Special Conference Session
Software Assurance Enabling Reliability, Resilience, Robustness, and Security
September 26, 2011 - Maritime Institute, Linthicum Heights, MD
For the Nation’s critical infrastructure to be reliable, resilient, robust, and secure, the software supporting it must also have the same qualities. Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services. Additionally, a broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depend on secure, reliable software. It is estimated that 90 percent of reported security incidents result from exploits against defects in the design or build of software. In order to ensure system reliability, integrity, and safety, it is critical to include provisions for built-in security of the enabling software.
Until recently, the absence of a common measure for software weaknesses has limited the software industry’s ability to assess and remediate exploitable software flaws. By enabling interoperability among tools and automation of risk mitigation measures, organizations can achieve consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices, enabling better-informed decision-making for the development and acquisition of more resilient software products and services. Workshop participants will get the opportunity to construct one or more “vignettes” for their specific business domains.
Cloud Computing is a game-changing technology that also changes the types and management of business risks. Learn how to deal with the unique set of challenges presented by measuring and assessing these risks. Also learn how to avoid making the “Top 25 Most Dangerous Software Errors” by working with various application development teams through the SDLC. The audience will see real exploitation scenarios that were made possible by the smallest of errors that manifested themselves during testing. Find out how organizations can use these measurement tools to set priorities and make practical risk-based decisions.
This is a free “space available” workshop (with priority given to those with paid registration to the Mid-Atlantic Software Quality and Program Management Conference being held September 27-28, 2011). This workshop is being sponsored by Keane Federal Systems. Registrants must request to attend this Monday session with an understanding that those registered for the QAAM 2-day conference have a priority for attending this October 4th session. Those who request to attend will be notified at a later time whether space is available.
Contact Darrin Crittington for more information: dcrittington@qaiworldwide.org 1-866-724-6013
One-day Workshop Program Preview:
The following are the abstracts for the individual presenters:
Software Assurance Track for QAAM – Joe Jarzombek
For the Nation's critical infrastructure to be reliable, resilient, robust, and secure, the software supporting it must also have the same qualities. Vulnerabilities in software can jeopardize intellectual property, consumer trust, and business operations and services. Additionally, a broad spectrum of critical applications and infrastructure, from process control systems to commercial application products, depend on secure, reliable software. It is estimated that 90 percent of reported security incidents result from exploits against defects in the design or build of software. Therefore, ensuring the integrity and resiliency of software is vital to protecting the infrastructure from threats which target software vulnerabilities, and reducing overall risk from cyber-attacks. In order to ensure system reliability, integrity, and safety, it is critical to include provisions for built-in security of the enabling software.
Standards and Guidance for Secure Organizational Processes - Paul Croll (CSC)
This presentation addresses standards and guidance for secure organizational processes. It begins with a discussion of the differences between System and Software Assurance and Information Assurance, and describes the system and software assurance problem. The presentation also describes the governance context for assurance, including the myriad policy and guidance documents, and discusses governance in the engineering life cycle. It provides an overview of the commonly used standards for system and software assurance and how they might enhance organizational processes. It also describes additional guidance documents that may be obtained at no cost. These documents provide in-depth information on system and software engineering practices. Lastly, a strategy is presented for rationalizing governance, engineering practice, and engineering economics.
Measure Software Security – Bob Martin (MITRE)
Until recently, the absence of a common measure for software weaknesses has limited the software industry's ability to assess and remediate exploitable software flaws. The Common Weakness Enumeration (CWE) is a key initiative sponsored by the DHS NCSD SwA program with additional funds from the Department of Defense (primarily through the National Security Agency). CWE represents a joint effort of the US Federal Government and the software stakeholder community, with MITRE providing technical leadership and project coordination. CWE is a standardized dictionary used in diagnosing exploitable software faults and reporting findings, enabling interoperability among tools and automation of risk mitigation measures. Over 840 software weaknesses have been identified and catalogued, and 49 software diagnostic tools and services offer CWE-compatible capabilities.
Risk Analysis and Measurement with Common Weakness Enumeration (CWE) – Richard Struse (DHS) and Bob Martin (MITRE)
To better enable software stakeholders to reduce risks attributable to the most significant exploitable software errors relevant to specific business/mission domains and technologies, the DHS NCSD SwA program has sponsored the development of the Common Weakness Risk Analysis Framework (CWRAF). CWRAF uses the Common Weakness Scoring System (CWSS) scoring criteria with CWE to provide consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices, enabling better-informed decision-making for the development and acquisition of more resilient software products and services.
CWRAF enables more targeted specification of "Top-N" CWE lists that are relevant to specified technologies used within specific business domains. In the past, the Top 25 CWE lists have represented community collaboration efforts to prioritize the most exploitable constructs that make software vulnerable to attack or failure. Now, with CWRAF, business domains can use the scoring criteria with CWE to identify exploitable software fault patterns that are most significant to them in specific technologies: web applications, control systems, embedded systems, end-point computing devices, operating systems, databases, storage systems, enterprise system applications, and cloud computing services. In this workshop, participants will construct one or more CWRAF "vignettes" for specific business domains. As each vignette is built and refined, we will automatically recalculate the scores for the entire CWE database, allowing participants to understand how the decisions made during vignette definition affect the assessment of risk for individual weaknesses. Input from attendees will be used to continue to refine the concepts in CWRAF and identify business domains and technology areas that would benefit from CWRAF.
SwA and the Cloud – Counting the risks - Andy Murren (Deloitte & Touche LLP)
As organizations move to Cloud Computing, the types and management of business risks change. Measuring and assessing these risks presents a unique set of challenges. This presentation will cover the basic Cloud Computing service models and examine some business risks and the resulting measurement and assessment methods organizations need to address.
- What is the impact on the organization's risk exposure and responsibilities?
- Are some of the risks associated with insecure design, code, and system configuration actually decreased or just transferred to other organizations?
- What steps should the organization take to reasonably manage those risks?
- Understand features of different Cloud Computing environments
- Integrate Cloud specific considerations into their SDLC and software management governance model
- How QA and Test professionals should consider extending their roles to better address "reliability, resilience, robustness, and security."
Improve your SDLC with CAPEC and CWE - Paul Nguyen (Knowledge Consulting Group)
How can organizations improve their SDLC approaches with CAPEC and CWE? Specifically, Mr. Nguyen will share how to avoid making the "Top 25 Most Dangerous Software Errors" and lessons learned from working with various application development teams through the SDLC. He will also provide real-world examples of how organizations can use these measurement tools to set priorities and make practical risk-based decisions. The audience will see real exploitation scenarios that were made possible by the smallest of errors that were a result of translation issues early in the lifecycle but manifested themselves during in-depth application penetration testing.
Software Assurance Panel and Wrap-Up
The speakers will interact to highlight the strengths and weaknesses of the methods and practices presented today. Attendees can ask speakers to contrast their perspectives in order to understand what lessons best apply to the attendees. Do the practitioners appreciate the benefits and products from the theoreticians and modelers? What will it take to make all this work and produce tangible results? How far are we from a Software Assurance marketplace with automated tools we can use?