
1 SwA Co-Chair and Task Lead Strategy Session Agenda
Technology, Tools and Product Evaluation Working Group Status Briefing
Co-Chair(s): Michael Kass (NIST), Larry Wagoner (NSA)
March 31, 2008

2 TT&PE Working Group Projects
– Common Weakness Enumeration (CWE)
– Common Attack Pattern Enumeration (CAPEC)
– Software Assurance Metrics and Tool Evaluation (SAMATE) Project
– OMG Software Assurance Framework and Tool Test Generation

3 CWE Draft 8 (30 Jan 08)
– Added 22 CWEs

4 Formalizing a Schema for Weaknesses
Identifying Information
– CWE ID
– Name
Describing Information
– Description
– Extended Description
– Alternate Terms
– Demonstrative Examples
– Observed Examples
– Context Notes
– Source Taxonomy
– References
– Whitebox Definition
– Blackbox Definition
– Formal Definition
Scoping & Delimiting Information
– Type
– Functional Area
– Likelihood of Exploit
– Common Consequences
– Enabling Factors for Exploitation
– Common Methods of Exploitation
– Applicable Platforms
– Time of Introduction
Prescribing Information
– Potential Mitigations
Enhancing Information
– Weakness Ordinality
– Causal Nature
– Affected Resource
– Related Attacks
– Detection Factors
– Node Relationships
– Research Gaps

5 NVD Now Maps to CWE!
The Department of Homeland Security’s National Vulnerability Database (NVD) tags vulnerabilities with CWEs.
nvd.nist.gov

6 CAPEC Status http://capec.mitre.org

7 New CAPEC Status
Attack Pattern multi-level abstraction tagging
– Levels: Meta, Standard, Detailed
– All current authored patterns (101) as well as all potential patterns in the attack taxonomy have been tagged
CAPEC description initial schema formalization
– Targeted to support security test case identification
– Updated schema complete
– 25 of the authored patterns have been fleshed out to the new schema

8 The SAMATE Project http://samate.nist.gov

9 Testing the Tools
SAMATE Reference Dataset (SRD)
– Online repository of tool tests
– Thousands of source code samples containing examples of CWEs
Discrete tests: developed by NIST, contributed by tool developers, academia and the public
Tests are based upon interpretation of a particular weakness definition (currently no formal white-box definitions)
Tests are freely available at http://samate.nist.gov/SRD

10 Automated Test Case Generation (TCG)
Funded by DHS
Part of the SAMATE effort to expand the SRD to cover as many CWEs as possible
Based upon OMG MDA Technology (MOF, UML, XMI)
– Uses formalized CWE definitions (SBVR)
Contractual Formalization that is based on the OMG standard Semantics of Business Vocabulary and Rules (SBVR), and Technical Formalization that is based on the OMG standard Knowledge Discovery Metamodel (KDM)
[Diagram labels: Formal CWE Definitions (SBVR/KDM); Tool Tests (code); Code Analysis Tool; KDM]

11 CWE Formalization
White Box Definitions: Focus on the structure patterns of the inner components and their interactions (that determine certain observable behavior)
– Provide “compliance points” that:
Describe patterns of code (as they can be directly identified in code)
Identify discernible properties of patterns of code
Enable automation
Enable direct step-by-step comparisons of the decision procedures implemented within tools

12 SAMATE and CWE Effectiveness Program
Long-term goal: To auto-generate tool tests using formal CWE definitions in collaboration with MITRE’s CWE Effectiveness program
– Provide tests “ad hoc” to tool developers
– Developers run tests against their tool
– Developers can publish test results

13 TCG: Where are we now?
TCG Status:
– Can generate tests for 3 CWEs
– 26 CWE white-box definitions for “high priority” CWEs are complete based upon their:
– Long term, TCG will cover as many CWEs as possible, with coding complexities

14 Other SAMATE Projects
Ongoing work
– Developing tests for web application scanners
– Adding to existing tests for source code security analyzers
– Performing tool effectiveness studies
New areas
– Testing binary analyzers
– The Static Analyzer Tool Exposition (SATE)
– Software transparency/pedigree information

15 NIST will be hosting the SwA Forum in October 2008
Opportunity to showcase NIST’s work in SwA
– NVD
– SAMATE
– SCADA
– Trustworthy Systems Project
– NVLAP (CC labs, Crypto Testing, Voting System Testing Laboratory Accreditation)
– NIST Special Pubs (FIPS, SP 500 and 800 series)
– Voting System Testing Project
