Codenomicon announces CWE support for its test tools
September 16th, 2009
Among many other improvements, Defensics 3 introduced two new features to help prioritize security issues found in testing. The new Defensics architecture and test generation engine ensure that these and other new functionalities are automatically integrated into all future protocol fuzzers from Codenomicon. CWE categorization was integrated to facilitate the identification of weakness types using industry-standard naming conventions. An automatically calculated CVSS score estimates the impact of the weaknesses found. With the features now fully implemented, Codenomicon has declared to Mitre its intent to provide CWE-compatible solutions.
CWE (Common Weakness Enumeration) is the industry-standard method for describing vulnerabilities. It provides a valuable source of information for root cause analysis when a failure is detected in a communication device during a fuzz test. Combined with the CVSS scoring metrics, CWE facilitates failure prioritization, and the impact of the failure on the software or the device being tested is easy to analyze. The CWE database also enables testers to quickly learn more about the vulnerability at hand, enabling them to better advise developers on potential causes of vulnerabilities. CWE is a community effort coordinated by Mitre.
CVSS (Common Vulnerability Scoring System) provides easy-to-adjust metrics for estimating the threat and impact of a specific vulnerability. For example, it can inform testers whether the interface is openly exposed to remote access, and whether there are any limiting factors that make exploitation harder. The higher the CVSS score, the more critical the vulnerability. CVSS was introduced by the Forum of Incident Response and Security Teams (FIRST) and the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).
Mitre has also coordinated two other significant efforts for security related databases: CVE and CAPEC. There are currently no plans to integrate these into Codenomicon Defensics.
The CVE (Common Vulnerabilities and Exposures) directory is a metric for reactive security tools; however, it has very little significance for fuzzing. CVE entries are mapped to known vulnerabilities, and they are useful for tools like security scanners and IDS systems. If mapped CVE entries are used in fuzz test cases, then the latest vulnerabilities are ignored in testing, creating a false sense of confidence in the user. However, if you do find a security problem using fuzzing, it is recommended to use a CVE identifier to identify the flaw, in order to help the reactive security industry validate that the correct security measures are in place.
CAPEC (Common Attack Pattern Enumeration and Classification) is another reactive security database, and it is used to identify attacks. CAPEC is not very useful for fuzzing either, because fuzzing looks for new, previously unknown flaws and does not necessarily observe the means of exploitation at all. Almost everything found with fuzzing is remotely exploitable, and therefore the actual functionality of the exploit is not limited to any single CAPEC category. CAPEC is rather a categorization of known exploit functionalities.
For more information on CWE:
http://cwe.mitre.org/
For more information on CVSS:
http://www.first.org/cvss/
For more information on CVE:
http://cve.mitre.org/
For more information on CAPEC:
http://capec.mitre.org/