On the 7/28 Virtualization Security Podcast, we were joined by Robert Martin of Mitre to discuss Mitre’s new CWE, CWSS, and CWRAF tools to aid in software and system security evaluation.  We put a decidedly cloud based discussion around these tools to determine how they would be used by those that program within a PaaS environment, make use of SaaS, or other cloud services.

We looked at three tools to determine how to use them within the cloud environment. They were:

* CWE (Common Weakness Enumeration)
* CWSS (Common Weakness Scoring System)
* CWRAF (Common Weakness Risk Analysis Framework)

These tools impact several layers of the cloud, mostly in how cloud applications will be built with security in mind, but also as a starting point for discussing cloud security with vendors and amongst your own organization. Unlike the Info Graphic on Journey to the Cloud, which points out specific risks, the CWRAF is a framework that can be used to discuss risks to the code used within a project. It operates at a sufficiently high level that C-levels can also be involved in the conversation. Both the CWRAF and the Info Graphic act as starting points for discussing threats and weaknesses in any cloud or virtual environment. While the CWRAF does not point out possible solutions, it does raise the level of awareness, which makes it a very good tool. One suggestion would be to pull CWRAF into the CloudAudit endeavor.

CWE and CWSS, on the other hand, are pure programming tools, and as such they should live within PaaS environments and development processes such as DevOps. There is currently a lack of tools to use CWE and CWSS programmatically, but they can definitely be used in their current state as part of a checklist for testing, QA, and security-based code reviews.

These tools are a step forward, and anyone involved in development should make use of them as well as CVE.

Does your organization’s development process include a security code review today?


Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.
