Tagging Your Code with a Useful Assurance Label

Wednesday, November 20 • 4:00 pm - 4:50 pm

With so many ways for software to be vulnerable, businesses need a way to focus their assurance efforts on those potential vulnerabilities that are most dangerous to them and their software. This talk will offer a new way to focus and organize your software vulnerability assessment and assurance efforts across the entire life cycle of a project so that you target the most impactful weaknesses when they are most visible. The approach can be applied consistently across your enterprise and will have you looking for specific weaknesses at the point where you can gain the most assurance that you have dealt with them successfully. Matched to the activities of your development effort, this approach will have your team looking for those security weaknesses (CWEs) that are most discernible and findable in each of the different stages of a software development effort. For example, when you have a live exemplar system available you should look for the weaknesses in design, configuration, code, or architecture that are findable through dynamic analysis, pen testing, or red teaming of that living system. Similarly, in the coding phase you want the emphasis to be on weaknesses that are findable by static analysis tools. The follow-on step to this approach is to use what you found and what you did to create "An Assurance Tag for Binaries", basically an assurance "food label" for the code of that project. This talk will conclude with a discussion of what such a tag could look like, what it could capture, how the information could be obtained, who would or could create them, and how they could be represented for humans and machines to use.
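The abstract describes two steps: match each CWE to the life-cycle phase and method where it is most findable, then roll up what was examined and found into a machine-readable "assurance tag". The following Python module is an added illustration of that idea, not code from the talk or from MITRE, and the tag layout is one hypothetical shape since the talk leaves the format open. The coding and live-system phase-to-method pairings follow the abstract; the design-phase methods, the tool labels, the CWE-to-method assignments and the sample project data are constructed assumptions.

```python
"""Hypothetical assurance-tag builder (added example, not from the talk).

Assumes: a project-specific list of target CWE IDs, and a log of assessment
activities, each recording the SDLC phase it ran in, the method used, the
CWEs that method actually examined, and the subset it found. The phase-to-
method pairings follow the abstract (static analysis during coding; dynamic
analysis, pen testing and red teaming against the live system); the
design-phase methods, the tool names and the CWE assignments are
illustrative assumptions, and the tag layout is one possible shape.
"""
import json
from dataclasses import dataclass

# Which detection methods are expected in which phase.  The coding and
# live-system rows follow the abstract; the design row is an assumption.
PHASE_METHODS = {
    "design": {"design-review", "threat-modeling"},
    "coding": {"static-analysis"},
    "live-system": {"dynamic-analysis", "pen-test", "red-team"},
}


@dataclass(frozen=True)
class Activity:
    """One assessment activity and the weaknesses it was able to examine."""
    phase: str
    method: str
    tool: str                            # hypothetical tool/team label
    cwes_examined: frozenset             # CWE IDs the method can surface
    cwes_found: frozenset = frozenset()  # examined CWEs actually found


def cwe_number(cwe_id):
    """Sort key so 'CWE-79' orders before 'CWE-120'."""
    return int(cwe_id.split("-")[1])


def validate(activity):
    """Reject activities whose method does not fit the phase it claims."""
    if activity.phase not in PHASE_METHODS:
        raise ValueError(f"unknown phase: {activity.phase}")
    if activity.method not in PHASE_METHODS[activity.phase]:
        raise ValueError(f"{activity.method} is not a {activity.phase}-phase method")
    if not activity.cwes_found <= activity.cwes_examined:
        raise ValueError("a CWE cannot be found without being examined")


def build_tag(project, version, target_cwes, activities):
    """Aggregate activities into a tag: per-CWE evidence, gaps and a ratio."""
    target_cwes = frozenset(target_cwes)
    coverage = {cwe: [] for cwe in sorted(target_cwes, key=cwe_number)}
    for activity in activities:
        validate(activity)
        for cwe in activity.cwes_examined & target_cwes:
            coverage[cwe].append({
                "phase": activity.phase,
                "method": activity.method,
                "tool": activity.tool,
                "found": cwe in activity.cwes_found,
            })
    covered = {cwe for cwe, evidence in coverage.items() if evidence}
    ratio = len(covered) / len(target_cwes) if target_cwes else 1.0
    return {
        "project": project,
        "version": version,
        "target_cwes": sorted(target_cwes, key=cwe_number),
        "coverage": coverage,
        "gaps": sorted(target_cwes - covered, key=cwe_number),
        "coverage_ratio": round(ratio, 2),
    }


def example_tag():
    """Constructed sample input: one project assessed across two phases."""
    target = {"CWE-79", "CWE-89", "CWE-120", "CWE-287", "CWE-306", "CWE-798"}
    activities = [
        Activity("coding", "static-analysis", "sast-tool-A",
                 frozenset({"CWE-79", "CWE-89", "CWE-120", "CWE-798"}),
                 frozenset({"CWE-89"})),
        Activity("live-system", "dynamic-analysis", "dast-tool-B",
                 frozenset({"CWE-79"})),
        Activity("live-system", "pen-test", "red-team-C",
                 frozenset({"CWE-79", "CWE-89", "CWE-287"})),
    ]
    return build_tag("example-app", "1.4.2", target, activities)


if __name__ == "__main__":
    print(json.dumps(example_tag(), indent=2))
```

Running the module prints the tag as JSON; in the constructed sample, CWE-306 appears under `gaps` because no activity in either phase examined it, which is the kind of blind spot a "food label" for a binary is meant to make visible to a downstream consumer. The `validate` step is the point a practitioner would want: an activity that claims a pen-test result during the coding phase, or a "found" CWE that was never examined, is rejected rather than silently counted as assurance.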
Speaker:
Robert Martin

Robert joined the MITRE Corporation in 1981 after earning a bachelor's degree and a master's degree in electrical engineering from Rensselaer Polytechnic Institute; he subsequently earned a master's of business degree from Babson College. He is a member of the ACM, AFCEA, IEEE, and the IEEE Computer Society. He is an avid kayaker, photographer, and scuba diver.

Robert is the primary point of contact for industry engagement for MITRE's various information security standardization efforts, collectively referred to as "Making Security Measurable", including CVE, OVAL, CWE, CAPEC, CybOX, STIX, and MAEC. He is the project leader for CWE and CAPEC and is also responsible for coordinating the Compatibility and Adoption efforts for the full set. For the past 22 years, Robert's efforts have been focused on the interplay of risk management, cyber security, quality assessment and the use of software-based technologies. The Common Vulnerabilities and Exposures (CVE) and Open Vulnerability Assessment Language (OVAL) Initiatives, which Robert has helped lead for the last 14 years, are two international, community-based efforts among industry, government, and academia that form two of the foundational elements of the US Government's Security Content Automation Protocol (SCAP). These initiatives are transforming the way enterprises deal with securing their infrastructure and work with vendors. More recently Robert started industry-wide efforts to bring the same type of standardization of names and definitions to the world of software security issues in software source code, software design, and software architecture, as well as to understanding and sharing how software systems are attacked and how we can better discuss, describe and share information about malware. The Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Characterization (CAPEC), and Malware Attribute Enumeration and Characterization (MAEC) efforts are part of the Department of Homeland Security and Department of Defense Software Assurance initiative and are being adopted by the bulk of the tool industry and educational providers working in this area, as well as being the foundation for work at NIST, DHS, NSA, and OSD.
These recent efforts, along with the previous work, are being adopted throughout industry and government as well as internationally, and are being incorporated into OpenGroup, OMG, ITU and ISO standards efforts.