The Department of Homeland Security, together with two big names in the nonprofit cybersecurity world, released new tools Monday designed to help organizations eliminate common software vulnerabilities.
As part of its campaign to get software creators to build security into their systems from the beginning instead of patching problems after they happen, DHS, together with the MITRE Corporation and the SANS Institute, is trying to translate the wealth of knowledge the software development community already has about existing threats into actionable to-do lists that could head off future exploits.
The new tools build on the Common Weakness Enumeration (CWE), a project DHS and MITRE began sponsoring jointly in 2005. CWE was designed to create a global dictionary of common software vulnerabilities along with directions for fixing them, and its developers released a new 2.0 version of the dictionary Monday.
But CWE’s backers believe they can make their threat definition process more useful to individual organizations, particularly to organizational leaders who may not necessarily know all the technical ins-and-outs of writing code and designing databases.
One of the tools, the Common Weakness Scoring System (CWSS), is intended to address the fact that an individual software release might have thousands of “bugs,” but not all of them are necessarily dangerous. Rather than merely identifying the fact that a chunk of computer code could have been written more securely, it will use a community-based system to assign a “score” to the vulnerability so agencies and businesses can do a better job of setting their secure programming priorities.
“Without that, you can’t tell a programmer to do anything,” said Alan Paller, director of research at the SANS institute, which works with DHS and MITRE on the CWE project. “If you just give him a list of 860 things, he just throws the list away. If you’re ever going to change things so that writing secure software matters, this is an essential moment in making that happen.”
A second program, the Common Weakness Risk Analysis Framework (CWRAF), aims to let organizations do a better job of deciding for themselves what vulnerabilities are relevant to their own mission or business area. It lays down a model to let an agency or company make its own list of top potential vulnerabilities based on the line of work it’s involved in and what types of technology it uses.
The approach is intended to help organizations figure out more precisely what attacks they’re most vulnerable to and to address them, rather than simply instructing their programmers and vendors that they want “secure software.”
“There’s no incentive system right now that touches the programmer, because by the time the error is discovered it’s so far removed from the development process,” Paller said. “If you’re going to focus programmers on (security), you have to give them a couple things. You have to tell them what to look for, and then you have to give them a way to look for it that doesn’t consume them and take the rest of their life. And you can’t say, ‘this one really matters,’ when one person is writing embedded software on an (industrial control) system, and someone else is writing a Web application. Their values are different.”
Bob Martin, MITRE’s project director for CWE, said the framework will let organizations take the scores that are developed for software vulnerabilities and translate them into something meaningful for the mission or business area they work in. The site will include examples of lists for different business areas, but he said the success of the project will depend on organizations sharing their own “vignettes” with the rest of the community as they use the system.
“Some people have a real problem with denial-of-service issues, others with file integrity, others with ability to read memory or write memory, and different industries have different ones of those as the number one issue,” he said. “CWSS and CWRAF are meant to allow that difference to be communicated either to tools or to ordering of lists so you can put the right terms and conditions on contracts. You can have the right training focus, and you can have the right emphasis in your testing.”
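As an added illustration of the CWRAF idea that different business areas weight the same technical impacts differently (example code written for this article, not MITRE's actual CWSS or CWRAF scoring formulas; the findings, impact names, vignettes and weights are constructed and hypothetical):

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A weakness finding as a scanner might report it: the CWE it maps to,
# where it was found, and which technical impacts the weakness can cause.
@dataclass(frozen=True)
class Finding:
    cwe_id: str
    location: str
    impacts: Tuple[str, ...]

# Constructed sample findings (not from any real code base).
FINDINGS: List[Finding] = [
    Finding("CWE-89", "orders/search.py:42", ("read_data", "modify_data")),
    Finding("CWE-400", "api/upload.py:17", ("denial_of_service",)),
    Finding("CWE-125", "codec/parse.c:210", ("read_memory",)),
    Finding("CWE-787", "codec/parse.c:233", ("write_memory", "execute_code")),
]

# Hypothetical "vignettes": how much each business area cares about each
# technical impact, on a 0.0-1.0 scale. A web application worries most about
# data disclosure; an industrial control operator worries most about outages.
VIGNETTES: Dict[str, Dict[str, float]] = {
    "web_app": {"read_data": 1.0, "modify_data": 0.9, "execute_code": 0.8,
                "denial_of_service": 0.5, "write_memory": 0.4, "read_memory": 0.3},
    "industrial_control": {"denial_of_service": 1.0, "execute_code": 0.95,
                           "write_memory": 0.9, "modify_data": 0.6,
                           "read_memory": 0.4, "read_data": 0.2},
}

def score(finding: Finding, vignette: Dict[str, float]) -> float:
    """Score a finding by the worst consequence this business area assigns
    to any of its technical impacts (unknown impacts weigh 0.0)."""
    return max(vignette.get(impact, 0.0) for impact in finding.impacts)

def rank(findings: List[Finding], area: str) -> List[Finding]:
    """Order findings for one business area, highest-priority first, so the
    same raw list yields a different to-do order per vignette."""
    vignette = VIGNETTES[area]
    return sorted(findings, key=lambda f: score(f, vignette), reverse=True)

def top_cwe(area: str) -> str:
    """The CWE a given business area should fix first."""
    return rank(FINDINGS, area)[0].cwe_id

if __name__ == "__main__":
    for area in VIGNETTES:
        ordered = [(f.cwe_id, score(f, VIGNETTES[area])) for f in rank(FINDINGS, area)]
        print(area, ordered)
```

The same four findings come out in a different order for each vignette, which is the point Martin makes about tailoring lists, contracts and testing emphasis to the business area.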
But even if organizations all have their own cybersecurity differences, there are a lot of common threads. That was emphasized in another release from MITRE and SANS Monday, when the groups updated their list of the top 25 most dangerous software errors.
Topping the list this year is the SQL injection vulnerability that the online hacker group LulzSecurity, which said it had disbanded this weekend, used to break into several government and private-sector systems.
“I would say one of the reasons is that this vulnerability is so easy to exploit and you can have automated ways of finding susceptible systems,” Martin said. “Everybody’s trying to take advantage of it before people wise up and close it. It’s this ease of exploit, ease of discovery and awareness of how widespread it is.”
MITRE and DHS are hoping businesses and agencies will use the tools to bake security into their products during the initial development process, since weak software is at the root of most successful cyber attacks.
Joe Jarzombek, director for software assurance in DHS’ national cybersecurity division, said CWE projects could also help eliminate some of the excuses organizations offer for running badly written software.
“We’re hearing more and more about zero-day attacks. Let’s be honest. That’s a nice way of blaming somebody else for the fact that you’ve always had exploitable flaws on your network,” he said. “It’s kind of like when your home’s broken into and they came in through the back porch screen door. No one’s ever done that before, so you claim it as a zero-day attack. But that was always exploitable. What we’re doing is allowing organizations to be more proactive, and get away from the victim mentality that says ‘it’s just software, I can’t do anything about it.’ You can do something about it, and that’s the message we’re trying to change in here.”
DHS is trying to make some changes in federal agencies. This month’s update to the guidance agencies are given on complying with reporting requirements under the Federal Information Security Management Act (FISMA) includes a requirement to report the use of CWE programs. DHS has also begun circulating sample contract language to help agencies press vendors to use CWE.