Understanding How They Attack Your Weaknesses: CAPEC

The presentation
By learning to think more like attackers, we gain a better understanding of how to defeat their methods. The Common Attack Pattern Enumeration and Classification (CAPEC™) initiative is a community-driven software security effort to create a publicly available catalog of attack patterns. At the core of CAPEC is the concept of an "Attack Pattern," a powerful mechanism for capturing and codifying various approaches to cyber attack, including the detailed, action-oriented attack execution flow, the capability and motivation of the attacker, the context within which the attack is possible, the weaknesses targeted by the attack, a characterization of the typical impact of a successful attack, and recommended mitigations to prevent or decrease the impact of the attack. This talk will serve as an overview of the CAPEC project to date and showcase the various use cases for CAPEC in software development, testing, architecture analysis, and secure operations.

Sean Barnum
Sean Barnum is a Software Assurance Principal at The MITRE Corporation where he acts as a thought leader and senior advisor on software assurance and cyber security topics to a wide variety of government sponsors throughout the national security, intelligence community and civil domains. He has over 24 years of experience in the software industry in the areas of development, software quality assurance, quality management, process architecture & improvement, knowledge management and security. He is a frequent contributor, speaker and trainer for regional and national software security and software quality publications, conferences & events. He is very active in the software assurance community and is involved in numerous knowledge standards-defining efforts including the Common Weakness Enumeration (CWE), the Common Attack Pattern Enumeration and Classification (CAPEC), the Software Assurance Findings Expression Schema (SAFES), the Malware Attribute Enumeration and Characterization (MAEC) and other elements of the Software Assurance Programs of the Department of Homeland Security, Department of Defense and NIST. He is coauthor of the book "Software Security Engineering: A Guide for Project Managers", published by Addison-Wesley. He serves as the official liaison between ISO/IEC JTC 1/SC 27/WG 3 and the Cyber-Security Naming & Information Structures Group. He also acted as the lead technical subject matter expert for design and implementation of the Air Force Application Software Assurance Center of Excellence (ASACoE).