When it comes to application security, everyone agrees that no one tool, solution, vendor or best practice can do it all. But the Object Management Group (OMG) is driving forward the notion of a Software Assurance Framework that will allow information and analysis to be shared among security-related tools and solutions. The goal is to advance software trustworthiness beyond today's more silo-based approaches.
In a nascent effort, the OMG's Software Assurance Special Interest Group (SIG) is working with the Platform and Domain Task Forces within the OMG, as well as with other industry groups, to develop a specification for the framework. The framework will be part of a Software Assurance ecosystem, according to the SIG's co-chair Djenana Campara, CEO of KDM Analytics in Wilmington, Del.
Software Assurance is a level of confidence that software functions as intended and is free of security vulnerabilities, Campara said. The Software Assurance ecosystem will be based on ISO/OMG open standards and will have three main components: Semantics of Business Vocabulary and Rules (SBVR), which is publicly available but is not yet finalized by the OMG; the Knowledge Discovery Meta-model (KDM), which the OMG has formally adopted and is publicly available; and the Software Assurance Meta-model (SAM), a work in progress that will include the Software Assurance Framework for tooling.
The goal of the framework is to do the following:
- Improve repeatability and objectivity of evaluations by automatically connecting evidence and claims
- Improve risk assessments through evidence correlation
- Manage claims for consistency, understanding gaps, duplication, etc.
Using today's application security vulnerability testing tools, "we're not addressing the full scale of the problem," Campara said. "Customers become more agitated, and they're refusing to use the tools because there is a high number of false positives and negatives, and it's addressing only a portion [of the problem]."
Campara cited a study on static analysis tools done by the National Security Agency that focused on five major vulnerabilities. Each tool was used to analyze the same C++ application. According to Campara, 84% of the results were non-overlapping. "That's staggering," she said.
Campara said the Software Assurance effort follows the model of the software modernization community. "You've got to share to gain more, that's how that community came together. We're now trying to get the security static and dynamic analysis [vendors] into this community."
But the Software Assurance ecosystem would cut a wide swath, she said. "The software solutions are not just static analysis or vulnerability checking, but pen tools, design tools like UMLs, tools producing cyber patches -- they all need to interoperate to produce end-to-end solutions," Campara said.
Standards could provide a scenario where a company runs an application scanning tool to find vulnerabilities. The results could then be given to another tool to determine which ones are exploitable. Then a company could use a penetration testing tool to further test the exploits, and finally have another tool that does the patching so all the vulnerabilities are covered.
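The two points above, the non-overlapping results of the NSA static analysis study and the tool chain in which one tool's findings feed the next, both come down to the same mechanic: every tool's output has to be normalized into a shared vocabulary before evidence from different tools can be correlated. The following is an added example, not code from the OMG, KDM Analytics or any vendor named in the article. It assumes two hypothetical scanners with constructed output formats and a hypothetical rule-name to CWE mapping, normalizes both into a common finding record, correlates findings that name the same CWE in the same file within a couple of lines, and reports the share of findings that only one tool saw.

```python
"""Normalize findings from several analysis tools into a common record set and
correlate them, so that evidence from different tools can be compared.

Added example; the tool output formats and the RULE_TO_CWE table are constructed
assumptions, not any real vendor's format or mapping."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """A tool-neutral record: weakness id, location, and which tool reported it."""
    tool: str
    cwe: str
    path: str
    line: int


# Constructed sample output from two hypothetical scanners ("A" and "B"). Each tool
# names the same weakness differently and encodes the location differently, which is
# the vocabulary problem a shared meta-model is meant to remove.
TOOL_A_RAW = [
    {"rule": "strcpy-overflow", "file": "src/net.c", "line": 42},
    {"rule": "format-string", "file": "src/log.c", "line": 17},
    {"rule": "strcpy-overflow", "file": "src/parse.c", "line": 88},
]
TOOL_B_RAW = [
    {"check": "BUFFER_OVERRUN", "location": "src/net.c:43"},
    {"check": "SQL_INJECT", "location": "src/db.c:120"},
    {"check": "UNCHECKED_RETURN", "location": "src/net.c:9"},
]

# Hypothetical mapping from each tool's rule names to CWE ids (assumed, not real).
RULE_TO_CWE = {
    "strcpy-overflow": "CWE-120",
    "BUFFER_OVERRUN": "CWE-120",
    "format-string": "CWE-134",
    "SQL_INJECT": "CWE-89",
    "UNCHECKED_RETURN": "CWE-252",
}


def normalize_tool_a(raw):
    """Tool A already splits file and line; only the rule name needs translating."""
    return [Finding("A", RULE_TO_CWE[r["rule"]], r["file"], int(r["line"])) for r in raw]


def normalize_tool_b(raw):
    """Tool B packs the location as 'path:line'; split it and translate the check name."""
    out = []
    for r in raw:
        path, _, line = r["location"].rpartition(":")
        out.append(Finding("B", RULE_TO_CWE[r["check"]], path, int(line)))
    return out


def correlate(findings, window=2):
    """Group findings that name the same CWE in the same file within `window` lines.

    Tools often flag the same weakness a line or two apart (the declaration versus the
    unsafe call), so an exact line match would undercount real overlap.
    Returns {(cwe, path, anchor_line): set_of_tools}."""
    by_key = defaultdict(list)
    for f in findings:
        by_key[(f.cwe, f.path)].append(f)
    groups = {}
    for (cwe, path), fs in by_key.items():
        fs.sort(key=lambda f: f.line)
        anchor, tools = None, set()
        for f in fs:
            if anchor is None or f.line - anchor > window:
                if anchor is not None:
                    groups[(cwe, path, anchor)] = tools
                anchor, tools = f.line, set()
            tools.add(f.tool)
        groups[(cwe, path, anchor)] = tools
    return groups


def overlap_report(groups, n_tools):
    """Share of correlated findings that fewer than all tools reported, i.e. the
    'non-overlapping' fraction the study quoted in the article counted."""
    total = len(groups)
    agreed = sum(1 for tools in groups.values() if len(tools) == n_tools)
    pct = round(100.0 * (total - agreed) / total, 1) if total else 0.0
    return {"total": total, "agreed": agreed, "non_overlap_pct": pct}


def consolidated_claims(groups):
    """One claim per correlated weakness, with multi-tool evidence listed first so a
    downstream exploitability or pen-test step can prioritize it."""
    rows = ((cwe, path, line, sorted(tools)) for (cwe, path, line), tools in groups.items())
    return sorted(rows, key=lambda c: (-len(c[3]), c[1], c[2]))


if __name__ == "__main__":
    all_findings = normalize_tool_a(TOOL_A_RAW) + normalize_tool_b(TOOL_B_RAW)
    groups = correlate(all_findings)
    print(overlap_report(groups, n_tools=2))
    for claim in consolidated_claims(groups):
        print(claim)
```

On the constructed sample, only the buffer overflow in `src/net.c` is seen by both tools; the other four findings are single-tool, so the report shows 80% non-overlapping. The correlation key (CWE, file, nearby line) is the minimum shared vocabulary needed for the hand-off the article describes, where a scanner's output becomes another tool's input.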
The government, as well as businesses, is pushing for this ecosystem, Campara said. As a demonstration, Unisys, KDM Analytics, MITRE, Third Brigade and NIST integrated their work, tools and technology components into the Software Assurance ecosystem.
"The government is pushing to formalize all vulnerabilities, so we will be using SBVR and KDM to formally express every vulnerability so every static analysis vendor can take this vulnerability and feed it to their engine. So, we all look for the same thing," Campara said. "And when knowledge is extracted to a KDM analyzer, we will be able to refer to attributes in exactly the same way. You will be able to differentiate between more and less powerful analyzer engines, and people will be able to focus more on the areas of these vulnerabilities."
Application security vendors not on board yet
Campara said she has been speaking with security tools vendors about the framework, but as yet none have committed or have joined the effort.
"There is a need in the marketplace for a more standardized certification of application security; today the only standard that exists is smart people doing tests of applications and telling you their opinions," said Michael Weider, founder and CTO of Watchfire Corp., an online risk management and Web application security testing provider in Waltham, Mass. "There is the OWASP Top 10, but it's not a comprehensive security standard."
The need will get greater, he said. "As people scale testing from the small amount happening today to all applications, which is where the industry is heading, people need to do it in a more repeatable way. Today it's tactical, and you can get away with three people doing it, but if you're asking hundreds of developers to do so, you need to approach it in a standard way, so it would be useful in that regard."
Weider continued, "The other area it would be useful is third-party applications. If you're buying or outsourcing an application, you need to know if it works from a security standpoint. Today the only thing to do is to test it yourself." If third parties could be certified through a software assurance process, he said, it could potentially eliminate a lot of the redundant testing going on today.
Watchfire has been talking with the Software Assurance SIG to better understand the project, but Weider said it is early and the project has a very ambitious scope. He said the company's involvement will likely depend on market demand.
"But we're looking at it. We definitely support the CWE [common weakness enumeration, developed by MITRE] which is part of this. And our product is CVE [common vulnerabilities and exposures] compliant, a common vulnerability standard that MITRE and the OMG maintain. We're definitely supporting standards, but SA is new and we're looking at it," Weider said.
Brian Chess, founder and chief scientist of Fortify Software, a Palo Alto, Calif.-based vendor of automated application security testing tools, was also contacted for this story but did not want to comment.
But Campara is hopeful that the tools vendors will get on board. "They recognize there's a problem and promise they will look into it and put it on the roadmap," she said. In the meantime, though, the development of a Software Assurance ecosystem may open opportunities for other types of vendors. "We've been approached by modernization organizations wanting to enter this space," she said.