DHS unveils new programs for software security

A group of public- and private-sector organizations has teamed up to create a new risk analysis framework and scoring system aimed at helping developers and consumers improve the security of their software.

The Common Weakness Risk Analysis Framework (CWRAF), released Monday by the U.S. Department of Homeland Security, in conjunction with the SANS Institute and the nonprofit government technology research contractor Mitre, offers a way for organizations to evaluate which software weaknesses pose the greatest risk to their particular business and technology environment.

The companion Common Weakness Scoring System (CWSS), also released Monday, is meant to help organizations prioritize the unfixed weaknesses in their software so that the most dangerous ones are addressed first.

Several security vendors, including Cenzic, Fortify Software and Klocwork, have already announced plans to incorporate the scoring system into their future offerings, Bob Martin, program director of Mitre, told SCMagazineUS.com on Monday.

The hope is that the scoring system will force software companies to be more candid with customers, which will result in the creation of more secure programs and better buying decisions, Alan Paller, director of research at the SANS Institute, told SCMagazineUS.com on Friday.

"You can measure the degree to which one software package is compared to another software package," he said. "It changes the way people can buy stuff. They can say, 'Before you give me any software, I'd like to see your score on this.'"

The two frameworks are particularly helpful because they can be used to generate customized lists of the weaknesses most critical to a particular organization, rather than a single one-size-fits-all ranking, Martin said.

Retail organizations, for example, might be highly concerned about information disclosure bugs affecting their credit card processing systems. Critical infrastructure owners and operators, on the other hand, would likely be more worried about denial-of-service flaws that affect their supervisory control and data acquisition (SCADA) systems.

“Two different pieces of software supporting two different types of business have a totally different priority order for weaknesses,” Martin said.

The release of the two frameworks coincided with Monday's unveiling of the third annual Top 25 list of the most dangerous software errors, developed by Mitre and the SANS Institute in collaboration with top security experts in the United States and Europe.

SQL injection (CWE-89) took the top spot this year -- moving up from No. 2 in 2010 -- as the most dangerous software error.

Such flaws have been blamed for the recent compromises of a number of high-profile organizations, including Sony Pictures, PBS and the security firm HBGary Federal.
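For readers unfamiliar with the weakness at the top of the list, the following is an added illustration (not code from the article, nor from Mitre or SANS) of what CWE-89 looks like in practice and how it is fixed. It builds a constructed in-memory SQLite table with made-up credentials, shows a login check that splices user input into the query text, and contrasts it with the parameterized form that the Top 25 mitigation guidance recommends. The table name, column names and sample users are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed, in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: untrusted input is formatted straight into the SQL text.

    A username such as  alice' --  turns the rest of the statement into a
    comment, so the password check is never evaluated.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterized query: the driver passes values separately from the
    statement, so quotes and comment markers in the input are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payloads = [("alice", "s3cret"), ("alice' --", "wrong"),
                ("' OR '1'='1", "' OR '1'='1"), ("o'brien", "pw")]
    for user, pw in payloads:
        try:
            vuln = login_vulnerable(conn, user, pw)
        except sqlite3.Error as exc:
            vuln = "error: %s" % exc
        print("%-16r vulnerable=%-10r fixed=%r" % (user, vuln, login_fixed(conn, user, pw)))
```

The vulnerable version accepts the comment-based and tautology-based payloads without a valid password; the parameterized version rejects both while still handling a legitimate username that contains an apostrophe.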
