DHS unveils new programs for software security

A group of public and private-sector organizations have teamed up to create a new risk analysis framework and scoring system aimed at helping developers and consumers improve the security of their software.

The Common Weakness Risk Analysis Framework (CWRAF), released Monday by the U.S. Department of Homeland Security, in conjunction with the SANS Institute and nonprofit government technology research contractor Mitre, offers a way for organizations to evaluate which software weaknesses pose the greatest risk to their organization.

The companion Common Weakness Scoring System (CWSS), also released Monday, is meant to help organizations prioritize unfixed vulnerabilities in their software.

Several security vendors, including Cenzic, Fortify Software and Klocwork, have already announced plans to incorporate the scoring system into their future offerings, Bob Martin, program director of Mitre, told SCMagazineUS.com on Monday.

The hope is that the scoring system will force software companies to be more candid with customers, which will result in the creation of more secure programs and better buying decisions, Alan Paller, director of research at the SANS Institute, told SCMagazineUS.com on Friday.

"You can measure the degree to which one software package is compared to another software package," he said. "It changes the way people can buy stuff. They can say, 'Before you give me any software, I'd like to see your score on this.'"

The two programs are particularly helpful because they can be used to generate customized lists of the weaknesses most critical to a particular organization, Martin said.

Retail organizations, for example, might be highly concerned about information disclosure bugs affecting their credit card processing systems. Critical infrastructure owners and operators, on the other hand, would likely be more worried about denial-of-service flaws that affect their supervisory control and data acquisition (SCADA) systems.

“Two different pieces of software supporting two different types of business have a totally different priority order for weaknesses,” Martin said.
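The point Martin makes, that one set of weaknesses gets a different priority order under two business contexts, can be shown with a small constructed model. The code below is an added illustration and is not code from Mitre, SANS or DHS, and its scoring rule is a deliberately simplified stand-in for the idea behind CWSS and CWRAF, not the published CWSS formula: each finding has a constructed base severity, and a business-context profile (here called a vignette, with constructed weights for technical-impact types and affected components) scales it. The CWE ids, components and weights are all sample values chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample findings (illustrative only): the CWE each maps to, its
# dominant technical impact, the component it was found in, and a constructed
# base severity on a 0..10 scale.
@dataclass(frozen=True)
class Finding:
    cwe: str
    name: str
    impact: str      # "read_data", "modify_data", "execute_code", "denial_of_service"
    component: str
    base: float      # constructed base severity, 0..10

FINDINGS = [
    Finding("CWE-89", "SQL injection", "read_data", "card-processing", 9.0),
    Finding("CWE-200", "Information exposure", "read_data", "card-processing", 5.0),
    Finding("CWE-79", "Cross-site scripting", "execute_code", "web-portal", 7.0),
    Finding("CWE-400", "Uncontrolled resource consumption", "denial_of_service", "scada-gateway", 6.0),
]

# A vignette is a constructed business-context profile: how much each technical
# impact matters to the business, and how critical each component is to it.
@dataclass(frozen=True)
class Vignette:
    name: str
    impact_weight: dict
    component_weight: dict

# Retail: disclosure of card data is the worst case; a SCADA gateway is irrelevant.
RETAIL = Vignette(
    "retail payments",
    impact_weight={"read_data": 1.0, "modify_data": 0.8, "execute_code": 0.7, "denial_of_service": 0.3},
    component_weight={"card-processing": 1.0, "web-portal": 0.6, "scada-gateway": 0.2},
)

# Critical infrastructure: loss of availability on the SCADA side dominates.
CRITICAL_INFRA = Vignette(
    "critical infrastructure",
    impact_weight={"read_data": 0.3, "modify_data": 0.9, "execute_code": 0.8, "denial_of_service": 1.0},
    component_weight={"card-processing": 0.2, "web-portal": 0.5, "scada-gateway": 1.0},
)

def score(finding, vignette):
    """Simplified context-adjusted score: base severity scaled by how much the
    impact type and the affected component matter in this vignette.
    This is an illustrative rule, not the published CWSS formula."""
    iw = vignette.impact_weight.get(finding.impact, 0.5)       # unknown impact: neutral weight
    cw = vignette.component_weight.get(finding.component, 0.5)  # unknown component: neutral weight
    return round(finding.base * iw * cw, 2)

def prioritize(findings, vignette):
    """Return the findings ordered most-critical-first for the given vignette;
    ties are broken by CWE id so the order is deterministic."""
    return sorted(findings, key=lambda f: (-score(f, vignette), f.cwe))

def priority_order(findings, vignette):
    """Just the CWE ids in priority order, convenient for comparing vignettes."""
    return [f.cwe for f in prioritize(findings, vignette)]

if __name__ == "__main__":
    for v in (RETAIL, CRITICAL_INFRA):
        print(f"{v.name}:")
        for f in prioritize(FINDINGS, v):
            print(f"  {score(f, v):5.2f}  {f.cwe:8s} {f.name} ({f.component})")
```

Running it puts SQL injection and information exposure in the card-processing path at the top of the retail list, while the same four findings reorder under the critical-infrastructure vignette so that the resource-consumption flaw in the SCADA gateway comes first. The weights are the part an organization would tune to its own business; the findings and base severities would come from its scanners and code review.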

The release of the two programs coincided with Monday's unveiling of the third-annual Top 25 list of the most dangerous software errors, developed by Mitre and the SANS Institute in collaboration with top security experts in the United States and Europe.

SQL injection took the top spot this year -- moving up from No. 2 in 2010 -- as the most dangerous software error.

Such flaws were responsible for the compromises of a number of high profile organizations recently, such as Sony Pictures, PBS and security firm HBGary Federal.
