Abstract: CWE released 4.0 on February 24 this year, including hardware security vulnerabilities in CWE for the first time. 4.1 was released on June 25, and 4.2 was released on August 20.
# 1. As usual, tell the story first
Let's start with MITRE[1], the organization behind CWE. MITRE describes itself as a "nonprofit organization" that operates Federally Funded Research and Development Centers (FFRDCs); its stated goal is solving problems for a safer world.
1.1. Origin of MITRE
MITRE's history can be traced back to the Cold War between the US and the Soviet Union after the Second World War. In the late 1950s, faced with the threat of a Soviet nuclear strike, the U.S. Air Force called on MIT to help it build an air defense system that could detect incoming bombers. MIT proposed the Semi-Automatic Ground Environment (SAGE) system, which combines radar, radio and network communications to detect enemy aircraft and alert nearby air bases, whose aircraft are launched in time to intercept the threat. SAGE was also the first modern air defense system in the United States [6]. The first three letters of MITRE are short for Massachusetts Institute of Technology. I remember a French film, "Snake" (1973), set against this historical background: agents discover that surplus material from Soviet strategic bombers has been made into hangars used in civil aviation, try every means to steal some of it, and hand it to a laboratory for analysis, which calculates the full range of a bomber built from that material. Interested friends can dig it out and have a look; it is a very classic spy movie of that era.
1.2. Famous ATT&CK
For the name MITRE, more people will probably first think of MITRE's ATT&CK framework, which has become very popular in recent years. This knowledge base of attacker tactics and techniques leads the global trend in network attack and defense. On October 27th MITRE released version 8.1 of ATT&CK. It is a tactics-oriented framework because ATT&CK breaks down what may happen during an intrusion into 14 tactical stages: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. The techniques and tools used by attackers in each stage are then summarized and classified into a knowledge base, helping us understand attacker capabilities. Currently ATT&CK is divided into:
- Enterprise: traditional Enterprise network and cloud environment;
- Mobile: Mobile communication equipment;
- ICS: Industrial Control Systems.
1.3. Operation Model: Skunk Work
MITRE runs some of the most secretive, low-key science and technology labs, like MI6 in the James Bond movies. Because MITRE is a non-profit organization, it operates seven "Skunk Works-level" R&D centers through Federally Funded Research and Development Centers (FFRDCs).
You may be unfamiliar with the Skunk Works model, so here is a little explanation. In 1943, to compete with aircraft built by the German manufacturer Messerschmitt, Lockheed established a top-secret research and production facility called Skunk Works with the explicit mission of developing a high-speed fighter in 180 days. The project was given a great deal of autonomy in decision making and was encouraged to disregard standard procedures. As a result, the program developed and delivered Lockheed's P-80 Shooting Star, the first U.S. Army Air Forces jet fighter, in a record 143 days. The U-2, F-22 and F-35 were all developed by this studio. Skunk Works became a model of innovation that is still used today; Apple, Google and other big companies have similar studios. Below was a 2014 Lockheed video marking the 70th anniversary of Skunk Works.
1.4. Research and development
MITRE's research and development fields cover advanced aviation systems, enterprise modernization technology, judicial engineering, healthcare, national cyber security and more. Its products range from the Airborne Warning and Control System (AWACS) and military satellite communication systems, to the FBI's social media image fingerprinting program and associated human anatomy and criminal history databases, to helping the US Department of Homeland Security (DHS) develop intrusion detection systems for the Internet of Things (smartphones, fitness trackers, smart home products and so on); it is also said to be working on a technology to detect lies through changes in body odor. MITRE has attracted a large number of top network security talents, cross-domain technology experts and scientists, and has produced many legendary stories. For example, former MITRE engineer Matt Edman (bald, bearded, crisp baritone) worked with the FBI and used his hacking skills to help the agency bring down the Silk Road, a notorious underground online marketplace for drugs.
During this year's coronavirus pandemic, U.S. health agencies asked MITRE Corp. to create a surveillance system called Sara Alert. Through Sara Alert, public health officials can register and monitor individuals and families who are sick or at risk of infection; enrollees are asked to enter their symptoms daily via text message, email, phone or website. This helps health care providers determine who needs care and who needs to be isolated. The US Centers for Disease Control and Prevention now relies on Sara Alert to support COVID-19 surveillance efforts in the country. It feels like our health code.
# 2. Introduction to CWE
2.1. The birth of CWE
Returning to today's theme: MITRE began publishing the CVE (Common Vulnerabilities and Exposures)[2] list of defects in 1999. As part of CVE, MITRE's CVE team developed a preliminary classification of vulnerabilities, attacks, failures and other concepts to help define common software vulnerabilities. However, these classifications were too coarse for the code security assessment industry, which needs to identify and classify the defects present in its products. To this end, MITRE participated in the National Institute of Standards and Technology (NIST) Software Assurance Metrics and Tool Evaluation (SAMATE) project sponsored by the U.S. Department of Homeland Security (DHS), and in 2005 reworked the internal CVE categorization for the first time for the code evaluation industry. Thus CWE (Common Weakness Enumeration)[3] was born. CWE is used for the following purposes:
- Describe and discuss software and hardware weaknesses in a common language;
- Check for weaknesses in existing software and hardware products;
- Assess the coverage of tools that address these weaknesses;
- Identify, mitigate and prevent weaknesses using a common benchmarking standard;
- Prevent software and hardware weaknesses prior to deployment.
Therefore, as an important standard for classifying software defects, CWE plays an important role in security research, security standards and defect management. CWE lets researchers in different fields of code defects use the same definitions when communicating security issues, reducing ambiguity.
2.2. CWE number type
At present, CWE classifies and describes both software and hardware defects. Each category has a unique CWE number, and the entries form a multi-level classification system of defect types according to their level of abstraction (Class, Base and Variant weaknesses, among others).
# 3. New views in CWE 4.2
In recent years, as software security issues have become more and more important factors for risk prevention and control of software application systems, the update speed of CWE has been significantly accelerated.
In particular, hardware security weaknesses were included in CWE for the first time with the release of 4.0 on 2/24 of this year, followed by 4.1 on 6/25 and 4.2 on 8/20. Two new views are worth attention:
- CWE-1350: Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses
- CWE-1305: CISQ Quality Measures (2020)
3.1. CWE-1350: CWE/SANS Top 25
This view is compiled by CWE from the CVE entries in the National Vulnerability Database (NVD)[3], which is managed by the National Institute of Standards and Technology (NIST). Each weakness is ranked by a score calculated from its prevalence and from the severity given by the Common Vulnerability Scoring System (CVSS)[4]. This shows the reliability of the data: the view reflects the major security weaknesses found in 2020 and is an important guide for tools, testing and security research.
CWE and the SANS Institute jointly released the TOP 25 three times, in 2009, 2010 and 2011 [5]. However, for unknown reasons, the TOP 25 was not released again until 2019, and the 2020 list is the next update after the CWE 2019 TOP 25. The CWE 2020 TOP 25 counted approximately 27,000 CVE vulnerabilities from 2018 to 2019. Here are the changes in the Top 25 from 2019 to 2020.
3.1.1. CWE 2020 TOP 25 vs CWE 2019 TOP 25
The fastest rising are:
- CWE-787 (Out-of-bounds Write): from #12 to #2
- CWE-522 (Insufficiently Protected Credentials): from #27 to #18
- CWE-306 (Missing Authentication for Critical Function): from #36 to #24
- CWE-862 (Missing Authorization): from #34 to #25
- CWE-863 (Incorrect Authorization): from #33 to #29
It can be seen that, apart from CWE-787, which is a buffer problem, all the weaknesses that rose rapidly are related to access control.
The fastest falling are:
- CWE-426 (Untrusted Search Path): from #22 to #26
- CWE-295 (Improper Certificate Validation): from #25 to #28
- CWE-835 (Loop with Unreachable Exit Condition): from #26 to #36
- CWE-704 (Incorrect Type Conversion or Cast): from #28 to #37
3.1.2. CWE 2020 TOP 25 Changes Table
3.1.3. Ranking algorithm
The ranking algorithm takes two parameters into account, frequency of occurrence and severity, so that defects with low frequency and low severity are unlikely to appear in the ranking, while defects with high frequency and high severity do. The algorithm can only remove statistical bias from the data; the deviation in judging which CWE a defect belongs to will still cause some errors when the defect classification in a CVE is mapped to a CWE. These persistent problems at the CWE classification level can only be resolved gradually in later CWE releases.
Calculation formula:
- Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}
- Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))
- Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))
- Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
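The formula above carried through on a small constructed data set, as an added example that is not part of the original article or of MITRE's own tooling. It assumes that min(CVSS) and max(CVSS) are taken over every CVE in the data set (an assumption; the page does not say), and the CVE ids, CWE mappings and CVSS scores are made up.

```python
from collections import defaultdict
from statistics import mean

# Constructed NVD-style records: (CVE id, mapped CWE, CVSS base score).
# Placeholder values for illustration only, not real NVD data.
SAMPLE_NVD = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 7.5),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),
    ("CVE-0000-0008", "CWE-306", 9.8),   # rare but critical
    ("CVE-0000-0009", "CWE-835", 5.0),   # rare and moderate
]


def score_cwes(records):
    """Return {cwe: (Fr, Sv, Score)} using the Top 25 formula."""
    freq = defaultdict(int)          # Freq: count of CVEs per CWE
    cvss_by_cwe = defaultdict(list)  # CVSS scores per CWE, for the average
    for _cve, cwe, cvss in records:
        freq[cwe] += 1
        cvss_by_cwe[cwe].append(cvss)
    all_cvss = [c for _, _, c in records]
    min_f, max_f = min(freq.values()), max(freq.values())
    min_c, max_c = min(all_cvss), max(all_cvss)   # assumption: over all CVEs
    out = {}
    for cwe in freq:
        # Guard the degenerate case where every CWE has the same count/score.
        fr = (freq[cwe] - min_f) / (max_f - min_f) if max_f != min_f else 0.0
        avg = mean(cvss_by_cwe[cwe])
        sv = (avg - min_c) / (max_c - min_c) if max_c != min_c else 0.0
        out[cwe] = (fr, sv, fr * sv * 100)
    return out


def rank(records):
    """CWE ids ordered by descending Score, i.e. the Top-N order."""
    scores = score_cwes(records)
    return sorted(scores, key=lambda k: scores[k][2], reverse=True)


if __name__ == "__main__":
    for cwe, (fr, sv, score) in score_cwes(SAMPLE_NVD).items():
        print(f"{cwe:8} Fr={fr:.3f} Sv={sv:.3f} Score={score:.2f}")
    print("Ranking:", rank(SAMPLE_NVD))
```

Note that CWE-306 in the sample, which appears once with the highest CVSS, scores 0 because Fr is 0 at min(Freq): the product form means a rare weakness never ranks, however severe, which is the statistical trade-off the text describes.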
3.2. CWE-1305: CISQ Quality Measures (2020)
3.2.1. CISQ background
CISQ, the Consortium for Information & Software Quality, measures software quality with automated metrics for quality characteristics. This quality standard originated in the Object Management Group (OMG)[7], an international, open-membership, non-profit technology standards consortium. OMG standards are driven by vendors, users and academic institutions; its working groups set enterprise integration standards for a wide range of technologies and industries. The familiar Unified Modeling Language (UML) and Model Driven Architecture (MDA) were developed by this organization.
CISQ was founded in 2010 by the Software Engineering Institute (SEI) at Carnegie Mellon University and the Object Management Group (OMG). Both organizations were asked by system integrators to develop standards for measuring software reliability and security attributes, because a global standard is an important step towards comparing vendors' IT applications in benchmarking.
Founders and Sponsors:
- www.omg.org/
- www.castsoftware.com/
- www.cgi.com/en
- www.cognizant.com/
- ishpi.net/
- www.northropgrumman.com/Pages/defau…
- www.synopsys.com/
- www.techmahindra.com/CWCE.html
- www.it-cisq.org/index.htm#
More than 1500 software organizations are members of CISQ, and CISQ is also used by many top systems integrators and software developers, such as Cognizant, CGI, Tech Mahindra, GSA, BNY Mellon, the U.S. Air Force, Generali and BMW.
ISO/IEC is incorporating CISQ into the ISO/IEC DIS 5055 Automated Source Code Quality Measures standard, which is expected to be officially released next year.
3.2.2. How does CISQ evaluate software quality
- CISQ brings together world-renowned software experts to define a set of best practices that ensure software reliability, performance efficiency, security and maintainability;
- For these four assessment dimensions, CISQ sorted through more than 800 known weaknesses in CWE, identified the most critical and high-impact ones, and standardized them for each quality characteristic so that they can be checked automatically;
- For each quality measure, automated evaluation can be done at both the code level and the architecture level through static analysis.
- An overview of CISQ's four quality characteristics (figure).
3.2.3. CISQ 2020 vs CISQ 2016
CWE version 3.2, released in March 2019, introduced CISQ's draft version 0.9 from 2016. CWE-1305 in 4.2 corresponds to CISQ version 1.0, which was released in January this year.
# 4. Summary
- Judging from the 2019 and 2020 TOP 25 lists, buffer overflows and input validation problems (injection, CSRF) are still the main problems that software security work and tools need to face; at the same time, access control problems are on the rise.
- CISQ uses static analysis to automatically measure software quality, and uses CWE weakness detection to refine the measurement criteria. This offers an approach to measuring application software quality automatically with tools, and also provides an important basis for establishing a unified standard for software quality evaluation.
# 5. References
[1] MITRE: www.mitre.org/
[2] CVE: cve.mitre.org/cve/
[3] CWE: cwe.mitre.org/
[4] NVD: nvd.nist.gov/
[5] CVSS: nvd.nist.gov/vuln-metric…
[6] Inside America's Secretive $2 Billion Research Hub Collecting Fingerprints from Facebook, Hacking Smartwatches and Fighting COVID-19
[7] OMG: www.omg.org/about/index…
[8] List of Weaknesses Included in the CISQ Automated Source Code Quality Measures, June 2019
This article is shared by Uncle_Tom from The new View of CWE 4.2.