On the 7/28 Virtualization Security Podcast, we were joined by Robert Martin of Mitre to discuss Mitre’s new CWE, CWSS, and CWRAF tools, which aid in software and system security evaluation. We put a decidedly cloud-based spin on the discussion of these tools to determine how they would be used by those who program within a PaaS environment, make use of SaaS, or use other cloud services.
We looked at three tools to determine how to use them within the cloud environment. They were:
- Common Weakness Enumeration or CWE available at cwe.mitre.org
- Common Weakness Scoring System or CWSS available at cwe.mitre.org/cwss
- Common Weakness Risk Assessment Framework or CWRAF available at cwe.mitre.org/cwraf
These tools impact several layers of the cloud, mostly in how cloud applications are built with security in mind, but also as a starting point for discussing cloud security with vendors and amongst your own organization. Unlike the
CWE and CWSS, on the other hand, are pure programming tools; as such they should live within PaaS environments and development processes such as DevOps. There is currently a lack of tools to programmatically use CWE and CWSS, but they can definitely be used in their current state as part of a checklist for testing, QA, and security-based code reviews.
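One way to use CWSS programmatically in a review checklist is to score each CWE-tagged finding and rank them. The following is an added example, not code from the podcast, Mitre, or the CWSS specification; it assumes the CWSS 1.0.1 subscore formulas and factor weights written into it (verify them against the specification at cwe.mitre.org/cwss), and its findings are constructed sample data.

```python
# Added example (not from the podcast or from MITRE): rank code-review findings
# by CWSS score. Assumption: the CWSS 1.0.1 subscore formulas and weights below,
# Score = Base (0-100) * AttackSurface (0-1) * Environmental (0-1).

def base_finding(ti, ap, al, ic, fc):
    """Base Finding subscore: technical impact, acquired privilege and layer,
    internal control effectiveness, finding confidence (each 0.0-1.0)."""
    f_ti = 0.0 if ti == 0 else 1.0          # no technical impact => zero
    return (10 * ti + 5 * (ap + al) + 5 * fc) * f_ti * ic * 4.0


def attack_surface(rp, rl, av, as_, in_, sc):
    """Attack Surface subscore: required privilege and layer, access vector,
    authentication strength, level of interaction, deployment scope."""
    return (20 * (rp + rl + av) + 20 * sc + 15 * in_ + 5 * as_) / 100.0


def environmental(bi, di, ex, ec, p):
    """Environmental subscore: business impact, likelihood of discovery and
    of exploit, external control effectiveness, prevalence."""
    f_bi = 0.0 if bi == 0 else 1.0          # no business impact => zero
    return (10 * bi + 3 * di + 4 * ex + 3 * p) * f_bi * ec / 20.0


def cwss_score(finding):
    """Combine the three subscores for one finding (a dict of factor values)."""
    b = base_finding(*(finding[k] for k in ("TI", "AP", "AL", "IC", "FC")))
    a = attack_surface(*(finding[k] for k in ("RP", "RL", "AV", "AS", "IN", "SC")))
    e = environmental(*(finding[k] for k in ("BI", "DI", "EX", "EC", "P")))
    return round(b * a * e, 1)


def prioritize(findings):
    """Return (cwe_id, score) pairs, highest first, for a review checklist."""
    return sorted(((f["cwe"], cwss_score(f)) for f in findings),
                  key=lambda t: t[1], reverse=True)


# Constructed sample findings (not real review data). Every factor at 1.0 is
# the worst case and scores the maximum of 100.
WORST_CASE = {"cwe": "CWE-placeholder", "TI": 1, "AP": 1, "AL": 1, "IC": 1,
              "FC": 1, "RP": 1, "RL": 1, "AV": 1, "AS": 1, "IN": 1, "SC": 1,
              "BI": 1, "DI": 1, "EX": 1, "EC": 1, "P": 1}
SAMPLE_FINDINGS = [
    dict(WORST_CASE, cwe="CWE-89", IC=0.5, AS=0.5, EC=0.8),  # partly mitigated
    dict(WORST_CASE, cwe="CWE-79", TI=0.6, AP=0.6, BI=0.6),  # lower impact
    dict(WORST_CASE, BI=0),                                  # no business impact
]

if __name__ == "__main__":
    for cwe, score in prioritize(SAMPLE_FINDINGS):
        print(f"{cwe}: {score}")
```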
These tools are a step forward, and anyone involved in development should make use of them as well as CVE.
Does your organization’s development process include a security code review today?