename' (30); Path Issue - directory doubled dot dot backslash - 'directory\..\..\filename' (31); Path Issue - triple dot - '...' (32); Path Issue - multiple dot - '....' (33); Path Issue - doubled dot dot slash - '....//' (34); Path Issue - doubled triple dot slash - '.../...//' (35)
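The path-manipulation entries show why the slide argues for finer definitions: each variant defeats a particular ad hoc guard. The following is an added example, not code from the presentation or from MITRE, that runs three guards an application might use over constructed inputs matching the CWE-24 to CWE-35 variants listed above: a blacklist for the literal `../`, a sanitizer that strips `../`, and canonicalisation followed by a containment check. The document root `BASE` and the file names are constructed, nothing is read from disk, and `.`/`..` are resolved with POSIX semantics via `posixpath`.

```python
"""Why path-manipulation weaknesses are enumerated one variant at a time
(added example, not part of the presentation).  Three guards for a
user-supplied file name are compared on the variants the slide lists;
BASE and the names are constructed, nothing touches disk, and '.' / '..'
are interpreted with POSIX semantics."""
import posixpath

BASE = "/srv/app/public"   # constructed document root


def blacklist_filter(user_path: str) -> bool:
    """Guard 1: refuse any name containing the literal '../'.  Catches the
    slash forms (CWE-24..27) but not the backslash forms (CWE-28..31)."""
    return "../" not in user_path


def strip_sanitizer(user_path: str) -> str:
    """Guard 2: delete every '../' and use what is left.  A single pass over
    '....//' (CWE-34) or '.../...//' (CWE-35) leaves exactly '../' behind."""
    return user_path.replace("../", "")


def resolve_under_base(user_path: str):
    """Guard 3: canonicalise, then check containment.  Backslashes are
    treated as separators (CWE-28..31), '.' and '..' are collapsed, and the
    result must stay inside BASE.  Returns the resolved path or None."""
    candidate = posixpath.normpath(posixpath.join(BASE, user_path.replace("\\", "/")))
    if candidate == BASE or candidate.startswith(BASE + "/"):
        return candidate
    return None


# Constructed inputs, one per variant named on the slide.
VARIANTS = {
    "CWE-24": "../filedir",
    "CWE-25": "/../filedir",
    "CWE-26": "/directory/../filename",
    "CWE-27": "directory/../../filename",
    "CWE-28": "..\\filename",
    "CWE-29": "\\..\\filename",
    "CWE-30": "\\directory\\..\\filename",
    "CWE-31": "directory\\..\\..\\filename",
    "CWE-32": ".../filename",
    "CWE-33": "..../filename",
    "CWE-34": "....//filename",
    "CWE-35": ".../...//filename",
}


def audit() -> dict:
    """For each variant: does guard 1 let it through, what guard 2 leaves
    behind, and where guard 3 resolves it (None means rejected)."""
    return {
        cwe: {
            "blacklist_allows": blacklist_filter(p),
            "after_strip": strip_sanitizer(p),
            "canonical": resolve_under_base(p),
        }
        for cwe, p in VARIANTS.items()
    }


if __name__ == "__main__":
    for cwe, row in audit().items():
        print(cwe, row)
```

Two caveats the audit makes visible. Under POSIX semantics `...` and `....` are ordinary names, so guard 3 resolves CWE-32 to CWE-35 to harmless paths inside `BASE`; on a platform that interprets them as parent references the canonicaliser must apply that platform's rules instead, which is exactly the kind of distinction the per-variant CWE entries record. And canonicalising the string says nothing about symbolic links already inside `BASE`; that needs a `realpath`-style check on the opened file, which is a separate weakness.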

  40. (Diagram of the sources drawn on for CWE: PLOVER, Microsoft, Aslam, OWASP, CLASP, Protection Analysis, 7 Kingdoms, RISOS, Weber, Tool B, Bishop, WASC, Landwehr, Tool A)

  41. Coverity Using A Unilateral NDA with MITRE to Bring in Info
  Purpose: Sharing the proprietary/company confidential information contained in the underlying Knowledge Repository of the Knowledge Owner’s Capability for the sole purpose of establishing a public Common Weakness Enumeration (CWE) dictionary that can be used by vendors, customers, and researchers to describe software, design, and architecture related weaknesses that have security ramifications. The individual contributions from numerous organizations, based on their proprietary/company-confidential information, will be combined into a consolidated collection of weakness descriptions and definitions with the resultant collection being shared publicly. The consolidated collection of knowledge about weaknesses in software, design, and architecture will make no reference to the source of the information used to describe, define, and explain the individual weaknesses.

  42. Current Community Contributing to the Common Weakness Enumeration • AppSIC • Aspect Security • Booz Allen Hamilton Inc. • Cenzic • CERIAS/Purdue University • CERT/CC • Cigital • CodescanLabs • Core Security • Coverity • Fortify • Gramma Tech • IBM • Interoperability Clearing House • JHU/APL • JMU • Kestrel Technology • KDM Analytics • Klocwork • McAfee • Microsoft • MIT Lincoln Labs • MITRE • North Carolina State University • NIST • NSA • OMG • Oracle • Ounce Labs • OWASP • Palamida • Parasoft • PolySpace Technologies • proServices Corporation • SANS Institute • SecurityInnovation • Secure Software • Security University • Semantic Designs • SofCheck • SPI Dynamics • SureLogic, Inc. • Symantec • UNISYS • VERACODE • Watchfire • WASC • Whitehat Security, Inc. • Tim Newsham To join send e-mail to cwe@mitre.org

  43. (Chart of CWE growth: PLOVER, 300 nodes (2005); CWE draft 5, 500 nodes (2006); CWE draft 7, 627 nodes (2007))

  44. Timeline of Items Enumerated and Defined in CWE (chart: # of items over time, two curves for # of Identified Items and # of “fully” Defined Items, drafts 1 through 8 marked along the timeline). Annotations: Started w/PLOVER (draft 1); Added in CLASP, 7 Kingdoms, Landwehr, OWASP, WASC, et al.; Incorporate weakness definitions from contributing organizations; Come to agreement on what the different aspects of a weakness need to be captured in the definition, then re-baseline “fully”

  45. To subscribe, see: http://cwe.mitre.org/community/registration.html or just send an email to listserv@lists.mitre.org with the command: subscribe CWE-RESEARCH-LIST

  46. Symbolic Link Following (composition): Symlink Following (CWE-61) is composed of Predictability (CWE-340), Race Condition (CWE-362), Path Equivalence (CWE-41) and Insecure directory permissions (CWE-275)

  47. Symbolic Link Following (composite), CWE-61: Symlink Following. Components: Predictability (CWE-340), Race Condition (CWE-362), ‘Loose’ Directory Permissions (CWE-275), Path Equivalence (CWE-41)
  • Filename can be predicted
  • File can be created by other party before it is opened for writing
  • File created in a shared directory with writable permissions
  • Equivalence: a symlink can act as an alternate name for a critical file
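The four bullets are conditions that must all hold, so removing any one of them breaks the composite. The following is an added example, not code from the presentation or from MITRE, that plays the composite out in a throwaway temporary directory: a naive write through a predictable name that another party has already replaced with a symlink, against a hardened write that refuses pre-existing files (`O_EXCL`) and symlinks (`O_NOFOLLOW`), and finally a creation that removes the remaining conditions with a private directory and an unpredictable name. The "critical" file, the shared directory and the planted link are constructed for the demonstration; it is POSIX only.

```python
"""The four conditions of the CWE-61 composite, shown as a naive file write
against a hardened one (added example, not part of the presentation).
Everything runs inside a throwaway temporary directory: the 'critical' file,
the shared directory and the planted symlink are constructed for the
demonstration.  POSIX only (os.symlink, O_NOFOLLOW)."""
import errno
import os
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """The vulnerable pattern: open for writing at a predictable path,
    following whatever the path currently points to."""
    with open(path, "wb") as f:
        f.write(data)


def hardened_write(path: str, data: bytes) -> None:
    """O_EXCL refuses to reuse anything already at the path (a planted link
    or file makes the call fail instead of being written through),
    O_NOFOLLOW refuses symlinks outright, and 0o600 keeps the file private.
    Failure is raised, never silently redirected."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Play the composite out once and report what each write did."""
    with tempfile.TemporaryDirectory() as tmp:
        critical = os.path.join(tmp, "critical.conf")
        with open(critical, "wb") as f:
            f.write(b"original")

        # CWE-275: a shared directory meant to be writable by others
        # (the umask may narrow the mode; the demo plants the link itself).
        shared = os.path.join(tmp, "shared")
        os.mkdir(shared, 0o777)
        # CWE-340: the application uses a predictable name inside it.
        predictable = os.path.join(shared, "app.tmp")
        # CWE-362 + CWE-41: the other party creates that name first, as a
        # symlink, so it becomes an alternate name for the critical file.
        os.symlink(critical, predictable)

        naive_write(predictable, b"clobbered")          # writes through the link
        with open(critical, "rb") as f:
            after_naive = f.read()

        try:
            hardened_write(predictable, b"never written")
            hardened_error = None
        except OSError as e:                             # EEXIST or ELOOP
            hardened_error = errno.errorcode[e.errno]

        # Removing the other conditions too: a private directory (mkdtemp
        # uses mode 0o700) and an unpredictable name created with O_EXCL.
        private = tempfile.mkdtemp(dir=tmp)
        fd, safe_path = tempfile.mkstemp(dir=private)
        with os.fdopen(fd, "wb") as f:
            f.write(b"data")
        safe_created = os.path.isfile(safe_path) and not os.path.islink(safe_path)

        return {
            "critical_after_naive": after_naive,
            "hardened_error": hardened_error,
            "safe_file_created": safe_created,
        }


if __name__ == "__main__":
    print(demo())
```

The naive write leaves the critical file reading `clobbered`, while the hardened open fails with `EEXIST` (or `ELOOP`, depending on which check the kernel applies first) and writes nothing. Note that `O_NOFOLLOW` only protects the final path component; a symlinked parent directory is still followed, which is why the last step also moves the file into a freshly created private directory.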
