Joe Jarzombek is the Director for Software Assurance within the National Cyber Security Division of the Department of Homeland Security. In this role he leads government interagency efforts with industry, academia, and standards organizations in addressing security needs in workforce education and training, more comprehensive diagnostic capabilities, and security-enhanced development and acquisition practices. Joe served in the U.S. Air Force as a Lieutenant Colonel in program management. After retiring from the Air Force, he worked in the cyber security industry as vice president for product and process engineering. Joe also served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position. He is a Project Management Professional (PMP) and a Certified Secure Software Lifecycle Professional (CSSLP). As an active member of Toastmasters International, Joe Jarzombek has served as International Director, and he is currently serving as Region Advisor Marketing.


Risk Analysis and Measurement with CWRAF

To better enable software stakeholders to reduce risks attributable to the most significant exploitable software weaknesses relevant to specific business/mission domains and technologies, the DHS NCSD SwA program sponsored the development of the Common Weakness Risk Analysis Framework (CWRAF). CWRAF applies the Common Weakness Scoring System (CWSS) scoring criteria to CWE entries to provide consistent measures for prioritizing risk mitigation efforts and focusing secure coding practices, enabling better-informed decision-making and the acquisition of more resilient software products and services. CWRAF enables targeted “Top-N” CWE lists that are relevant to the technologies used within specific business domains. Past Top 25 CWE lists have represented community collaboration efforts to prioritize the most exploitable constructs that make software vulnerable to attack or failure. Now, with CWRAF, business domains can use the scoring criteria with CWE to identify the exploitable weaknesses that are most significant to them, given what their software does for their business.
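The following is an added illustration of the domain-specific “Top-N” idea described above; it is not MITRE's CWRAF/CWSS implementation. It assumes a simplified model: each CWE is tagged with the technical impacts it can cause, each business-domain vignette assigns an importance to each impact, and a CWE's score for a vignette is the highest importance among its impacts. The CWE impact tags, vignette weights and the max-based aggregation are all constructed assumptions for the example.

```python
"""Simplified CWRAF-style Top-N ranking (illustrative, not MITRE's code)."""

# Constructed mapping of CWE -> technical impacts it can cause (assumption).
CWE_IMPACTS = {
    "CWE-79":  {"execute_code", "read_data", "bypass_protection"},  # XSS
    "CWE-89":  {"read_data", "modify_data", "execute_code"},        # SQL injection
    "CWE-120": {"execute_code", "dos"},                             # unchecked buffer copy
    "CWE-400": {"dos"},                                             # resource exhaustion
    "CWE-778": {"hide_activities"},                                 # insufficient logging
}

# Constructed vignettes: importance (0-10) of each technical impact to the domain.
VIGNETTES = {
    "web_banking": {
        "read_data": 10, "modify_data": 10, "execute_code": 8, "gain_privileges": 9,
        "bypass_protection": 9, "dos": 5, "hide_activities": 7,
    },
    "scada_control": {
        "dos": 10, "modify_data": 10, "execute_code": 9, "gain_privileges": 8,
        "bypass_protection": 7, "read_data": 3, "hide_activities": 6,
    },
}


def score_cwe(cwe_id, vignette):
    """Assumed aggregation: the CWE scores as its most important impact for the domain."""
    weights = VIGNETTES[vignette]
    impacts = CWE_IMPACTS[cwe_id]
    if not impacts:
        return 0
    return max(weights.get(impact, 0) for impact in impacts)


def top_n(vignette, n=3):
    """Return the domain-specific Top-N list as (cwe_id, score) tuples."""
    scored = [(cwe, score_cwe(cwe, vignette)) for cwe in CWE_IMPACTS]
    # Highest score first; tie-break on the numeric CWE id for a deterministic order.
    scored.sort(key=lambda item: (-item[1], int(item[0].split("-")[1])))
    return scored[:n]


if __name__ == "__main__":
    for name in VIGNETTES:
        print(name, top_n(name))
```

Running it shows the same CWE catalogue producing a different ordering for each domain: availability-focused control systems pull CWE-400 into the list while the banking vignette keeps CWE-79 at the top.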

The Common Weakness Enumeration (CWE) defines a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services that detect weaknesses in software. To encourage and recognize use of CWEs, MITRE has established the CWE Compatibility and Effectiveness Program. Phases 1 and 2 of the program establish that tool warnings accurately map to CWEs. Phase 3 establishes which CWEs a tool (or capability) can identify and locate via testing. In this session, we propose (1) ideas on what constitutes acceptable fundamental and broad test sets for Phase 3, and (2) that the SAMATE Reference Dataset (SRD) be the repository and access point for such test sets.

The CWE Coverage Claims Representation (CCR) is a lightweight schema that allows a software analysis tool and/or service provider to state claims as to those CWEs that their technology or process can discover. This session is targeted to tool/service vendors and tool/service consumers with the goal of refining the CCR model for public release. Issues to be addressed include the specificity of claims, “anti-claims,” and key use-cases for CCR.