The US Department of Homeland Security and the SANS Institute have developed a risk analysis framework and scoring system to help developers and consumers improve software security.
The Common Weakness Risk Analysis Framework, also developed by the non-profit government technology research contractor Mitre, is a benchmark for evaluating which software weaknesses pose the greatest risk to organisations.
A companion framework dubbed the Common Weakness Scoring System helps organisations prioritise software vulnerabilities.
Several security vendors, including Cenzic, Fortify Software and Klocwork, announced plans to incorporate the scoring system into their future offerings.
SANS Institute director of research Alan Paller said the scoring system will force software companies to be more candid with customers and build more secure programs.
"You can measure the degree to which one software package is compared to another software package," Paller said. "It changes the way people can buy stuff. They can say, 'before you give me any software, I'd like to see your score on this.'"
The two programs are helpful because they can be used to generate customised lists of weaknesses most critical to a particular organisation, according to Mitre program director Bob Martin.
Retail organisations, for example, might be highly concerned about information disclosure bugs affecting their credit card processing systems. Critical infrastructure owners and operators, on the other hand, would likely be more worried about denial-of-service flaws that affect their supervisory control and data acquisition systems.
"Two different pieces of software supporting two different types of business have a totally different priority order for weaknesses," Martin said.
The release of the two programs coincided with Monday's unveiling of the third-annual Top 25 list of the most dangerous software errors, developed by Mitre and the SANS Institute.
SQL injection took the top spot this year as the most dangerous software error, moving up from second spot last year.
Such flaws were responsible for the compromises of a number of high profile organisations recently, such as Sony Pictures, PBS and security firm HBGary Federal.