Critical Infrastructure Security, Threat Management, Vulnerability Management

DHS unveils new programs for software security

A group of public and private-sector organizations have teamed up to create a new risk analysis framework and scoring system aimed at helping developers and consumers improve the security of their software.

The Common Weakness Risk Analysis Framework (CWRAF), released Monday by the U.S. Department of Homeland Security, in conjunction with the SANS Institute and nonprofit government technology research contractor Mitre, offers a way for organizations to evaluate which software weaknesses pose the greatest risk to their organization.

The companion Common Weakness Scoring System (CWSS), also released Monday, is meant to help organizations prioritize unfixed vulnerabilities in their software.

Several security vendors, including Cenzic, Fortify Software and Klocwork, have already announced plans to incorporate the scoring system into their future offerings, Bob Martin, program director of Mitre, told SCMagazineUS.com on Monday.

The hope is that the scoring system will force software companies to be more candid with customers, which will result in the creation of more secure programs and better buying decisions, Alan Paller, director of research at the SANS Institute, told SCMagazineUS.com on Friday.

"You can measure the degree to which one software package is compared to another software package," he said. "It changes the way people can buy stuff. They can say, 'Before you give me any software, I'd like to see your score on this.'"

The two programs are particularly helpful because they can be used to generate customized lists of the weaknesses most critical to a particular organization, Martin said.

Retail organizations, for example, might be highly concerned about information disclosure bugs affecting their credit card processing systems. Critical infrastructure owners and operators, on the other hand, would likely be more worried about denial-of-service flaws that affect their supervisory control and data acquisition (SCADA) systems.

“Two different pieces of software supporting two different types of business have a totally different priority order for weaknesses,” Martin said.

The release of the two programs coincided with Monday's unveiling of the third-annual Top 25 list of the most dangerous software errors, developed by Mitre and the SANS Institute in collaboration with top security experts in the United States and Europe.

SQL injection took the top spot this year -- moving up from No. 2 in 2010 -- as the most dangerous software error.

Such flaws were responsible for the compromises of a number of high profile organizations recently, such as Sony Pictures, PBS and security firm HBGary Federal.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds