Technology and Tools Working Group
Activities
Current activities
Specific goals and milestones have been set for this working group to promote the use of tools and technology in software assurance evaluations.
Common Weakness Enumeration (CWE)
A DHS-sponsored project led by MITRE, CWE™ "provides a unified, measurable set of software weaknesses that will enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code." Currently, software assurance tools do not use the same names and definitions for software weaknesses.
Common Attack Pattern Enumeration and Classification (CAPEC)
A DHS-sponsored project led by Cigital Inc., CAPEC is a collection of abstracted common attack approaches derived from a set of known exploits. This formalized representation facilitates a common way to express and understand the nature of cyber attacks, and provides the software assurance tool community with a common way to share these definitions.
Software Assurance Ecosystem
An Object Management Group (OMG) standard, the Knowledge Discovery Metamodel (KDM) specification defines a metamodel for representing information related to existing software assets and their operational environments. KDM is an enabler of software assurance tool interoperability through its open design. Additionally, it is a component of a larger Software Ecosystem Framework based on OMG standards that together enable the analysis of assets to make an assurance case.
Software Assurance Metrics and Tool Evaluation Project (SAMATE)
A DHS-sponsored project led by NIST, SAMATE’s goal is the evaluation of the effectiveness of software assurance tools through testing and tool metrics. Products to date include:
- SAMATE Reference Dataset (SRD) – A repository of software artifacts that can be used to evaluate static and dynamic analysis software assurance tools
- NIST Special Publication SP 500-268, Source Code Security Analysis Tool Functional Specification
- NIST Special Publication SP 500-269, Web Application Scanner Functional Specification
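The SRD and the functional specifications above are only useful for tool evaluation if findings can be scored against labelled test cases. The following is an added illustration of that scoring step, not SAMATE's own harness: it builds a small, constructed SRD-style ground truth (hypothetical file names, each "bad" case labelled with the CWE it exhibits and the line of the weakness, each "good" case a fixed variant that must yield no finding), feeds in a constructed tool report, and computes true positives, false positives, false negatives, precision, recall and per-CWE detection rate. The line tolerance window is an assumption of this example, since tools commonly flag a sink a few lines away from the labelled source line.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed SRD-style ground truth (hypothetical paths, illustrative CWE ids).
@dataclass(frozen=True)
class TestCase:
    path: str
    cwe: int        # CWE id the case is labelled with
    line: int       # labelled weakness line; 0 for "good" (fixed) cases
    is_bad: bool    # True = contains the weakness, False = fixed variant

# A single finding as a tool would report it.
@dataclass(frozen=True)
class Finding:
    path: str
    cwe: int
    line: int

GROUND_TRUTH: List[TestCase] = [
    TestCase("CWE120_bad_01.c", 120, 14, True),
    TestCase("CWE120_good_01.c", 120, 0, False),
    TestCase("CWE89_bad_01.java", 89, 27, True),
    TestCase("CWE89_good_01.java", 89, 0, False),
    TestCase("CWE78_bad_01.c", 78, 9, True),
]

# Constructed report from a hypothetical analyser: one hit two lines off the
# labelled line, one exact hit, one miss (CWE-78 case never reported), and one
# false positive on a fixed variant.
TOOL_REPORT: List[Finding] = [
    Finding("CWE120_bad_01.c", 120, 16),
    Finding("CWE89_bad_01.java", 89, 27),
    Finding("CWE89_good_01.java", 89, 25),
]


def matches(case: TestCase, finding: Finding, window: int) -> bool:
    """A finding counts as a true positive only on a bad case, with the same
    path and CWE, and within `window` lines of the labelled weakness line."""
    return (case.is_bad
            and case.path == finding.path
            and case.cwe == finding.cwe
            and abs(case.line - finding.line) <= window)


def evaluate(truth: List[TestCase], report: List[Finding], window: int = 3) -> Dict:
    """Score a tool report against labelled test cases. Each bad case can be
    matched at most once, so duplicate hits on one case do not inflate TP."""
    matched: Set[TestCase] = set()
    tp = fp = 0
    for finding in report:
        hit = next((c for c in truth if c not in matched and matches(c, finding, window)), None)
        if hit is None:
            fp += 1            # no labelled weakness explains this finding
        else:
            matched.add(hit)
            tp += 1
    fn = sum(1 for c in truth if c.is_bad and c not in matched)

    # Per-CWE recall shows which weakness classes the tool actually covers.
    bad_by_cwe: Dict[int, List[TestCase]] = {}
    for c in truth:
        if c.is_bad:
            bad_by_cwe.setdefault(c.cwe, []).append(c)
    per_cwe = {cwe: sum(1 for c in cases if c in matched) / len(cases)
               for cwe, cases in bad_by_cwe.items()}

    return {
        "tp": tp, "fp": fp, "fn": fn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "per_cwe_recall": per_cwe,
    }


if __name__ == "__main__":
    for key, value in evaluate(GROUND_TRUTH, TOOL_REPORT).items():
        print(f"{key}: {value}")
```

Running the block against the constructed report gives 2 true positives, 1 false positive and 1 false negative (precision and recall both 2/3), with per-CWE recall of 1.0 for CWE-120 and CWE-89 and 0.0 for CWE-78; the good-variant false positive is exactly the kind of result the paired bad/good structure of a reference dataset is designed to expose.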
New Activities
Formalization of CWE Definitions - Beyond reaching a common agreement on the names and definitions of today’s software weaknesses, the T&T Working Group (through the SAMATE project) is working to formalize those definitions. Using the Software Assurance Ecosystem as a framework for formalization, this work will serve as a pilot and testbed for software assurance tool testing and interoperability.
Automated Test Case Generation – One of the early by-products of CWE formalization will be the generation of actual source code examples of software weaknesses, used in support of the SAMATE project’s software assurance tool evaluation effort.
Software Assurance Technology and Tools Working Group Roadmap - In order to utilize existing work in software assurance and plot a path toward bringing tools and technology to the forefront in making the software assurance case, the T&T Working Group will plot out a course of activities and collaborations to reach that goal.
Comments/Additional Information
For more information or to submit comments, contact the DHS Software Assurance Office at software.assurance [at] dhs.gov.