Mitre – Two New Tools to Help with PaaS and Risk Assessment

On the 7/28 Virtualization Security Podcast, we were joined by Robert Martin of Mitre to discuss Mitre’s Common Weakness Enumeration (CWE) and its two new companion tools, the Common Weakness Scoring System (CWSS) and the Common Weakness Risk Analysis Framework (CWRAF), which aid in software and system security evaluation. We gave the discussion a decidedly cloud-based slant, asking how these tools would be used by those who program within a PaaS environment, make use of SaaS, or consume other cloud services.

Application Vulnerability Scanning comes in from the Cloud

We’ve recently been asked to look at the way the Cloud is increasingly being used to provide external security testing services, such as Application Vulnerability Scanning (AVS). Proponents of such services argue that security threats come from the cloud, so it makes most sense to run the AVS from the cloud as well. However, after a very detailed examination of the options, we have come to the conclusion that the Cloud isn’t necessarily the right answer for many enterprises, and that the AVS service may best be delivered inside the datacenter.

Application Vulnerability Scanning is the process of exercising the external interfaces of applications (typically public-facing web applications) in order to find exploitable or potentially exploitable security weaknesses; a scan can surface weaknesses, but it cannot prove there are none. So, for example, you might log on to a system and check that the credentials aren’t simply sent back to you in plain text in a cookie.
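The cookie check just described, written out as an added example (not code from the original post or from any AVS product). It parses the Set-Cookie headers of a constructed login response, looks for the submitted username and password in each cookie value as received, URL-decoded, or base64-decoded, and also flags cookies that lack the Secure and HttpOnly attributes, which goes slightly beyond the plain-text case in the text. The response text, cookie names and credentials are all constructed for the example; the function names are assumptions of this example.

```python
import base64
from urllib.parse import unquote

# Constructed sample: the raw HTTP response a scanner might receive after
# POSTing username=alice&password=S3cret! to a login form. It is not captured
# from any real system. Two cookies leak the credentials (one plainly, one
# base64-encoded); the third is an opaque session token with safe attributes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /home\r\n"
    "Set-Cookie: auth=alice:S3cret!; Path=/\r\n"
    "Set-Cookie: remember="
    + base64.b64encode(b"alice:S3cret!").decode("ascii")
    + "; Path=/\r\n"
    "Set-Cookie: session=3f9c2a7b1e4d6085; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response):
    """Return [(name, value, attrs)] for every Set-Cookie header in a raw response.

    attrs maps lower-cased attribute names (path, secure, httponly, ...) to
    their values; flag attributes such as Secure map to an empty string.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        header, sep, rest = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in rest.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        cookies.append((name.strip(), value.strip(), attrs))
    return cookies


def decoded_forms(value):
    """Yield the cookie value as received, URL-decoded and base64-decoded.

    Base64 decoding is attempted on both the raw and URL-decoded value and
    silently skipped when the text is not valid base64 or not valid UTF-8.
    """
    yield value
    yield unquote(value)
    for candidate in (value, unquote(value)):
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            pass


def audit_login_cookies(raw_response, username, password):
    """Return a list of (cookie_name, issue) findings for a login response.

    A credential counts as exposed when it appears verbatim in any decoded
    form of the cookie value. Very short secrets can match by coincidence,
    so a real scanner would confirm a hit by replaying a modified value.
    """
    findings = []
    for name, value, attrs in parse_set_cookies(raw_response):
        forms = list(decoded_forms(value))
        for label, secret in (("password", password), ("username", username)):
            if any(secret in form for form in forms):
                findings.append((name, f"{label} exposed in cookie value"))
        if "secure" not in attrs:
            findings.append((name, "missing Secure attribute"))
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly attribute"))
    return findings


if __name__ == "__main__":
    for cookie, issue in audit_login_cookies(SAMPLE_RESPONSE, "alice", "S3cret!"):
        print(f"{cookie}: {issue}")
```

In practice the response would come from a real HTTP client after submitting the login form; the audit logic is unchanged, and the base64 path is what catches the "remember me" style cookie that looks opaque at first glance.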

