On the 7/28 Virtualization Security Podcast, we were joined by Robert Martin of Mitre to discuss Mitre’s new CWE, CWSS, and CWRAF tools to aid in software and system security evaluation. We put a decidedly cloud based discussion around these tools to determine how they would be used by those that program within a PaaS environment, make use of SaaS, or other cloud services.
We looked at three tools to determine how to use them within the cloud environment. They were:
- Common Weakness Enumeration or CWE available at cwe.mitre.org
- Common Weakness Scoring System or CWSS available at cwe.mitre.org/cwss
- Common Weakness Risk Assessment Framwork or CWRAF available at cwe.mitre.org/cwraf
These tools impact several layers of the cloud mostly from how the cloud applications will be build with security in mind, but also in a starting point to discuss cloud security with the vendors and amoungst your own organization. Unlike the Info Graphic on Journey to the Cloud which points out specific risks, the CWRAF is a framework which can be used to discuss risks to the code used within the project. This is at a sufficiently high level that C-Levels can also be involved in the conversation. Both the CWRAF and Info Graphic tools act as a starting point to discuss threats and weaknesses to any cloud or virtual environment. While the CWRAF does not point out possible solutions, it does raise the level of awareness; it makes a very good tool. One suggestion would be to pull CWRAF into the CloudAudit endeavor.
CWE and CWSS on the other hand are pure programming tools, as such they should live within PaaS environments and development processes such as DevOps. There is currently a lack of tools to programmatically use CWE and CWSS but they definitely can be used in their current state as part of a checklist for testing, QA, and security based code reviews.
These tools are a step forward and anyone involved in development should make use of these tools as well as CVE.
Does your organization’s development process include a security code review today?
* The travelogue video was produced by Lars Troen