For the Nation’s critical infrastructure to be reliable, resilient, robust, and secure, the software supporting it must also have the same qualities.Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services.Additionally, a broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depend on secure, reliable software. It is estimated that 90 percent of reported security incidents result from exploits against defects in the design or build of software. In order to ensure system reliability, integrity, and safety, it is critical to include provisions for built-in security of the enabling software. Until recently, the absence of a common measure for software weaknesses has limited the software industry’s ability to assess and remediate exploitable software flaws.By enabling interoperability among tools and automation of risk mitigation measures, organizations can achieve consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices; enabling better informed decision-making for the development and acquisition of more resilient software products and services.Workshop participants will get the opportunity to construct one or more “vignettes” for their specific business domains.
Cloud Computing is a game-changing technology that also changes the types and management of business risks. Learn how to deal with the unique set of challenges presented by measuring and assessing these risks.Also learn how to avoid making the “Top 25 Most Dangerous Software Errors” by working with various application development teams through the SDLC.The audience will see real exploitation scenarios that were made possible by the smallest of errors that manifested themselves during testing.Find out how organizations can use these measurement tools to set priorities and make practical risk-based decisions.
The following are the abstracts for the individual presenters:
Software Assurance Track for QAAM – Joe Jarzombek (DHS) For the Nation’s critical infrastructure to be reliable, resilient, robust, and secure, the software supporting it must also have the same qualities.Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services.Additionally, a broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depend on secure, reliable software. It is estimated that 90 percent of reported security incidents result from exploits against defects in the design or build of software. Therefore, ensuring the integrity and resiliency of software is vital to protecting the infrastructure from threats which target software vulnerabilities, and reducing overall risk from cyber-attacks. In order to ensure system reliability, integrity, and safety, it is critical to include provisions for built-in security of the enabling software.
Standards and Guidance for Secure Organizational Processes - Paul Croll (CSC)
This presentation addresses standards and guidance for secure organizational processes.It begins with a discussion of the differences between System and Software Assurance and Information Assurance, and describes the system and software assurance problem. The presentation also describes the governance context for assurance, including the myriad of policy and guidance documents, and discusses governance in the engineering life cycle. It provides an overview of the commonly used standards for system and software assurance and how they might enhance organizational processes.It also describes additional guidance documents that may be obtained at no cost.These documents provide in-depth information on system and software engineering practices. Lastly, a strategy is presented for rationalizing governance, engineering practice, and engineering Economics.
Measure Software Security – Bob Martin (MITRE)
Until recently, the absence of a common measure for software weaknesses has limited the software industry’s ability to assess and remediate exploitable software flaws.The Common Weakness Enumeration (CWE) is a key initiative sponsored by DHS NCSD SwA program with additional funds from the Department of Defense (primarily through the National Security Agency).CWE represents a joint effort of the US Federal Government and the software stakeholder community with MITRE providing technical leadership and project coordination.CWE is a standardized dictionary used in diagnosing exploitable software faults and reporting findings; enabling interoperability among tools and automation of risk mitigation measures.Over 840 software weaknesses have been identified and catalogued, and 49 software diagnostic tools and services offer CWE-compatible capabilities.
Risk Analysis and Measurement with Common Weakness Enumeration (CWE) – Richard Struse (DHS) and Bob Martin (MITRE)
To better enable software stakeholders to reduce risks attributable to the most significant exploitable software errors relevant to specific business/mission domains and technologies, DHS NCSD SwA program has sponsored the development of the Common Weakness Risk Analysis Framework (CWRAF) that uses the Common Weakness Scoring System (CWSS) scoring criteria with CWE to provide consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices; enabling better informed decision-making for the development and acquisition of more resilient software products and services.
CWRAF enables more targeted specification of “Top-N” CWE lists that are relevant to specified technologies used within specific business domains.In the past, the Top 25 CWE lists have represented community collaboration efforts to prioritize the most exploitable constructs that make software vulnerable to attack or failure. Now, with CWRAF business domains can use the scoring criteria with CWE to identify exploitable software fault patterns that are most significant to them in specific technologies:web applications, control systems, embedded systems, end-point computing devices, operating systems, databases, storage systems, enterprise system applications, and cloud computing services.In this workshop, participants will construct one or more CWRAF “vignettes” for specific business domains.As each vignette is built and refined, we will automatically recalculate the scores for the entire CWE database, allowing participants to understand how the decisions made during vignette definition affect the assessment of risk for individual weaknesses.Input from attendees will be used to continue to refine the concepts in CWRAF and identify business domains and technology areas that would benefit from CWRAF.
SwA and the Cloud – Counting the risks - Andy Murren (Deloitte & Touche LLP) As organizations move to Cloud Computing the types and management of business risks changes. Measuring and assessing these risks presents a unique set of challenges.This presentation will cover the basic Cloud Computing service models and examine some business risks the resulting measurement and assessment methods organizations need to address.
·What is the impact on the organization’s risk exposure and responsibilities? ·Are some of the risks associated with insecure design, code, and system configuration actually decreased or just transferred to other organizations? ·What steps should the organization take to reasonably manage those risks? ·Understand features of different Cloud Computing environments ·Integrate Cloud specific considerations into their SDLC and software management governance model ·How QA and Test professionals should consider extending their roles to better address “reliability, resilience, robustness, and security.”
Improve your SDLC with CAPEC and CWE - Paul Nguyen (Knowledge Consulting Group)
How can organizations improve their SDLC approaches with CAPEC and CWE?Specifically, Mr. Nguyen will share how to avoid making the “Top 25 Most Dangerous Software Errors” and lessons learned from working with various application development teams through the SDLC.He will also provide real-world examples of how organizations can use these measurement tools to set priorities and make practical risk-based decisions.The audience will see real exploitation scenarios that were made possible by the smallest of errors that were a result of translation issues early in the lifecycle but manifested themselves during in-depth application penetration testing.
Software Assurance Panel and Wrap-Up
The speakers will interact to highlight the strengths and weaknesses of the methods and practices presented today.Attendees can ask speakers to contrasts their perspectives in order to understand what lessons best apply to the attendees.Do the practitioners appreciate the benefits and products from the theoreticians and modelers?What will it take to make all this work and produce tangible results? How far are we from a Software Assurance marketplace with automated tools we can use?
Joe Jarzombek, Director for Software Assurance, National Cyber Security Division, U.S. Department of Homeland Security The National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security (DHS)
Joe works collaboratively with public, private, and international entities to secure cyberspace and America’s cyber assets.To protect the cyber infrastructure, NCSD has identified two overarching objectives:
To build and maintain an effective national cyberspace response system
To implement a cyber-risk management program for the protection of critical infrastructure
In his role as Director for Software Assurance, Joe leads government interagency public/private collaboration efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in work force education and training, more comprehensive diagnostic capabilities, software security automation, and security-enhanced development and acquisition practices. Joe served in the U.S. Air Force as a Lieutenant Colonel in program management.After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering. Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position. Paul Croll – Fellow at CSC
Paul Croll is a Fellow in CSC’s Defense Group, where he is responsible for researching, developing and deploying systems and software engineering practices for cybersecurity.Paul also serves as Chief Scientist for CSC’s Defense & Maritime Enterprise Technology Center. Paul has over thirty-five years’ experience in mission-critical systems and software engineering.His experience spans the full life cycle and includes requirements specification, architecture, design, development, verification, validation, test and evaluation, and sustainment for complex systems and systems-of-systems.He has brought his skills to high profile, cutting edge technology programs in areas as diverse as surface warfare, air traffic control, computerized adaptive testing, and nuclear power generation.
In his role as the Industry Co-Chair of the National Defense Industrial Association (NDIA) System Assurance Committee, Paul is one of the three cosponsors (along with two Department of Defense [DoD] colleagues) of the recently released NDIA/DoD guidebook on Engineering for System Assurance.He is also the co-chair of the Department of Homeland Security’s Software Assurance Forum Processes and Practices Working Group, which has produced several software assurance guidebooks and web content, and is actively engaged in the standardization of software assurance processes.In addition, Paul is a member of the Technical Advisory Panel for the U.S. National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) program.
Paul has represented CSC for over a decade through leadership positions in national and international industry and professional organizations. These positions include IEEE Computer Society Vice President for Technical and Conference Activities, overseeing the work of over sixty Technical Committees on all aspects of computing and over two hundred conferences; Chair of the IEEE Software and Systems Engineering Standards Committee; as well as Vice Chair of the ISO/IEC JTC1/SC7,(Software and Systems Engineering) U.S. Technical Advisory Group. Bob Martin - Principal Engineer at MITRE Bob is a Principal Engineer at MITRE, a company that works in partnership with the government to address issues of critical national importance. For the past 18 years, Robert's efforts focused on the interplay of risk management, cyber security, and quality assessment. The majority of this time has been spent working on the CVE, OVAL, MAEC, CAPEC and CWE security standards initiatives in addition to basic quality measurement and management. Robert is a frequent speaker on the various security and quality issues surrounding information technology systems and has published numerous papers on these topics. Robert joined MITRE in 1981 with a BS and MS in EE from RPI, later he earned an MBA from Babson College. He is a member of the ACM, AFCEA, IEEE, and the IEEE Computer Society. Richard J. Struse, Deputy Director for Software Assurance, National Cyber Security Division, U.S. Department of Homeland Security Richard is the Deputy Director for Software Assurance in the Department of Homeland Security’s National Cyber Security Division where he oversees efforts relating to the automation of Software Assurance.Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extremely high-reliability communications software platform that is in use in telecommunications systems around the world.He began his technical career at Bell Laboratories where his work focused on tools to automate software development and the UNIX operating system. Andrew Murren –Manager, Deloitte & Touche LLP Andy is a Manager with Security & Privacy Services Group of Deloitte & Touche LLP. He has over 16 years of experience in the field of Information Technology, Information Systems Security and he is a Certified Information Systems Security Professional (CISSP).Andy has extensive experience in the realm of Information Security and risk management; his areas of expertise include Information Security Assurance, Application Assessment, Secure Application Development and Secure Network Architecture Design and Implementation.He specializes in security assessments and secure software lifecycle. Paul Nguyen - Vice President of Cyber Solutions for Knowledge Consulting Group Mr. Nguyen currently serves as the Vice President of Cyber Solutions for Knowledge Consulting Group where he advises federal Chief Information Officers (CIO) and CISOs on various cybersecurity issues.He is also a former software developer in a CMM Level 5 organization, former CISO of the U.S. Court Services and Supervision Agency, and attack/exploitation practitioner with renowned firms such as @stake and Neohapsis.His perspectives in these various roles provide insight into the mindset of the stakeholders who affect application security.Mr. Nguyen holds a Bachelor’s of Science in Business Administration, Finance from Carnegie Mellon University and a Master’s of Science in Information Technology Management from Carnegie Mellon University.He also holds certifications for Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified in Governance and Enterprise IT (CGEIT).