U.S. Department of Homeland Security

Software Assurance

Technology and Tools Working Group

Activities

Current activities

Specific goals and milestones have been set for this working group to promote the use of tools and technology in software assurance evaluations.

Common Weakness Enumeration (CWE)
A DHS-sponsored project led by MITRE, CWE™ "provides a unified, measurable set of software weaknesses that will enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code." Currently, software assurance tools do not use the same names and definitions for software weaknesses, which makes their results hard to compare.

Common Attack Pattern Enumeration and Classification (CAPEC)
A DHS-sponsored project led by Cigital Inc., CAPEC is a collection of abstracted common attack approaches derived from a set of known exploits. This formalized representation facilitates a common way to express and understand the nature of cyber attacks, and provides the software assurance tool community with a common way to share these definitions.

Software Assurance Ecosystem
An Object Management Group (OMG) standard, the Knowledge Discovery Metamodel (KDM) specification defines a metamodel for representing information about existing software assets and their operational environments. Through its open design, KDM enables interoperability between software assurance tools. Additionally, it is a component of a larger Software Ecosystem Framework based on OMG standards that together enable the analysis of assets to make an assurance case.

Software Assurance Metrics and Tool Evaluation Project (SAMATE)

A DHS-sponsored project led by NIST, SAMATE’s goal is the evaluation of the effectiveness of software assurance tools through testing and tool metrics. Products to date include:

New Activities

Formalization of CWE Definitions – Beyond reaching a common agreement on the names and definitions of today’s software weaknesses, the T&T Working Group (through the SAMATE project) is working to formalize those definitions. Using the Software Assurance Ecosystem as a framework for formalization, this work will serve as a pilot and testbed for software assurance tool testing and interoperability.

Automated Test Case Generation – One of the early by-products of CWE formalization will be the generation of actual source code examples of software weaknesses, used in support of the SAMATE project’s software assurance tool evaluation effort.

Software Assurance Technology and Tools Working Group Roadmap – To build on existing work in software assurance and bring tools and technology to the forefront in making the software assurance case, the T&T Working Group will plot out a course of activities and collaborations to reach that goal.

Comments/Additional Information

For more information or to submit comments, contact the DHS Software Assurance Office at software.assurance [at] dhs.gov.