New security frameworks help users demand assurance

By on
New security frameworks help users demand assurance

Twin frameworks give power to the people.

The US Department of Homeland Security and the SANS Institute have developed a risk analysis framework and scoring system to help developers and consumers improve software security.

The Common Weakness Risk Analysis Framework, also developed by the non-profit government technology research contractor Mitre, was a benchmark to evaluate software weaknesses that pose the greatest risk to organisations.

A companion framework dubbed the Common Weakness Scoring System assisted organisations to prioritise software vulnerabilities.

Several security vendors, including Cenzic, Fortify Software and Klocwork, announced plans to incorporate the scoring system into their future offerings,.

SANS Institute director of research Alan Paller said the scoring system will force software companies to be more candid with customers ad build more secure programs.

"You can measure the degree to which one software package is compared to another software package," Paller said. "It changes the way people can buy stuff. They can say, 'before you give me any software, I'd like to see your score on this.'"

The two programs are helpful because they can be used to generate customised lists of weaknesses most critical to a particular organisation, according to Mitre program director Bob Martin.

Retail organisations, for example, might be highly concerned about information disclosure bugs affecting their credit card processing systems. Critical infrastructure owners and operators, on the other hand, would likely be more worried about denial-of-service flaws that affect their supervisory control and data acquisition systems.

“Two different pieces of software supporting two different types of business have a totally different priority order for weaknesses,” Martin said.

The release of the two programs coincided with Monday's unveiling of the third-annual Top 25 list of the most dangerous software errors, developed by Mitre and the SANS Institute.

SQL injection took the top spot this year as the most dangerous software error, moving up from second spot last year.

Such flaws were responsible for the compromises of a number of high profile organisations recently, such as Sony Pictures, PBS and security firm HBGary Federal.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

Log In

  |  Forgot your password?