
Getting to Know the Enemy Better

Industry players propose standards for describing vulnerabilities, attack patterns

ARLINGTON, Va. -- Black Hat DC -- Experts agree: The best way to secure applications is to build security in during the development phase. The problem is that there are few standards or templates for doing it.

But that situation is about to change, according to speakers at the Black Hat conference here today. In fact, draft guidelines for specifying common security weaknesses and common attack patterns could be just weeks away.

In two separate presentations, experts from Mitre and Cigital -- two companies with long track records in government and industry standards -- outlined plans for the implementation of Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC), two specifications that could eventually help developers recognize weaknesses in their applications and anticipate common attack patterns that adversaries might use to break in.

The proposed specifications would offer common methods for describing and categorizing weaknesses and attack vectors, much as Common Vulnerability Enumeration (CVE) and Common Malware Enumeration (CME) have done for vulnerabilities and malware.

The CWE is in its fifth draft and is already delivering some benefits for software developers, according to Robert Martin, principal engineer at Mitre. It represents a "dictionary" of frequently made mistakes in software development that can lead to exploitable vulnerabilities, he said.

"It's a common body of knowledge about software assurance that will help developers to build security into their applications," Martin said. The initiative, funded largely by the U.S. Department of Homeland Security (DHS), represents some 600 entries from more than 20 vendors of tools that help to identify security weaknesses in software.

In its most recent draft, the CWE is adding several new features, including metadata tagging that will describe the language, operating systems, and time of introduction of security weaknesses found in software. The specification is expected to move past draft status "in the near future," Martin said.

CAPEC is a newer initiative, also funded by DHS, championed by Cigital. The goal of the effort is to identify common patterns of attack, giving security experts a more structured way to handicap the potential attacks on a particular application -- and work with their developers to defend against them, said Sean Barnum, managing consultant at Cigital.

"If you are building or buying software, it's important to understand how it's going to be attacked, and what the potential impact of those attacks might be," said Barnum. "If your attacker is coming at you from one direction, and you are building defenses that come from a completely different direction, you're going to have trouble."

CAPEC, which is scheduled to be issued as a draft to selected reviewers next week, outlines methods for defining and classifying attack methods. It also provides some guidance on the risks and potential impact of specific attack patterns, giving organizations some ideas on how to build and prioritize their defenses.

CAPEC, which will initially include about 100 attack patterns, outlines broader vectors than "signatures," which give detailed information on a single attack. The idea is to identify commonalities and trends among attacks, giving organizations a way of anticipating attacks they may not know about yet.

"The patterns can also be combined, to show that one pattern may precede another," Barnum said.

CAPEC, like CWE, is designed for use primarily by security staff, not application developers themselves. The standards help security people define common weaknesses and attack patterns, then apply them to their own environments and applications so they can give guidance to their development teams on what to look for -- and how to build more effective defenses into the software itself.

"This will help security people and developers to communicate more effectively," Barnum said.

— Tim Wilson, Site Editor, Dark Reading
