Making Security Measurable is an initiative of the U.S. non-profit organisation MITRE. The site is easy to navigate and provides links to standards-related initiatives dealing with 15 closely interrelated security elements. I recommend visiting makingsecuritymeasurable to learn about current proposals for describing and exchanging security information.
This site is based on three basic ideas:
- "We can't manage what we don't measure."
- "We need to share more information to succeed in our current challenges."
- "In order to share information, we need to use a common language, a protocol, a mechanism of exchange."
It introduces five major themes in information security:
- Quality assurance in software development and applications.
- Threat analysis.
- Vulnerability management.
- Protection against malicious code and system & network analysis.
- Incident management and reporting.
Each of these five broad specialities presents three specific areas with useful links either to their basic principles or to current implementation initiatives. Browsing through all these pages, it is evident that, more than a common language, we need several different ones, such as those dedicated to vulnerabilities:
- The type dictionary (CVE).
- The evaluation system (CWSS).
- The vulnerability-based risk management framework (CWRAF).
- Classification of typical attack patterns (CAPEC).
Similar frameworks are beginning to be built for threats (e.g. STIX), malware (MAEC), attacks (OpenIOC) and incidents (MILE, IODEF).
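The practical value of these shared dictionaries is that two parties can correlate their data only if they name things the same way. The following is an added example (not code from MITRE or from the Making Security Measurable site) that normalises CVE, CWE and CAPEC identifiers and joins a constructed vulnerability-scanner feed with a constructed threat-report feed on the CVE identifier. The identifier syntaxes follow the published formats (CVE-YYYY-NNNN with four or more digits, CWE-N, CAPEC-N); all identifier values, host names and records in the sample data are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Identifier syntaxes of the three dictionaries named in the post.
# These regexes are this example's own, not MITRE code.
_ID_PATTERNS = {
    "CVE": re.compile(r"^CVE-(\d{4})-(\d{4,})$"),   # year, then 4+ digit sequence
    "CWE": re.compile(r"^CWE-(\d+)$"),
    "CAPEC": re.compile(r"^CAPEC-(\d+)$"),
}


def normalize_id(raw: str) -> Optional[str]:
    """Return the canonical form of a CVE/CWE/CAPEC identifier, or None when
    the string is not syntactically valid. Case and surrounding whitespace are
    ignored so that 'cve-2099-12345' and ' CVE-2099-12345 ' mean the same entry."""
    candidate = raw.strip().upper()
    for prefix, pattern in _ID_PATTERNS.items():
        if candidate.startswith(prefix + "-") and pattern.match(candidate):
            return candidate
    return None


def correlate(scanner_findings: List[Dict], threat_reports: List[Dict]) -> Dict:
    """Join two feeds on the normalised CVE identifier.

    Returns {"matched": {cve: {"hosts": set, "capec": set}}, "unmatched": [raw ids]}.
    Findings whose identifier does not parse are collected under "unmatched"
    rather than silently dropped, so a malformed feed is visible to the analyst."""
    by_cve: Dict[str, Dict] = {}
    unmatched: List[str] = []
    for finding in scanner_findings:
        cve = normalize_id(finding["id"])
        if cve is None or not cve.startswith("CVE-"):
            unmatched.append(finding["id"])
            continue
        entry = by_cve.setdefault(cve, {"hosts": set(), "capec": set()})
        entry["hosts"].add(finding["host"])
    for report in threat_reports:
        cve = normalize_id(report["cve"])
        if cve not in by_cve:
            continue  # reported CVE not present in our estate; nothing to enrich
        for raw_capec in report["capec"]:
            capec = normalize_id(raw_capec)
            if capec is not None:
                by_cve[cve]["capec"].add(capec)
    return {"matched": by_cve, "unmatched": unmatched}


# Constructed sample data: the identifiers below are placeholders, not real entries.
SCANNER_FINDINGS = [
    {"host": "web-01", "id": "cve-2099-12345"},      # lower case, as some tools emit
    {"host": "web-02", "id": " CVE-2099-12345 "},    # stray whitespace
    {"host": "db-01", "id": "CVE-2099-0042"},
    {"host": "app-01", "id": "CVE-99-1"},            # malformed, must surface as unmatched
]
THREAT_REPORTS = [
    {"cve": "CVE-2099-12345", "capec": ["capec-66", "CAPEC-153"]},
    {"cve": "CVE-2099-99999", "capec": ["CAPEC-1"]},  # not in our estate
]

if __name__ == "__main__":
    result = correlate(SCANNER_FINDINGS, THREAT_REPORTS)
    for cve, info in sorted(result["matched"].items()):
        print(cve, "hosts:", sorted(info["hosts"]), "attack patterns:", sorted(info["capec"]))
    print("unmatched identifiers:", result["unmatched"])
```

The join succeeds for the two hosts that spell the same CVE differently only because both sides were normalised to the dictionary's canonical form first; the malformed identifier is reported rather than dropped, which is the behaviour you want when one feed stops following the agreed syntax.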
In summary, the information linked from the makingsecuritymeasurable site can help formalise, measure and justify proposals to improve security for our customers and to share data between different industry players. The final question is how many of these initiatives will mature and really become an industry standard. Time will tell.
A version in Spanish of this post will be located here in this publication. Stay tuned!
Figure: Making security visible