Tagging Your Binaries With A Risk Analysis Measurement From CWE/CWRAF
Robert A. Martin
10 April 2013
cwe.mitre.org/compatible/
Direct Contributors to the 2011 CWE/SANS Top 25
• 3 years running
• Latest version published in June 2011
• Survey results from over 25 organizations
• 41 CWE entries nominated
• CWSS 0.8 used to rank results
  – Technical Impact, Prevalence, Likelihood of Exploit
• Published pocket guide for mitigating the Top 25 (and other weaknesses, too)
Figure: weakness classes found by Static Analysis and by Dynamic Analysis
• SQL Injection
• Cross Site Scripting
• HTTP Response Splitting
• OS Commanding
• LDAP Injection
• …
Application Logic Issues
Engineering For Attack – ISO/IEC Technical Report 20004:
Refining Software Vulnerability Analysis Under ISO/IEC 15049 and ISO/IEC 18045
Figure: Attack, Weakness, Item, Impact; Asset; Function
Technical Impacts:
1. Modify data
2. Read data
3. DoS: unreliable execution
4. DoS: resource consumption
5. Execute unauthorized code or commands
6. Gain privileges / assume identity
7. Bypass protection mechanism
8. Hide activities
CWRAF/CWSS in a Nutshell
Weights: W, Wd
Ranked weaknesses (score, CWE):
92 CWE-770
91 CWE-829
91 CWE-190
91 CWE-494
90 CWE-134
90 CWE-772
90 CWE-476
90 CWE-131
…
CWE | Related CAPEC IDs
CWE-79 | CAPEC-232, CAPEC-106, CAPEC-19, …
CWE-78 | CAPEC-108, CAPEC-15, CAPEC-43, CAPEC-6, …
Common Attack Pattern Enumeration and Classification (CAPEC)
Scoring Weaknesses Discovered in Code using CWSS
Organizations that have declared plans to support CWSS in their future offerings and are working with MITRE to evolve CWSS to meet their customers' and the community's needs for a scoring system for software errors.
CWE Coverage – Implemented…
Figure: coverage of the Most Important Weaknesses (CWEs) by Code Review, Static Analysis Tool A, Static Analysis Tool B and Pen Testing Services
Which static analysis tools and Pen Testing services find the CWEs I care about?
Leveraging and Managing to take Advantage of the Multiple Perspectives of Analysis
Review of Architecture and Design; Review of Code
(2) Read Data
(3) DoS: unreliable execution
(5) Execute unauthorized code or commands
(6) Gain privileges / assume identity
(7) Bypass protection mechanism
(8) Hide activities
Vulnerability Analysis Focus By Phase and Impact
Phases: Architecture Analysis | Design Review | Source Code Static Analysis | Binary Static Analysis | Automated Dynamic Analysis | Penetration Testing | Red Team Assessment
(1) Modify data: CWE-23 Relative Path Traversal (Architecture Analysis, Design Review); CWE-131 Incorrect Calculation of Buffer Size (Source Code Static Analysis, Binary Static Analysis); CWE-311 Missing Encryption of Sensitive Data (Automated Dynamic Analysis, Penetration Testing, Red Team Assessment)
(2) Read Data: CWE-14 Compiler Removal of Buffer Clearing (Architecture Analysis, Design Review); CWE-129 Improper Validation of Array Index (Source Code Static Analysis, Binary Static Analysis); CWE-209 Information Exposure Through an Error Message (Automated Dynamic Analysis, Penetration Testing, Red Team Assessment)
(3) DoS: unreliable execution: CWE-36 Absolute Path Traversal (Architecture Analysis, Design Review); CWE-476 Null Pointer Dereference (Source Code Static Analysis, Binary Static Analysis); CWE-406 Network Amplification (Automated Dynamic Analysis, Penetration Testing, Red Team Assessment)
(4) DoS: resource consumption: CWE-395 Use of NullPointerException (Architecture Analysis, Design Review); CWE-190 Integer Overflow (Source Code Static Analysis, Binary Static Analysis); CWE-412 Unrestricted Externally Accessible Lock (Automated Dynamic Analysis, Penetration Testing, Red Team Assessment)
(8) Hide activities: CWE-78 OS Command Injection (Architecture Analysis, Design Review); CWE-168 Improper Handling of Inconsistent (Source Code Static Analysis, Binary Static Analysis); CWE-444 HTTP Request Smuggling (Automated Dynamic Analysis, Penetration Testing, Red Team Assessment)
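As an added example (not MITRE's code and not the official CWSS/CWRAF formula), the Python below sketches the vignette idea behind the "CWRAF/CWSS in a Nutshell" slide and the phase/impact table above: each of the eight Technical Impacts gets a business-context weight, each CWE is tagged with the impacts it can cause, and a binary's scanner findings are scored and ranked under two constructed vignettes. The CWE-to-impact map follows the table; the vignette weights, the sample scanner output and the max-weight scoring rule are assumptions made for illustration.

```python
from typing import Dict, List, Tuple

# The eight Technical Impacts listed in the deck.
TECHNICAL_IMPACTS = (
    "Modify data", "Read data", "DoS: unreliable execution",
    "DoS: resource consumption", "Execute unauthorized code or commands",
    "Gain privileges / assume identity", "Bypass protection mechanism",
    "Hide activities",
)

# CWE -> Technical Impacts, taken from the deck's phase/impact table.
# CWE-78 (OS command injection) also gets "Execute unauthorized code".
CWE_IMPACTS: Dict[str, set] = {
    "CWE-131": {"Modify data"}, "CWE-311": {"Modify data"},
    "CWE-129": {"Read data"}, "CWE-209": {"Read data"},
    "CWE-476": {"DoS: unreliable execution"},
    "CWE-190": {"DoS: resource consumption"},
    "CWE-78": {"Hide activities", "Execute unauthorized code or commands"},
}

# Constructed vignettes (assumption): weight 0-10 per Technical Impact,
# unlisted impacts weigh 0. Same weaknesses, different business risk.
VIGNETTES: Dict[str, Dict[str, int]] = {
    "web-app": {"Read data": 10, "Modify data": 9,
                "Execute unauthorized code or commands": 8, "Hide activities": 6,
                "DoS: unreliable execution": 3, "DoS: resource consumption": 3},
    "controller": {"DoS: unreliable execution": 10, "DoS: resource consumption": 9,
                   "Execute unauthorized code or commands": 8, "Modify data": 7,
                   "Read data": 2, "Hide activities": 4},
}

def score_finding(cwe: str, vignette: str) -> int:
    """Highest vignette weight among the impacts the CWE can cause (0 if unmapped)."""
    weights = VIGNETTES[vignette]
    assert set(weights) <= set(TECHNICAL_IMPACTS), "vignette uses an unknown impact"
    return max((weights.get(i, 0) for i in CWE_IMPACTS.get(cwe, ())), default=0)

def rank_findings(findings: Dict[str, int], vignette: str) -> List[Tuple[str, int, int]]:
    """findings: {CWE id: occurrences}. Returns (cwe, score, count), highest score first."""
    ranked = [(cwe, score_finding(cwe, vignette), n) for cwe, n in findings.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))

def tag_binary(findings: Dict[str, int], vignette: str) -> Dict[str, int]:
    """Per-binary measurement: worst single weakness and count-weighted total."""
    ranked = rank_findings(findings, vignette)
    return {"worst": ranked[0][1] if ranked else 0,
            "weighted_total": sum(score * n for _, score, n in ranked)}

# Constructed scanner output for one binary: CWE id -> number of findings.
SAMPLE_FINDINGS = {"CWE-476": 12, "CWE-209": 2, "CWE-190": 3, "CWE-78": 1}

if __name__ == "__main__":
    for name in VIGNETTES:
        print(name, rank_findings(SAMPLE_FINDINGS, name), tag_binary(SAMPLE_FINDINGS, name))
```

Under the web-app vignette the two error-message exposures (CWE-209) outrank twelve NULL dereferences; under the controller vignette the ordering flips, which is the point of tagging a binary against a vignette rather than against a single global list.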
Contact Info
cwss@mitre.org
cwe@mitre.org