Tagging Your Code with a Useful Assurance Label

Presented at AppSec USA 2013, Nov. 20, 2013, 4 p.m. (50 minutes)

Video of session: https://www.youtube.com/watch?v=FCyUwyjIoBE&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=14

With so many ways for software to be vulnerable, businesses need a way to focus their assurance efforts on the potential vulnerabilities that are most dangerous to them and their software. This talk will offer a new way to focus and organize your software vulnerability assessment and assurance efforts across the entire life cycle of a project so that you target the most impactful weaknesses when they are most visible. The approach can be applied consistently across your enterprise and will have you looking for specific weaknesses at the point where you can gain the most assurance that you have dealt with them successfully.

Matched to the activities of your development effort, this approach will have your team looking for those security weaknesses (CWEs) that are most discernible and findable in each stage of a software development effort. For example, when you have a live exemplar system available, you should look for the weaknesses in design, configuration, code, or architecture that are findable through dynamic analysis, pen testing, or red teaming of that living system. Similarly, in the coding phase you want the emphasis to be on weaknesses that are findable by static analysis tools.

The follow-on step to this approach is to use what you found and what you did to create "An Assurance Tag for Binaries", basically an assurance "food label" for the code of that project. This talk will conclude with a discussion of what such a tag could look like, what it could capture, how the information could be obtained, who would or could create them, and how they could be represented for humans and machines to use.

Presenters:

  • Sean Barnum - Cyber Security Principal - MITRE
    Sean Barnum is a Principal and Cyber Threat Intelligence Community Lead at The MITRE Corporation, where he acts as a thought leader and senior advisor on information security topics to a wide variety of players within the US government, commercial industry and the international community. He has over 25 years of experience in the software industry in the areas of architecture, development, software quality assurance, quality management, process architecture and improvement, knowledge management and security. He is a frequent contributor, speaker and trainer for regional, national and international information security and software quality publications, conferences and events. He is very active in the information security community and acts as a community leader and technical architect for numerous knowledge standards-defining efforts, including the Structured Threat Information eXpression (STIX), the Cyber Observable eXpression (CybOX), the Common Attack Pattern Enumeration and Classification (CAPEC), the Malware Attribute Enumeration and Characterization (MAEC), the Common Weakness Enumeration (CWE) and the Software Assurance Findings Expression Schema (SAFES). He is coauthor of the book "Software Security Engineering: A Guide for Project Managers", published by Addison-Wesley. He is involved in the information security related standards efforts of ISO, OMG and IETF, among other international standards bodies. He also acted as the lead technical subject matter expert for design and implementation of the Air Force Application Software Assurance Center of Excellence (ASACoE).
  • Robert Martin - Sr. Prin. Engineer - MITRE Corporation
    Robert joined The MITRE Corporation in 1981 after earning bachelor's and master's degrees in electrical engineering from Rensselaer Polytechnic Institute; he subsequently earned a master's degree in business from Babson College. He is a member of the ACM, AFCEA, IEEE, and the IEEE Computer Society. He is an avid kayaker, photographer, and scuba diver.