SwA Co-Chair and Task Lead Strategy Session Agenda
Technology, Tools and Product Evaluation Working Group Status Briefing
Co-Chair(s): Michael Kass (NIST), Larry Wagoner (NSA)
March 31, 2008

TT&PE Working Group Projects
– Common Weakness Enumeration (CWE)
– Common Attack Pattern Enumeration and Classification (CAPEC)
– Software Assurance Metrics and Tool Evaluation (SAMATE) Project
– OMG Software Assurance Framework and Tool Test Generation

CWE Draft 8 (30 Jan 08)
– Added 22 CWEs

Formalizing a Schema for Weaknesses
– Identifying Information: CWE ID, Name
– Describing Information: Description, Extended Description, Alternate Terms, Demonstrative Examples, Observed Examples, Context Notes, Source Taxonomy, References, Whitebox Definition, Blackbox Definition, Formal Definition
– Scoping & Delimiting Information: Type, Functional Area, Likelihood of Exploit, Common Consequences, Enabling Factors for Exploitation, Common Methods of Exploitation, Applicable Platforms, Time of Introduction
– Prescribing Information: Potential Mitigations
– Enhancing Information: Weakness Ordinality, Causal Nature, Affected Resource, Related Attacks, Detection Factors, Node Relationships, Research Gaps

NVD Now Maps to CWE!
– The National Vulnerability Database (NVD), operated by NIST and sponsored by the Department of Homeland Security, now tags vulnerabilities with CWEs
– nvd.nist.gov

CAPEC Status

New CAPEC Status
– Attack pattern multi-level abstraction tagging
  – Levels: Meta, Standard, Detailed
  – All current authored patterns (101), as well as all potential patterns in the attack taxonomy, have been tagged
– CAPEC description initial schema formalization
  – Targeted to support security test case identification
  – Updated schema complete
  – 25 of the authored patterns have been fleshed out to the new schema

The SAMATE Project

Testing the Tools
– SAMATE Reference Dataset (SRD)
  – Online repository of tool tests
  – Thousands of source code samples containing examples of CWEs
– Discrete tests, developed by NIST and contributed by tool developers, academia and the public
– Tests are based upon interpretation of a particular weakness definition (currently there are no formal white-box definitions)
– Tests are freely available at

Automated Test Case Generation (TCG)
– Funded by DHS
– Part of the SAMATE effort to expand the SRD to cover as many CWEs as possible
– Based upon OMG MDA technology (MOF, UML, XMI)
  – Uses formalized CWE definitions:
    – Contractual formalization, based on the OMG standard Semantics of Business Vocabulary and Rules (SBVR)
    – Technical formalization, based on the OMG standard Knowledge Discovery Metamodel (KDM)
[Diagram: Formal CWE Definitions (SBVR/KDM) -> Tool Tests (code) -> Code Analysis Tool; KDM]

CWE Formalization
– White-box definitions: focus on the structural patterns of the inner components and their interactions (which determine certain observable behavior)
– Provide "compliance points" that:
  – Describe patterns of code (as they can be directly identified in code)
  – Identify discernible properties of patterns of code
  – Enable automation
  – Enable direct, step-by-step comparisons of the decision procedures implemented within tools

SAMATE and CWE Effectiveness Program
– Long-term goal: to auto-generate tool tests using formal CWE definitions, in collaboration with MITRE's CWE Effectiveness program
  – Provide tests "ad hoc" to tool developers
  – Developers run tests against their tool
  – Developers can publish test results

TCG: Where are we now?
– TCG status:
  – Can generate tests for 3 CWEs
  – 26 CWE white-box definitions for "high priority" CWEs are complete, based upon their:
  – Long term, TCG will cover as many CWEs as possible, with coding complexities
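The three slides above describe a pipeline: SRD-style test cases annotated with the weakness they contain, a white-box definition that names a pattern of code a tool can identify directly, and a loop in which tool developers run the tests and report results. The following is an added example written for this page, not SAMATE, SRD or TCG code, that puts the three together in miniature. The choice of CWE-78 (OS command injection), the five constructed source samples, the shell-sink rule and all function names are assumptions made for the illustration; a real SRD case would be C or Java with its own metadata, and a real white-box definition would be expressed in SBVR/KDM rather than as a Python function over the ast module.

```python
"""Added example (not SAMATE or SRD code): a miniature tool-testing harness.

  1. SRD-style test cases: source samples annotated with the weakness
     they contain (or deliberately do not contain) and the line it is on.
  2. A white-box "compliance point": a structural pattern that can be
     identified directly in code, implemented here over Python's ast.
  3. Scoring an analyzer's findings against the expected flaw lines.

The CWE (CWE-78), the samples and the rule are constructed for illustration.
"""
import ast
import textwrap
from dataclasses import dataclass, field


@dataclass
class TestCase:
    name: str
    cwe: str                                      # weakness the case targets
    source: str
    flaw_lines: set = field(default_factory=set)  # empty set: a "good" variant


def _src(text):
    """Strip the indentation of a triple-quoted sample so line 1 is real code."""
    return textwrap.dedent(text).lstrip("\n")


# Constructed SRD-style samples for CWE-78: bad/good pairs, plus one case that
# defeats a purely structural rule (a constant reaches the sink via a name).
CASES = [
    TestCase("cwe78_bad_concat", "CWE-78", _src("""
        import os
        def run(user):
            os.system("ping " + user)
        """), flaw_lines={3}),
    TestCase("cwe78_bad_shell_true", "CWE-78", _src("""
        import subprocess
        def run(user):
            subprocess.run(f"ping {user}", shell=True)
        """), flaw_lines={3}),
    TestCase("cwe78_good_argv", "CWE-78", _src("""
        import subprocess
        def run(user):
            subprocess.run(["ping", user])
        """)),
    TestCase("cwe78_good_constant", "CWE-78", _src("""
        import os
        def run():
            os.system("uptime")
        """)),
    TestCase("cwe78_good_indirect_constant", "CWE-78", _src("""
        import os
        def run():
            cmd = "uptime"
            os.system(cmd)
        """)),
]

SHELL_SINKS = {"os.system", "os.popen"}


def _qualname(node):
    """Dotted name of a call target ('os.system'), or '' if not a plain name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _shell_true(call):
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def find_cwe78(source):
    """White-box compliance point for CWE-78 as one decision procedure: a call
    to a shell sink whose command argument is not a string literal.
    Returns the set of matching line numbers."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _qualname(node.func)
        is_sink = name in SHELL_SINKS or (
            name.startswith("subprocess.") and _shell_true(node))
        if is_sink and not isinstance(node.args[0], ast.Constant):
            hits.add(node.lineno)
    return hits


def score(cases, analyzer):
    """Run an analyzer over the cases and tally hits against expected lines."""
    tp = fp = fn = 0
    for case in cases:
        found = analyzer(case.source)
        tp += len(found & case.flaw_lines)
        fp += len(found - case.flaw_lines)
        fn += len(case.flaw_lines - found)
    precision = tp / (tp + fp) if tp + fp else 1.0  # no reports: no false alarms
    recall = tp / (tp + fn) if tp + fn else 1.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


if __name__ == "__main__":
    for case in CASES:
        print(f"{case.name:30} expected={sorted(case.flaw_lines)} "
              f"found={sorted(find_cwe78(case.source))}")
    print(score(CASES, find_cwe78))
```

The last case is the point of the exercise. The syntactic rule reports `os.system(cmd)` because the argument is a name rather than a literal, while a tool with even local constant propagation would stay silent; with only the prose CWE text to go on, both tools can claim to be right. That is what the slides mean by tests "based upon interpretation" and why a white-box definition has to spell out the decision procedure: once it does, the two tools' verdicts on this case can be compared step by step, and the test generator knows whether to emit the indirect-constant variant as a good or a bad case.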

Other SAMATE Projects
– Ongoing work
  – Developing tests for web application scanners
  – Adding to existing tests for source code security analyzers
  – Performing tool effectiveness studies
– New areas
  – Testing binary analyzers
  – The Static Analysis Tool Exposition (SATE)
  – Software transparency/pedigree information

NIST will be hosting the SwA Forum in October 2008
– Opportunity to showcase NIST's work in SwA:
  – NVD
  – SAMATE
  – SCADA
  – Trustworthy Systems Project
  – NVLAP (CC labs, crypto testing, Voting System Testing Laboratory accreditation)
  – NIST publications (FIPS, SP 500 and 800 series)
  – Voting System Testing Project