OWASP AppSec DC 2012/Risk Analysis and Measurement with CWRAF

The Presentation
To better enable software stakeholders to reduce risks attributable to the most significant exploitable software weaknesses relevant to specific business/mission domains and technologies, the DHS NCSD SwA program sponsored the development of the Common Weakness Risk Analysis Framework (CWRAF). CWRAF uses the Common Weakness Scoring System (CWSS) scoring criteria together with CWE to provide consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices, enabling better informed decision-making and the acquisition of more resilient software products and services. CWRAF enables targeted "Top-N" CWE lists that are relevant to the technologies used within specific business domains. Past Top 25 CWE lists have represented community collaboration efforts to prioritize the most exploitable constructs that make software vulnerable to attack or failure. Now, with CWRAF, business domains can use the scoring criteria with CWE to identify the exploitable weaknesses that are most significant to them, given what their software does for their business.

The Common Weakness Enumeration (CWE) defines a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that detect weaknesses in software. To encourage and recognize the use of CWEs, MITRE has established the CWE Compatibility and Effectiveness Program. Phases 1 and 2 of the program establish that tool warnings accurately map to CWEs. Phase 3 establishes which CWEs a tool (or capability) can identify and locate via testing. In this session, we propose (1) ideas on what constitutes acceptable fundamental and broad test sets for Phase 3, and (2) that the SAMATE Reference Dataset (SRD) be the repository and access point for such test sets.

The CWE Coverage Claims Representation (CCR) is a lightweight schema that allows a software analysis tool and/or service provider to state claims as to which CWEs their technology or process can discover. This session is targeted at tool/service vendors and tool/service consumers, with the goal of refining the CCR model for public release. Issues to be addressed include the specificity of claims, "anti-claims," and key use cases for CCR.