Date Published: November 2019
Comments Due:
Email Questions to:
Author(s)
Kelley Dempsey (NIST), Eduardo Takamura (NIST), Paul Eavy (DHS), George Moore
Announcement
When known software vulnerabilities are unmanaged, uncorrected, or undetected, attack vectors are left open to exploit the software. As a result, vulnerable software becomes a key target that attackers can use to initiate an attack on an organization’s network and expand control to attack other components on the network. By managing these vulnerabilities, the level of effort needed to initiate such an attack and expand control to other components on the network is greatly increased. Automated assessment of known software vulnerabilities and weaknesses helps verify that the software vulnerability management capability is working. To facilitate this effort, NIST and DHS researchers have developed an automated process to assess the effectiveness of the security controls that provide the information security capability known as Software Vulnerability Management (VULN), the focus of which is to manage risk created by defects present in software on the network.
This is the initial public draft release of NIST Internal Report (NISTIR) 8011 Volume 4, Automation Support for Security Control Assessments: Software Vulnerability Management. This NISTIR provides an operational approach for automating security control assessments to manage vulnerabilities in software. This approach is consistent with the NIST Risk Management Framework as described in NIST Special Publication (SP) 800-37 and the guidance in NIST SPs 800-53 and 800-53A, in particular. A total of 13 volumes are planned for NISTIR 8011. Volumes 1 and 2 were published in 2017, and Volume 3 was published in 2018. Volume 4 provides details specific to the software vulnerability management security capability. Subsequent volumes will provide details specific to each capability and will be organized similarly to Volumes 2 through 4.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 4 of NISTIR 8011, addresses the management of risk created by defects present in software on the network. Software vulnerability management, in the scope of this document, focuses on known defects that have been discovered in software in use on a system. The Common Weakness Enumeration (CWE) provides identifiers for weaknesses that result from poor coding practices and have the potential to result in software vulnerabilities. The Common Vulnerabilities and Exposures (CVEs) program provides a list of many known vulnerabilities. Together, CVE and CWE are used to identify software defects and the weaknesses that cause a given defect. Vulnerable software is a key target that attackers use to initiate an attack internally and to expand control. Patching vulnerabilities discovered in existing software and improving coding practices for future releases of software are two ways to limit the success of attacks.
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST...
See full abstract
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 4 of NISTIR 8011, addresses the management of risk created by defects present in software on the network. Software vulnerability management, in the scope of this document, focuses on known defects that have been discovered in software in use on a system. The Common Weakness Enumeration (CWE) provides identifiers for weaknesses that result from poor coding practices and have the potential to result in software vulnerabilities. The Common Vulnerabilities and Exposures (CVEs) program provides a list of many known vulnerabilities. Together, CVE and CWE are used to identify software defects and the weaknesses that cause a given defect. Vulnerable software is a key target that attackers use to initiate an attack internally and to expand control. Patching vulnerabilities discovered in existing software and improving coding practices for future releases of software are two ways to limit the success of attacks.
Hide full abstract
Keywords
actual state; assessment; authorization boundary; automation; capability; Common Vulnerability and Exposure (CVE); Common Weakness Enumeration (CWE); dashboard; defect; desired state specification; dynamic code analyzer; Information Security Continuous Monitoring (ISCM); malicious code; malware; mitigation; ongoing assessment; patch management; root cause analysis; security capability; security control item; security control; software file; Software Identification (SWID) tag; software injection; software product; software vulnerability; software weakness; software; static code analyzer
Control Families
None selected
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
