DHS unveils new programs for software security

A group of public and private-sector organizations has teamed up to create a new risk analysis framework and scoring system aimed at helping developers and consumers improve the security of their software.

The Common Weakness Risk Analysis Framework (CWRAF), released Monday by the U.S. Department of Homeland Security, in conjunction with the SANS Institute and nonprofit government technology research contractor Mitre, offers a way for organizations to evaluate which software weaknesses pose the greatest risk to their organization.

The companion Common Weakness Scoring System (CWSS), also released Monday, is meant to help organizations prioritize unfixed vulnerabilities in their software.

Several security vendors, including Cenzic, Fortify Software and Klocwork, have already announced plans to incorporate the scoring system into their future offerings, Bob Martin, program director of Mitre, told SCMagazineUS.com on Monday.

The hope is that the scoring system will force software companies to be more candid with customers, which will result in the creation of more secure programs and better buying decisions, Alan Paller, director of research at the SANS Institute, told SCMagazineUS.com on Friday.

"You can measure the degree to which one software package is compared to another software package," he said. "It changes the way people can buy stuff. They can say, 'Before you give me any software, I'd like to see your score on this.'"

The two programs are particularly helpful because they can be used to generate customized lists of the weaknesses most critical to a particular organization, Martin said.

Retail organizations, for example, might be highly concerned about information disclosure bugs affecting their credit card processing systems. Critical infrastructure owners and operators, on the other hand, would likely be more worried about denial-of-service flaws that affect their supervisory control and data acquisition (SCADA) systems.

“Two different pieces of software supporting two different types of business have a totally different priority order for weaknesses,” Martin said.
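The idea Martin describes, that the same catalogue of weaknesses yields a different priority order depending on the business it supports, can be shown with a small ranking script. The following is an added illustration, not code from the article, from Mitre, or from the CWRAF/CWSS specifications: the article gives no formulas, so the weighting scheme, the per-weakness impact values and the two business profiles are all assumed, constructed values; only the CWE identifiers are real entries from the CWE list.

```python
"""Illustrative weakness prioritisation by business context.

Added example: the scoring here is a simplified, assumed weighted-sum
scheme, NOT the real CWSS formula. It exists only to show how one set of
findings re-orders under two different business profiles.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Weakness:
    cwe: str                      # real CWE identifier
    name: str
    # Assumed impact profile on a 0..1 scale per technical impact type
    # (constructed values for illustration only).
    impacts: dict = field(default_factory=dict)


# Constructed sample catalogue: CWE ids are real, impact values are assumed.
CATALOGUE = [
    Weakness("CWE-89", "SQL injection",
             {"disclosure": 0.9, "dos": 0.3, "execute": 0.7}),
    Weakness("CWE-400", "Uncontrolled resource consumption",
             {"disclosure": 0.0, "dos": 1.0, "execute": 0.0}),
    Weakness("CWE-200", "Information exposure",
             {"disclosure": 1.0, "dos": 0.0, "execute": 0.0}),
    Weakness("CWE-120", "Classic buffer overflow",
             {"disclosure": 0.3, "dos": 0.8, "execute": 1.0}),
]

# Business-context weights, mirroring the article's two examples: a retailer
# that cares most about disclosure of card data, and a SCADA operator that
# cares most about availability. Weight values are assumed.
PROFILES = {
    "retail_payments": {"disclosure": 1.0, "dos": 0.3, "execute": 0.6},
    "scada_operator":  {"disclosure": 0.2, "dos": 1.0, "execute": 0.8},
}


def score(weakness: Weakness, weights: dict) -> float:
    """Weighted sum of the weakness's impacts, normalised to 0..100.

    Dividing by the total weight keeps scores comparable across profiles
    whose weights do not sum to the same value.
    """
    total_weight = sum(weights.values())
    raw = sum(weakness.impacts.get(kind, 0.0) * w
              for kind, w in weights.items())
    return round(100.0 * raw / total_weight, 1)


def prioritise(catalogue, profile: str):
    """Return [(cwe, score), ...] ranked highest-risk first for a profile."""
    weights = PROFILES[profile]
    ranked = sorted(catalogue, key=lambda w: score(w, weights), reverse=True)
    return [(w.cwe, score(w, weights)) for w in ranked]


if __name__ == "__main__":
    for profile in PROFILES:
        print(f"== {profile} ==")
        for cwe, s in prioritise(CATALOGUE, profile):
            print(f"  {cwe:<8} {s:>5}")
```

Run as a script it prints one ranked list per profile: under the retail weights SQL injection leads and the resource-consumption weakness is last, while under the SCADA weights the buffer overflow and the denial-of-service weakness move up and information exposure drops to the bottom. The mechanics of real CWSS scoring differ, but the effect the article describes, the same findings reordered by who is asking, is exactly what the weights produce.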

The release of the two programs coincided with Monday's unveiling of the third-annual Top 25 list of the most dangerous software errors, developed by Mitre and the SANS Institute in collaboration with top security experts in the United States and Europe.

SQL injection took the top spot this year -- moving up from No. 2 in 2010 -- as the most dangerous software error.

Such flaws were responsible for the compromises of a number of high profile organizations recently, such as Sony Pictures, PBS and security firm HBGary Federal.
