© 2006, KDM Analytics
Software Assurance Ecosystem and its Applications
Djenana Campara
Chief Executive Officer, KDM Analytics
Board Director, Object Management Group (OMG)
Co-Chair, Software Assurance and Architecture Driven Modernization, OMG
© 2007, KDM Analytics
Agenda
- Software Assurance: Definition; OMG and Government Initiative; The Assurance Case
- Software Assurance Ecosystem: Introduction and Current State; Enabling Technologies; ISO/OMG Tooling Standards; Detailed View of the Ecosystem
- Software Assurance Ecosystem in Action
Software Assurance
Software Assurance
Definition: "The justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the lifecycle" [National Defense Industrial Association (NDIA)].
Basic Principles: For each software artifact of interest, there exists a set of claims (generally related to safety and security) about the software artifact, a set of facts (collectively called evidence) about the software artifact, and a set of assurance arguments that use the evidence to show that the software artifact does, in fact, satisfy the claims.
The justified confidence is presented through an Assurance Case: a set of auditable claims, arguments and evidence created to support the contention that a defined system/service will satisfy the particular requirements, through supporting arguments and evidence.
Assurance Case: Claims, Arguments & Evidence Exchanged Among SwA Participants
(Diagram: claims, arguments and evidence flow between the participants, who are the consumers of the assurance case.)
Participants: Procurement agency; Certification agency; Audit agency; Software Supplier; Software Integrator; Courts of law; Legislators; Software Tool Vendor; Insurance organizations.
Delivering Software Assurance: Delivering System Predictability and Reducing Uncertainty
Software Assurance (SwA) is a 3-step process:
1. Specify the Assurance Case: enable the supplier to make bounded assurance claims about the safety, security and/or dependability of systems, products or services.
2. Obtain Evidence for the Assurance Case: perform a software assurance assessment to justify claims of meeting a set of requirements through a structure of sub-claims, arguments, and supporting evidence. Collecting evidence and verifying claims' compliance is a complex and costly process.
3. Use the Assurance Case to calculate and mitigate risk: examine non-compliant claims and their evidence to calculate risk and identify courses of action to mitigate it. Each stakeholder will have its own risk assessment, e.g. security, liability, performance, compliance.
Currently, the SwA 3-step process is informal, subjective and manual due to the lack of comprehensive tooling and formalized specifications.
The Software Assurance Ecosystem: achieving more objectivity and automation
The Software Assurance Ecosystem: Turning Challenge into Solution
- The SwA Ecosystem is a formal framework for the analysis and exchange of information related to software security and trustworthiness.
- It provides a technical environment where formalized claims, arguments and evidence can be brought together with formalized and abstracted software system representations to support highly automated, high-fidelity analysis.
- Based entirely on ISO/OMG open standards:
  - Semantics of Business Vocabulary and Rules (SBVR)
  - Knowledge Discovery Meta-model (KDM)
  - Software Assurance Meta-model (SAM), work in progress: Software Assurance Evidence Metamodel submissions received; Software Assurance Claims & Arguments Metamodel RFP in progress
- Architected with a focus on providing fundamental improvements in analysis.
Leveraging what we already have through the SwA Ecosystem
- The Software Assurance Ecosystem enables industry and government to leverage and connect existing policies, practices, processes and tools in an affordable and efficient manner.
- The key enabler is the Software Assurance (SwA) Ecosystem Infrastructure: an open standard-based integrated tooling environment that dramatically reduces the cost of software assurance activities.
- Integrates 3+1 different communities for a SwA solution: Formal Methods, Reverse Engineering and Static Analysis, and Dynamic Analysis.
- Enables different tool types to interoperate.
- Introduces many new vendors to the ecosystem, because they each leverage parts of the tool chain.
Software Assurance Ecosystem: The Formal Framework
The value of formalization extends beyond software systems to include the related software system process, people and documentation.
(Diagram, reconstructed as text.)
- Inputs: Software System Artifacts; Requirements/Design Docs & Artifacts; Hardware Environment; Process Docs & Artifacts.
- Specification sources (IA Controls, Protection Profiles, CWE) are turned into Formalized Specifications and then Executable Specifications.
- Software System / Architecture Evaluation, producing software system technical evidence: many integrated and highly automated tools to assist evaluators; claims and evidence in a formal vocabulary; combination of tools and ISO/OMG standards; standardized software system representation in KDM; large-scope capable (system of systems); iterative extraction and analysis for rules.
- Process, People & Documentation Evaluation Environment, producing process, people and documentation evidence: some point tools to assist evaluators, but mainly manual work; claims in formal SBVR vocabulary; evidence in formal SBVR vocabulary; large scope requires large effort.
- Claims, Arguments and Evidence Repository: formalized in SBVR vocabulary; automated verification of claims against evidence; highly automated and sophisticated risk assessments using transitive inter-evidence point relationships.
- Outputs: Reports (Risk Analysis, etc.).
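The three-step process (specify the case, verify claims against evidence, assess risk from non-compliant claims) and the repository's automated, transitive verification of claims against evidence, as an added Python illustration; this is not KDM Analytics' tooling or an OMG metamodel, and every claim, evidence item and risk weight below is constructed sample data.

```python
# Added illustration of the three-step assurance-case process on these slides; not
# KDM Analytics' tooling or an OMG metamodel. All names and weights are constructed.
from dataclasses import dataclass, field

@dataclass
class Evidence:
    name: str        # e.g. a tool report or an audit result
    satisfied: bool  # the fact holds for this artifact

@dataclass
class Claim:
    """Justified when its direct evidence is satisfied AND every sub-claim is
    supported; the sub-claim structure is the argument."""
    text: str
    evidence: list = field(default_factory=list)
    subclaims: list = field(default_factory=list)
    risk_weight: int = 1  # stakeholder-specific cost of this claim being unmet

def supported(claim):
    """Step 2: verify a claim against evidence, transitively through sub-claims."""
    return (all(e.satisfied for e in claim.evidence)
            and all(supported(c) for c in claim.subclaims))

def non_compliant(claim):
    """Claims whose own evidence fails; a parent failing only through a child
    is not reported, so each gap is counted once."""
    found = [claim] if not all(e.satisfied for e in claim.evidence) else []
    for c in claim.subclaims:
        found.extend(non_compliant(c))
    return found

def residual_risk(claim):
    """Step 3: additive risk score over the non-compliant claims."""
    return sum(c.risk_weight for c in non_compliant(claim))

# Step 1: specify the assurance case (constructed sample).
CASE = Claim("Application is free of exploitable memory-safety weaknesses", subclaims=[
    Claim("All CWE-based static-analysis findings are triaged",
          evidence=[Evidence("analysis report reviewed", True)]),
    Claim("Inputs are bounds-checked at trust boundaries",
          evidence=[Evidence("code review sign-off", False)], risk_weight=5),
    Claim("Release build enables compiler hardening",
          evidence=[Evidence("build log checked", True)]),
])

if __name__ == "__main__":
    for c in non_compliant(CASE):
        print("non-compliant:", c.text)
    print("case supported:", supported(CASE), "| residual risk:", residual_risk(CASE))
```

Each stakeholder can substitute its own risk weights (e.g. liability versus performance) without changing the claim structure, which is the separation the slides describe.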
The Software Assurance Ecosystem in Action
From CWE Taxonomy to CWE Executable Specification
(Diagram: Taxonomy -> Formalized Specification -> Executable Specification.)
Continuous Assurance: Integrated within SDLC Control Points
(Diagram, reconstructed as text.)
- Automated analysis of: quality defects; software reliability defects; security vulnerabilities; security policies; design rules; architecture rules.
- Information value chain feedback loop through customized reporting to stakeholders: Developers; Development Management; Security Engineering; Management; T&E; Software Architects.
- Feedback delivered: visibility into best-practices implementation in the software lifecycle; security analysis supporting security policies and risk management (Security Engineering and Audit); assessment based on the established Assurance Case (quality, reliability, security); architecture understanding, architecture robustness and rules; reporting on policy/rule violations; policy/rule creation and administration.
- Policy enforcement on data: data discovered in the context of developer code.
- System watchdog: continuous integration to verify that nothing is sneaking into the delivery software stream.
- Driven by Executable Specifications.
3rd Party Evaluation of Applications: LAB Environment
The open standard-based SwA ecosystem can be leveraged to increase the deployability of tested applications. The following is the workflow and steps for an established "software vulnerability assurance case":
- use software assurance tools to perform CWE-based analyses of the application
- increase accuracy by building and applying exploit tests where a weakness is identified
- provide virtual patches to mitigate the effect of vulnerabilities
- package the application and virtual patch into a deployable solution, creating a win-win situation for both supplier and consumer
Steps:
1. Perform binary extraction into KDM
2. Perform CWE analysis (typical lab operation: report vulnerabilities found)
3. Build exploits for found vulnerabilities
4. Test the executable using the exploits (addition of exploit generation and testing: removes false positives so that more accurate information goes back to the supplier, and generates the virtual patch; report vulnerabilities found)
5. Use virtual patching to mitigate vulnerabilities
6. Test the executable using the virtual patches
7. Package the executable with virtual patches for deployment (addition of virtual patching)
Two bad choices for suppliers: go back and fix vulnerabilities, or deploy and expose outstanding vulnerabilities to the community.
Best choice for suppliers and consumers: go back and fix vulnerabilities and, in the meantime, deploy safely with virtual patches, NOT exposing outstanding vulnerabilities.