Getting to Know the Enemy Better

Industry players propose standards for describing vulnerabilities, attack patterns

ARLINGTON, Va. -- Black Hat DC -- Experts agree: The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it.

But that situation is about to change, according to speakers at the Black Hat conference here today. In fact, draft guidelines for specifying common security weaknesses and common attack patterns could be just weeks away.

In two separate presentations, experts from Mitre and Cigital -- two companies with long track records in government and industry standards -- outlined plans for the implementation of Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC), two specifications that could eventually help developers recognize weaknesses in their applications and anticipate common attack patterns that adversaries might use to break in.

The proposed specifications would offer common methods for describing and categorizing weaknesses and attack vectors, much as Common Vulnerabilities and Exposures (CVE) and Common Malware Enumeration (CME) have done for vulnerabilities and malware.

The CWE is in its fifth draft and is already delivering some benefits for software developers, according to Robert Martin, principal engineer at Mitre. It represents a "dictionary" of frequently made mistakes in software development that can lead to exploitable vulnerabilities, he said.

"It's a common body of knowledge about software assurance that will help developers to build security into their applications," Martin said. The initiative, funded largely by the U.S. Department of Homeland Security (DHS), represents some 600 entries from more than 20 vendors of tools that help to identify security weaknesses in software.

In its most recent draft, the CWE is adding several new features, including metadata tagging that will describe the language, operating systems, and time of introduction of security weaknesses found in software. The specification is expected to move past draft status "in the near future," Martin said.

CAPEC is a newer initiative, also funded by DHS, championed by Cigital. The goal of the effort is to identify common patterns of attack, giving security experts a more structured way to handicap the potential attacks on a particular application -- and work with their developers to defend against them, said Sean Barnum, managing consultant at Cigital.

"If you are building or buying software, it's important to understand how it's going to be attacked, and what the potential impact of those attacks might be," said Barnum. "If your attacker is coming at you from one direction, and you are building defenses that come from a completely different direction, you're going to have trouble."

CAPEC, which is scheduled to be issued as a draft to selected reviewers next week, outlines methods for defining and classifying attack methods. It also provides some guidance on the risks and potential impact of specific attack patterns, giving organizations some ideas on how to build and prioritize their defenses.

CAPEC, which will initially include about 100 attack patterns, outlines broader vectors than "signatures," which give detailed information on a single attack. The idea is to identify commonalities and trends among attacks, giving organizations a way of anticipating attacks they may not know about yet.

"The patterns can also be combined, to show that one pattern may precede another," Barnum said.
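To make the two catalogs concrete, here is an added example (not code from Mitre, Cigital, CWE or CAPEC) that models a handful of CWE-style weakness entries carrying the language, platform and time-of-introduction tags described above, links them to CAPEC-style attack patterns, and orders chained patterns so that a pattern that can precede another is listed first. Entry IDs and names follow the public CWE and CAPEC catalogs; the tag values, the severity scores, the "precedes" link from SQL injection to OS command injection, and the helper names are constructed for illustration.

```python
"""Toy model of a CWE-style weakness dictionary and a CAPEC-style attack
pattern catalog. Added example, not code from Mitre, Cigital, CWE or CAPEC.
Entry IDs and names follow the public catalogs; tag values, severity scores
and 'precedes' links are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Weakness:
    """One CWE entry with the metadata tags the draft describes."""
    cwe_id: str
    name: str
    languages: frozenset   # "*" means language-independent
    platforms: frozenset   # "*" means platform-independent
    introduced: str        # lifecycle phase in which the mistake is made


@dataclass(frozen=True)
class AttackPattern:
    """One CAPEC entry: weaknesses it exploits, a severity score, and the
    patterns it can set up (the 'one pattern precedes another' relation)."""
    capec_id: str
    name: str
    exploits: frozenset            # CWE ids this pattern targets
    severity: int                  # 1 (low) .. 5 (very high); constructed
    precedes: frozenset = frozenset()


# Constructed sample catalogs: real CWE/CAPEC ids and names, but the tags,
# severities and the SQLi -> command-injection chain are illustrative.
WEAKNESSES = [
    Weakness("CWE-120", "Classic Buffer Overflow",
             frozenset({"C", "C++"}), frozenset({"*"}), "Implementation"),
    Weakness("CWE-89", "SQL Injection",
             frozenset({"*"}), frozenset({"*"}), "Implementation"),
    Weakness("CWE-79", "Cross-site Scripting",
             frozenset({"*"}), frozenset({"*"}), "Implementation"),
    Weakness("CWE-78", "OS Command Injection",
             frozenset({"*"}), frozenset({"*"}), "Architecture and Design"),
]
PATTERNS = [
    AttackPattern("CAPEC-100", "Overflow Buffers", frozenset({"CWE-120"}), 5),
    AttackPattern("CAPEC-66", "SQL Injection", frozenset({"CWE-89"}), 5,
                  frozenset({"CAPEC-88"})),
    AttackPattern("CAPEC-63", "Cross-Site Scripting", frozenset({"CWE-79"}), 3),
    AttackPattern("CAPEC-88", "OS Command Injection", frozenset({"CWE-78"}), 5),
]


def _tag_matches(tags, value):
    return "*" in tags or value in tags


def applicable_weaknesses(language, platform, catalog=WEAKNESSES):
    """CWE entries whose language/platform tags cover this application."""
    return [w for w in catalog
            if _tag_matches(w.languages, language)
            and _tag_matches(w.platforms, platform)]


def by_phase(weaknesses):
    """Group weakness ids by the phase that introduces them, so a reviewer
    knows which to raise at design time and which at coding time."""
    groups = {}
    for w in weaknesses:
        groups.setdefault(w.introduced, []).append(w.cwe_id)
    return groups


def applicable_patterns(weaknesses, catalog=PATTERNS):
    """Attack patterns that exploit at least one of the given weaknesses."""
    ids = {w.cwe_id for w in weaknesses}
    return [p for p in catalog if p.exploits & ids]


def order_by_chain(patterns):
    """Kahn's topological sort over 'precedes': a pattern that can set up
    another is listed before it; among patterns ready at the same time,
    higher severity first, then id. A cycle means a malformed catalog."""
    by_id = {p.capec_id: p for p in patterns}
    indegree = {pid: 0 for pid in by_id}
    for p in patterns:
        for nxt in p.precedes:
            if nxt in indegree:        # links to out-of-scope patterns are ignored
                indegree[nxt] += 1

    def rank(pid):
        return (-by_id[pid].severity, pid)

    ready = sorted((pid for pid, d in indegree.items() if d == 0), key=rank)
    ordered = []
    while ready:
        pid = ready.pop(0)
        ordered.append(by_id[pid])
        for nxt in by_id[pid].precedes:
            if nxt in indegree:
                indegree[nxt] -= 1
                if indegree[nxt] == 0:
                    ready.append(nxt)
        ready.sort(key=rank)
    if len(ordered) != len(patterns):
        raise ValueError("cycle in 'precedes' links")
    return ordered


def threat_profile(language, platform):
    """Ordered CAPEC ids a security reviewer would hand to the dev team."""
    weak = applicable_weaknesses(language, platform)
    return [p.capec_id for p in order_by_chain(applicable_patterns(weak))]


if __name__ == "__main__":
    for lang in ("C", "Java"):
        print(lang, by_phase(applicable_weaknesses(lang, "Linux")),
              threat_profile(lang, "Linux"))
```

For a Java application the buffer-overflow entry drops out on the language tag, and the chain link puts SQL injection ahead of the OS command injection it can set up, which is the kind of ordered, environment-specific list the article says security staff would hand to developers.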

CAPEC, like CWE, is designed for use primarily by security staff, not application developers themselves. The standards help security people define common weaknesses and attack patterns, then apply them to their own environments and applications so they can give guidance to their development teams on what to look for -- and how to build more effective defenses into the software itself.

"This will help security people and developers to communicate more effectively," Barnum said.

— Tim Wilson, Site Editor, Dark Reading
