Mitre – Two New Tools to Help with PaaS and Risk Assessment

On the 7/28 Virtualization Security Podcast, we were joined by Robert Martin of Mitre to discuss Mitre’s new CWE, CWSS, and CWRAF tools, which aid in software and system security evaluation. We put a decidedly cloud-based discussion around these tools to determine how they would be used by those who program within a PaaS environment, make use of SaaS, or use other cloud services.

We looked at three tools to determine how to use them within the cloud environment. They were:

* CWE (Common Weakness Enumeration)
* CWSS (Common Weakness Scoring System)
* CWRAF (Common Weakness Risk Analysis Framework)

These tools impact several layers of the cloud, mostly in how cloud applications will be built with security in mind, but also as a starting point to discuss cloud security with vendors and amongst your own organization. Unlike the Info Graphic on Journey to the Cloud, which points out specific risks, CWRAF is a framework that can be used to discuss risks to the code used within a project. It operates at a sufficiently high level that C-levels can also be involved in the conversation. Both CWRAF and the Info Graphic act as a starting point to discuss threats and weaknesses in any cloud or virtual environment. While CWRAF does not point out possible solutions, it does raise the level of awareness, which makes it a very good tool. One suggestion would be to pull CWRAF into the CloudAudit endeavor.

CWE and CWSS, on the other hand, are pure programming tools; as such, they should live within PaaS environments and development processes such as DevOps. There is currently a lack of tools to programmatically use CWE and CWSS, but they can definitely be used in their current state as part of a checklist for testing, QA, and security-based code reviews.

These tools are a step forward, and anyone involved in development should make use of them as well as CVE.

Does your organization’s development process include a security code review today?

* The travelogue video was produced by Lars Troen

Edward Haletky
Edward L. Haletky aka Texiwill is an analyst, author, architect, technologist, and out of the box thinker. As an analyst, Edward looks at all things IoT, Big Data, Cloud, Security, and DevOps. As an architect, Edward creates peer-reviewed reference architectures for hybrid cloud, cloud native applications, and many other aspects of the modern business. As an author he has written about virtualization and security. As a technologist, Edward creates code prototypes for parts of those architectures. Edward is solving today's problems in an implementable fashion.