1. ™ ™ © 2006, KDM Analytics Software Assurance Ecosystem and its Applications Djenana Campara Chief Executive Officer, KDM Analytics Board Director, Object Management Group (OMG) Co-Chair Software Assurance and Architecture Driven Modernization, OMG

2. ™ © 2007, KDM Analytics Agenda Software Assurance Definition - OMG and Government Initiative The Assurance Case Software Assurance Ecosystem Introduction and Current State Enabling Technologies ISO/OMG Tooling Standards Detailed View of the Ecosystem Software Assurance Ecosystem in Action

3. ™ © 2007, KDM Analytics Software Assurance

4. ™ © 2007, KDM Analytics Software Assurance Definition The justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the lifecycle” [National Defense Industrial Association -NDIA]. Basic Principals For each software artifact of interest, there exist a set of claims (generally related to safety and security) about the software artifact, a set of facts (collectively called evidence) about the software artifact, and a set of assurance arguments that use the evidence to show that the software artifact does, in fact, satisfy the claims. The Justified Confidence is presented through Assurance Case: set of auditable claims, arguments and evidence created to support the contention that a defined system/service will satisfy the particular requirements through supporting arguments and evidence

5. ™ © 2007, KDM Analytics Assurance Case: Claims, Arguments & Evidence Exchanged Among SwA Participants Procurement agency Certification agency Audit agency Software Supplier Software Integrator Courts of lawLegislators Software Tool Vendor Insurance organizations Claims Arguments Evidence Consumers

6. ™ © 2007, KDM Analytics Delivering Software Assurance: Delivering System Predictability and Reducing Uncertainty Software Assurance (SwA) is 3 step process 1. Specify Assurance Case Enable supplier to make bounded assurance claims about safety, security and/or dependability of systems, product or services 2. Obtain Evidence for Assurance Case perform software assurance assessment to justify claims of meeting a set of requirements through a structure of sub-claims, arguments, and supporting evidence Collecting Evidence and verifying claims’ compliance is complex and costly process 3. Use Assurance Case to calculate and mitigate risk Exam non compliant claims and their evidence to calculate risk and identify course of actions to mitigate it Each stakeholder will have own risk assessment – e.g. security, liability, performance, compliance Currently, SwA 3 step process is informal, subjective & manual due to lack of comprehensive tooling and formalized specifications

7. ™ © 2007, KDM Analytics The Software Assurance Ecosystem – achieving more objectivity and automation

8. ™ © 2007, KDM Analytics The Software Assurance Ecosystem: Turning Challenge into Solution SwA Ecosystem is a formal framework for analysis and exchange of information related to software security and trustworthiness Provides a technical environment where formalized claims, arguments and evidence can be brought together with formalized and abstracted software system representations to support high automation and high fidelity analysis. Based entirely on ISO/OMG Open Standards Semantics of Business Vocabulary and Rules (SBVR) Knowledge Discovery Meta-model (KDM) Software Assurance Meta-model (SAM) – work in progress Software Assurance Evidence Metamodel submissions received Software Assurance Claims & Arguments Metamodel RFP in progress Architected with a focus on providing fundamental improvements in analysis

9. ™ © 2007, KDM Analytics Leveraging what we already have through SwA Ecosystem Software Assurance Ecosystem enables industry and government to leverage and connect existing policies, practices, processes and tools, in an affordable and efficient manner The key enabler is the Software Assurance (SwA) Ecosystem Infrastructure an open standard-based integrated tooling environment that dramatically reduces the cost of software assurance activities Integrates 3+1 different communities: Formal Methods, Reverse Engineering and Static Analysis, and Dynamic Analysis for a SwA solution Enables different tool types to interoperate Introduces many new vendors to ecosystem because they each leverage parts of the tool chain

10. ™ © 2007, KDM Analytics Process, People, documentation Evidence Software System / Architecture Evaluation  Many integrated & highly automated tools to assist evaluators  Claims and Evidence in Formal vocabulary  Combination of tools and ISO/OMG standards  Standardized SW System Representation In KDM  Large scope capable (system of systems)  Iterative extraction and analysis for rules Executable Specifications Formalized Specifications Software system Technical Evidence Software System Artifacts Requirements/Design Docs & Artifacts Hardware Environment Process Docs & Artifacts Process, People & Documentation Evaluation Environment Some point tools to assist evaluators but mainly manual work Claims in Formal SBVR vocabulary Evidence in Formal SBVR vocabulary Large scope requires large effort IA Controls Protection Profiles CWE Claims, Arguments and Evidence Repository - Formalized in SBVR vocabulary - Automated verification of claims against evidence - Highly automated and sophisticated risk assessments using transitive inter- evidence point relationships Software Assurance Ecosystem: The Formal Framework The value of formalization extends beyond software systems to include related software system process, people and documentation Reports Risk Analysis, etc)

11. ™ © 2007, KDM Analytics The Software Assurance Ecosystem in Action

12. ™ © 2007, KDM Analytics From CWE Taxonomy to CWE Executable Specification Taxonomy Formalized Specification Executable Specification

13. ™ © 2007, KDM Analytics Developers Automated Analysis of: Quality defects SW reliability defects Security vulnerabilities Security policies Design rules Architecture rules Security Engineering Management T&E Software Architects Development Management Information Value Chain Feedback Loop through Customized Reporting Visibility into Best Practices implementation in software lifecycle Security Analysis supporting security policies & risk management (Security Engineering and Audit) Assessment based on established Assurance Case (quality, reliability, security) Architecture understanding, architecture robustness & rules Reporting on Policies/ Rules violations Policies/Rules Creation & Administration Continuous Assurance: Integrated within SDLC control points Policy enforcement on Data  - Data discovered in context developer code System watchdog: continuous integration to verify that nothing is sneaking into the delivery software stream Executable Specifications

14. ™ © 2007, KDM Analytics The Open standard-based SwA ecosystem can be leveraged to increase deployability of tested applications. The following are workflow and steps for established “sw vulnerability assurance case”: use of software assurance tools to perform CWE-based analyzes of application increase accuracy through building and applying exploit testing where weakness identified provide virtual patches to mitigate effect of vulnerabilities package application and virtual patch into deployable solution creating WIN-WIN situation for both supplier and consumer Perform Binary extraction into KDM Perform CWE Analysis Build exploits for found vulnerabilities Test Executable using exploits Use Virtual patching to mitigate vulnerabilities Test Executable using virtual patches Package Executable with virtual patches for deployment Typical Lab Operation Report Vulnerabilities found Addition of Exploit Generation and Testing Addition of Virtual Patching Two Bad Choices for suppliers: Go back and fix vulnerabilities or, deploy and expose outstanding vulnerabilities to community Removes false positives so that more accurate info goes back to supplier & generate virtual patch Best Choice for Suppliers and consumers: Go back and fix vulnerabilities and, safe deploy with virtual patches and NOT expose outstanding vulnerabilities 3rd Party Evaluation of Applications – LAB Environment