™

™ © 2006, KDM Analytics

Software Assurance Ecosystem and its

ApplicationsDjenana Campara

Chief Executive Officer, KDM AnalyticsBoard Director, Object Management Group (OMG)

Co-Chair Software Assurance and Architecture Driven Modernization, OMG

© 2007, KDM Analytics

™

Agenda

Software Assurance Definition - OMG and Government Initiative The Assurance Case

Software Assurance Ecosystem Introduction and Current State Enabling Technologies ISO/OMG Tooling Standards Detailed View of the Ecosystem

Software Assurance Ecosystem in Action

© 2007, KDM Analytics

™

Software Assurance

© 2007, KDM Analytics

™

Software Assurance

Definition The justified confidence that the system functions as intended and is

free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the lifecycle”

[National Defense Industrial Association -NDIA].

Basic Principals For each software artifact of interest, there exist a set of claims

(generally related to safety and security) about the software artifact, a set of facts (collectively called evidence) about the software artifact, and a set of assurance arguments that use the evidence to show that the software artifact does, in fact, satisfy the claims.

The Justified Confidence is presented through Assurance Case: set of auditable claims, arguments and evidence created to support the

contention that a defined system/service will satisfy the particular requirements through supporting arguments and evidence

© 2007, KDM Analytics

™

Assurance Case: Claims, Arguments & Evidence Exchanged Among SwA Participants

Procurement agency

Certification agency

Audit agency

Software Supplier

Software Integrator

Courts of law Legislators

Software Tool VendorInsurance organizations

Claims

Arguments

EvidenceConsumers

© 2007, KDM Analytics

™

Delivering Software Assurance:Delivering System Predictability and Reducing Uncertainty

Software Assurance (SwA) is 3 step process1. Specify Assurance Case

Enable supplier to make bounded assurance claims about safety, security and/or dependability of systems, product or services

2. Obtain Evidence for Assurance Case perform software assurance assessment to justify claims of meeting

a set of requirements through a structure of sub-claims, arguments, and supporting evidence

Collecting Evidence and verifying claims’ compliance is complex and costly process

3. Use Assurance Case to calculate and mitigate risk Exam non compliant claims and their evidence to calculate risk and

identify course of actions to mitigate it Each stakeholder will have own risk assessment – e.g. security,

liability, performance, compliance

Currently, SwA 3 step process is informal, subjective & manual due to lack of comprehensive tooling and formalized

specifications

© 2007, KDM Analytics

™

The Software Assurance Ecosystem – achieving more objectivity and

automation

© 2007, KDM Analytics

™

The Software Assurance Ecosystem: Turning Challenge into Solution

SwA Ecosystem is a formal framework for analysis and exchange of information related to software security and trustworthiness

Provides a technical environment where formalized claims, arguments and evidence can be brought together with formalized and abstracted software system representations to support high automation and high fidelity analysis.

Based entirely on ISO/OMG Open Standards Semantics of Business Vocabulary and Rules (SBVR) Knowledge Discovery Meta-model (KDM) Software Assurance Meta-model (SAM) – work in progress

Software Assurance Evidence Metamodel submissions received Software Assurance Claims & Arguments Metamodel RFP in progress

Architected with a focus on providing fundamental improvements in analysis

© 2007, KDM Analytics

™

Leveraging what we already have through SwA Ecosystem

Software Assurance Ecosystem enables industry and government to leverage and connect existing policies, practices, processes and tools, in an affordable and efficient manner

The key enabler is the Software Assurance (SwA) Ecosystem Infrastructure

an open standard-based integrated tooling environment that dramatically reduces the cost of software assurance activities

Integrates 3+1 different communities: Formal Methods, Reverse Engineering and Static Analysis, and Dynamic Analysis for a SwA solution

Enables different tool types to interoperate Introduces many new vendors to ecosystem because they each

leverage parts of the tool chain

© 2007, KDM Analytics

™

Process, People,documentationEvidence

Software System / Architecture Evaluation Many integrated & highly automated tools to assist evaluators Claims and Evidence in Formal vocabulary Combination of tools and ISO/OMG standards Standardized SW System Representation In KDM Large scope capable (system of systems) Iterative extraction and analysis for rules

Executable Specifications

FormalizedSpecifications

Software systemTechnical Evidence

Software System Artifacts

Requirements/Design Docs & Artifacts

Hardware Environment

Process Docs & Artifacts

Process, People & Documentation Evaluation Environment Some point tools to assist evaluators but mainly manual work Claims in Formal SBVR vocabulary Evidence in Formal SBVR vocabulary Large scope requires large effort

IA Controls

Protection Profiles

CWE

Claims, Arguments and Evidence Repository

- Formalized in SBVR vocabulary- Automated verification of claims

against evidence- Highly automated and sophisticated

risk assessments using transitive inter-evidence point relationships

Software Assurance Ecosystem: The Formal FrameworkThe value of formalization extends beyond software systems to include related software system process, people and

documentation

ReportsRisk Analysis, etc)

© 2007, KDM Analytics

™

The Software Assurance Ecosystem

in Action

© 2007, KDM Analytics

™

From CWE Taxonomy to CWE Executable Specification

Taxonomy

Formalize

d

Specification Executable

Specification

© 2007, KDM Analytics

™

DevelopersAutomated Analysis of:• Quality defects• SW reliability defects• Security vulnerabilities• Security policies• Design rules • Architecture rules

Security EngineeringManagement

T&ESoftwareArchitects

DevelopmentManagement

Information Value Chain Feedback Loop through CustomizedReporting

Visibility into Best Practices

implementation in software lifecycle

Security Analysis supporting security

policies & risk management (Security Engineering and Audit)

Assessment based on established Assurance

Case(quality, reliability,

security)

Architecture understanding,

architecture robustness & rules

Reporting on Policies/

Rules violations

Policies/Rules Creation &

Administration

Continuous Assurance: Integrated within SDLC control points

Policy enforcement on Data - Data discovered in context

developer code

System watchdog: continuous integration to verify that nothing is sneaking into the delivery software stream

ExecutableSpecificatio

ns

© 2007, KDM Analytics

™

The Open standard-based SwA ecosystem can be leveraged to increase deployability of tested applications. The following are workflow and steps for established “sw vulnerability assurance case”:

use of software assurance tools to perform CWE-based analyzes of application increase accuracy through building and applying exploit testing where weakness identified provide virtual patches to mitigate effect of vulnerabilities package application and virtual patch into deployable solution creating WIN-WIN situation for both supplier and consumer

Perform Binary extraction into KDM

Perform CWE Analysis

Build exploits for found vulnerabilities

Test Executable using exploits

Use Virtual patching to mitigate vulnerabilities

Test Executable using virtual patches

Package Executable with virtual patches for deployment

Typical Lab

Operation

Report Vulnerabilities found

Report Vulnerabilities found

Addition of Exploit Generation and

Testing

Addition of Virtual Patching

Two Bad Choices for suppliers: Go back and fix vulnerabilities or, deploy and expose outstanding vulnerabilities to community

Removes false positives so that more accurate info goes back to supplier & generate virtual patch

Best Choice for Suppliers and consumers: Go back and fix vulnerabilities and, safe deploy with virtual patches and NOT expose outstanding vulnerabilities

3rd Party Evaluation of Applications – LAB Environment