Standards and organizations to work with


Standards and organizations to work with

Kurt Seifried
Can I suggest for discussion via email/next meeting:

1) Which other standards do we want to closely work with (e.g. CVE, CVSS and CVRF come to mind)
2) Which other organizations do we want to work closely with (e.g. NIST/NVD, various CERTs, people/orgs doing vuln classification; any suggestions here?)

Basically, CWE exists as part of an ecosystem; it's a lot more useful when used with other related tools. Speaking of which, is the following diagram reasonably correct? Suggestions are welcome (generated from the glossary I'm working on).
(attached: standards.png)
--
Kurt Seifried
[hidden email]

RE: Standards and organizations to work with

Bill Curtis

CISQ uses CWEs as a basis for their Automated Source Code Quality Measures (Reliability, Security, Performance Efficiency, and Maintainability). Bob Martin has been working closely with CISQ to develop these measures as OMG standards. They have now been sent to ISO for consideration through OMG’s fast track since they supplement the ISO 25000 series software quality standards.

- Bill

Dr. Bill Curtis | SVP & Chief Scientist | CAST Research Labs | Software Intelligence | M +1.817.228.2994


RE: Standards and organizations to work with

Joe Jarzombek

In addition to OMG CISQ’s use of CWE for Automated Source Code Quality Measures, other standards make use of CWE and related enumerations:

  • ITU-T Cybersecurity Information Exchange (CYBEX) 1500 series (with CVE in ITU-T X.1520, CWE in ITU-T X.1524, and CAPEC in ITU-T X.1544);
  • UL’s 2900 series for the Cybersecurity Assurance Program for Network-Connectable Devices;
  • US Government’s Security Content Automation Protocol (SCAP); 
  • SAE standards, such as the newest one from SAE G32 on Cyber Physical Systems Security, and Automotive Cyber Security Engineering 21434.
  • ISA/IEC 62443 – Security for Industrial Automation and Control Systems
  • ISO/IEC/IEEE 15206 – Systems and Software Assurance
  • OMG Systems Assurance Meta Model

Within CISQ, we are currently advancing the use of CWE for Data Protection, more precisely, specifying CWEs that represent source vectors for data leakage or data corruption (such as those with CWSS technical impact that enable unauthorized access to read or modify data). I’ll provide a draft list NLT Friday. It’s not surprising that only three of the candidate software-related CWEs for Data Protection are not already specified in the CISQ Automated Source Code Quality Measures for Reliability and/or Security.

At least eight additional CWEs for hardware design flaws have been identified as source vectors contributing to data leakage/corruption.

With all the focus on privacy and data protection associated with GDPR, CCPA, HIPAA, and CMMC (for protection of CUI), we can advance the use of CWE and CAPEC in assisting organizations to better understand and address their risk exposures associated with weaknesses in assets that process/transmit/store data.

This is a long way of saying we have multiple opportunities to work with other organizations in advancing the use of CWE/CAPEC.

Regards,

-Joe-

Joe Jarzombek, CSSLP

Director for Government & Critical Infrastructure Programs

Email: [hidden email] | Mobile: 703 627-4644

https://www.synopsys.com/solutions/aerospace-defense.html


RE: Standards and organizations to work with

Joe Jarzombek

As promised, attached is the draft list proposed for advancing the use of CWE for Data Protection, more precisely, specifying CWEs that represent source vectors for data leakage or data corruption (such as those with CWSS technical impact that enable unauthorized access to read or modify data). It’s not surprising that only three of the candidate software-related CWEs for Data Protection are not already specified in the CISQ Automated Source Code Quality Measures for Reliability and/or Security.

At least eight additional CWEs for hardware design flaws have been identified as source vectors contributing to data leakage/corruption.

Regards,

-Joe-

Joe Jarzombek, CSSLP

Director for Government & Critical Infrastructure Programs

Email: [hidden email] | Mobile: 703 627-4644

https://www.synopsys.com/solutions/aerospace-defense.html

Attachment: CWE_DataProtectionView - draft 12Aug2020.xlsx (27K)