Security Engineering (SVE) Workbench


Security Vulnerability Explorer Tool

The Security Vulnerability Explorer (SVE) is a software tool for Security Engineers involved in researching security vulnerabilities and weaknesses related to computer hardware and software. The tool helps in understanding the various ways computer information systems are susceptible to attack, and in identifying the measures necessary to avoid or mitigate the risk of defects and weaknesses that may be introduced in the design, coding, integration or operation of computer information systems.

The tool may be used as a learning aid, as part of a Vulnerability Assessment, as part of planning for security testing, as part of the follow-up to the discovery of a vulnerability, or as part of an investigation of a security incident.

To perform these Security Assessments, Security Engineers consult a number of authoritative reference documents concerned with Security Vulnerabilities and Weaknesses. The base documents for vulnerability assessment or vulnerability analysis include: the Mitre Common Weakness Enumeration (CWE), the Mitre Common Attack Pattern Enumeration and Classification (CAPEC), the National Vulnerability Database (NVD), the Mitre Common Vulnerabilities and Exposures (CVE) list, as well as industry documents from organizations such as the Open Web Application Security Project (OWASP), and more.

The SVE tool provides a convenient way for the Security Engineer to explore the information in this grouping of reference information.

Security Vulnerability Analysis Process Review

Table #1 below provides an overview of the Vulnerability analysis process and information resources. The left side of the table shows the basic process where security engineers perform a variety of tasks to identify, advise and provision remediations that map to relevant vulnerabilities and weaknesses on information systems and assets. The right side of the table calls out reference information used by security engineers.

Table #1 - Security Vulnerability Analysis

[Table #1 images: SVE Document Map, with the Tool Process on the left and the Document Tree on the right]

As shown on the right side of Table #1 above, the primary document for the SVE tool is Mitre CWE. Each entry in Mitre CWE represents a potential weakness or defect. Each entry contains detailed information about the weakness, along with direct and indirect references to other (secondary) documents in the document map. Each secondary reference contains detailed information of its own, as well as references to other secondary documents or back to the primary document.
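The document map above can be made concrete by reading a CWE entry and pulling out the fields the tool tabulates, including the links back out to the secondary documents. The following is an added example, not code from the SVE tool: the XML fragment is a constructed, abbreviated sample shaped like the published CWE XML (cwe-6 namespace), the CWE and CAPEC page URLs follow the public Mitre URL pattern, and the mapping from CWE Detection_Method names to the tool's three Assurance Strategy values is an assumption made for illustration.

```python
"""Turn CWE XML entries into explorer-style records with derived fields.

Added example, not part of the SVE tool. SAMPLE_CWE_XML is a CONSTRUCTED,
abbreviated fragment shaped like the published CWE XML (cwe-6 namespace).
ASSURANCE_MAP is an ASSUMED correlation of CWE detection methods to the
tool's "Assurance Strategy" values.
"""
import xml.etree.ElementTree as ET

NS = {"cwe": "http://cwe.mitre.org/cwe-6"}

# Ordinal the tool uses for its Exploit Likelihood filter; no element -> 1 ("Not Provided").
LIKELIHOOD_RANK = {"Low": 3, "Medium": 4, "High": 5}

# ASSUMPTION: how a Detection_Method name correlates to an assurance strategy.
ASSURANCE_MAP = {
    "Automated Static Analysis": "Static Analysis(SAST)",
    "Automated Dynamic Analysis": "Dynamic Analysis(DAST)",
    "Black Box": "Dynamic Analysis(DAST)",
    "Fuzzing": "Dynamic Analysis(DAST)",
    "Manual Analysis": "Design Review",
    "Architecture or Design Review": "Design Review",
}

# Constructed sample: real CWE IDs, abbreviated content.
SAMPLE_CWE_XML = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6" Name="CWE" Version="4.6">
  <Weaknesses>
    <Weakness ID="79" Name="Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" Abstraction="Base" Structure="Simple" Status="Stable">
      <Description>The product does not neutralize user-controllable input before placing it in a web page.</Description>
      <Likelihood_Of_Exploit>High</Likelihood_Of_Exploit>
      <Common_Consequences>
        <Consequence><Scope>Confidentiality</Scope><Impact>Read Application Data</Impact></Consequence>
        <Consequence><Scope>Integrity</Scope><Impact>Execute Unauthorized Code or Commands</Impact></Consequence>
      </Common_Consequences>
      <Detection_Methods>
        <Detection_Method><Method>Automated Static Analysis</Method><Effectiveness>Moderate</Effectiveness></Detection_Method>
        <Detection_Method><Method>Black Box</Method><Effectiveness>Moderate</Effectiveness></Detection_Method>
      </Detection_Methods>
      <Related_Attack_Patterns>
        <Related_Attack_Pattern CAPEC_ID="63"/>
        <Related_Attack_Pattern CAPEC_ID="588"/>
      </Related_Attack_Patterns>
    </Weakness>
    <Weakness ID="120" Name="Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" Abstraction="Base" Structure="Simple" Status="Incomplete">
      <Description>The product copies an input buffer to an output buffer without verifying that the input fits.</Description>
      <Likelihood_Of_Exploit>High</Likelihood_Of_Exploit>
      <Common_Consequences>
        <Consequence><Scope>Availability</Scope><Impact>DoS: Crash, Exit, or Restart</Impact></Consequence>
      </Common_Consequences>
      <Detection_Methods>
        <Detection_Method><Method>Fuzzing</Method><Effectiveness>High</Effectiveness></Detection_Method>
        <Detection_Method><Method>Manual Analysis</Method></Detection_Method>
      </Detection_Methods>
      <Related_Attack_Patterns>
        <Related_Attack_Pattern CAPEC_ID="100"/>
      </Related_Attack_Patterns>
    </Weakness>
  </Weaknesses>
</Weakness_Catalog>
"""


def parse_weaknesses(xml_text):
    """One record per Weakness: primary-document fields plus derived data
    (likelihood ordinal, assurance strategy, links to secondary documents)."""
    root = ET.fromstring(xml_text)
    records = []
    for w in root.iterfind(".//cwe:Weakness", NS):
        cwe_id = int(w.get("ID"))
        likelihood = w.findtext("cwe:Likelihood_Of_Exploit", default="Not Provided", namespaces=NS)
        methods = [m.text for m in w.iterfind("cwe:Detection_Methods/cwe:Detection_Method/cwe:Method", NS)]
        capec_ids = [int(r.get("CAPEC_ID")) for r in
                     w.iterfind("cwe:Related_Attack_Patterns/cwe:Related_Attack_Pattern", NS)]
        records.append({
            "cwe_id": cwe_id,
            "name": w.get("Name"),
            "likelihood": likelihood,
            "likelihood_rank": LIKELIHOOD_RANK.get(likelihood, 1),
            "impact": [i.text for i in w.iterfind("cwe:Common_Consequences/cwe:Consequence/cwe:Impact", NS)],
            "assurance": sorted({ASSURANCE_MAP[m] for m in methods if m in ASSURANCE_MAP}),
            "capec": capec_ids,
            # Derived links into the primary and secondary documents (public Mitre URL pattern).
            "cwe_url": f"https://cwe.mitre.org/data/definitions/{cwe_id}.html",
            "capec_urls": [f"https://capec.mitre.org/data/definitions/{c}.html" for c in capec_ids],
        })
    return records


def capec_to_cwe(records):
    """Reverse index: which primary (CWE) entries a secondary (CAPEC) entry points back to."""
    index = {}
    for r in records:
        for c in r["capec"]:
            index.setdefault(c, []).append(r["cwe_id"])
    return index


if __name__ == "__main__":
    for rec in parse_weaknesses(SAMPLE_CWE_XML):
        print(rec["cwe_id"], rec["likelihood_rank"], rec["assurance"], rec["capec_urls"])
```

The same parser runs unchanged over the full catalog download, since it only touches the `Weakness` elements and tolerates entries that lack a likelihood, detection methods or attack patterns; the reverse index is what lets a tool answer "which weaknesses does this attack pattern exercise" without a second data source.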

SVE Tool Overview

Table #2 below provides an overview of the SVE Tool. The user interface for the tool is a web browser. The display is divided into two sections: the upper section is the Header and the lower section is the Body, which holds the data.

Table #2 - SVE Tool Layout

[Table #2 image: SVE Layout]

The upper section of the browser window, or Header, contains information about the tool, including release-specific information, notes and acknowledgements. The lower section of the browser window, or Body, is the work area of the tool. The top of the Body contains pull-down menus, a search field and a set of column headers, one for each of the major fields in the output. The middle portion of the Body is a data table providing a tabular view of the CWE entries. The content and ordering of the data table vary depending on which, if any, of the filter, search and sort controls at the top of the Body have been activated. The bottom portion of the Body displays the number of rows shown on each browser page, the total number of CWE entries in the current display given the active filters, and a way to index each page in the current output set.

Each portion of the display is described in more detail below.

SVE Tool Detail

Security Vulnerability Explorer Tool - Upper Section

The upper section of the browser window, shown in Table #3 below, contains three areas of interest:
  1. Banner Area: Identifies the tool
  2. Information Page Toggle: provides a means to show/hide the Tool Information Table
  3. Tool Information Table: Identifies key information about the tool, including: tool version, revision date, contact information, general description of the tool, general usage tips, source documents, terms of use, and disclaimers.

Table #3 - SVE Browser Window - Upper Section

[Table #3 image: SVE Preamble]

The title of the tool is at the top. Information about the ownership, version and contact information is found in the left column. The left hand column also contains a basic document map associated with the tool. Basic usage instructions are located in the center column. Notes, Notices and Disclaimers about the tools, as well as terms and conditions from the owners of the information sources are located in the right column.

Security Vulnerability Explorer Tool - Lower Section

The Data Table (identified as item 8 in Table #4) is the focus of the tool. On initialization, the Data Table contains one row for each entry in the main reference document, along with related direct and indirect references. For the Security Vulnerability Explorer, the main reference document is the version of the Mitre Common Weakness Enumeration listed in the Tool Information Table. The data cells are constructed from information in the primary and secondary information sources, as well as derived data. A data cell may contain a single data element, grouped data elements or composite data. Derived data elements may include links to external references, data aggregated from one or more information sources, and knowledge insights. The size, content and order of the data table at any time depend on the user-driven operations described below.

The Lower Section of the browser window, shown in Table #4, contains the following areas of interest (the callout numbers used in Table #4 itself are given in the detailed descriptions that follow):

  1. Page and Data Format Buttons: provide the ability to show and hide specific data columns, options for selecting and deselecting data, and options for exporting data to the computer's clipboard, or to external files in CSV, PDF or Print format.
  2. Data Filters: provide the ability to filter the data to be displayed based on a number of predefined parameters.
  3. Text Search Data Entry Field: provides the ability to filter the data to be displayed using an operator-entered text string.
  4. Column Headers: identify the content in each column, and provide the ability to sort selected columns in ascending or descending order.
  5. Tool Data Content: one or more rows of data, grouped by column.
  6. Row Selectors: provide the ability to select individual rows. May be used in combination with the Select Data button (one of the Page and Data Format Buttons) to select groupings of rows from filtered data.
  7. Page Footer: describes the number of visible rows.
  8. Page Navigator: provides the ability to select the page shown, if there are multiple pages of data in the active display.

Table #4 - SVE Browser Window - Lower Section

[Table #4 image: SVE Data]

The headings and buttons at the top of the Data Table are used to manipulate the information in the Data Table.

  • Data Filters (item 5 in Table #4): The Data Filters are a series of pull-down menus that select and filter the data on the values corresponding to the label on each menu.

    SVE Data Filters include:

    • Mitre CWE ID
    • Mitre CWE Name
    • Exploit Likelihood: 1-Not Provided, 3-Low, 4-Medium, 5-High
    • Exploit Impact: as defined by Mitre CWE entry
    • Related Mitre CAPEC: as defined by Mitre CWE entry
    • Assurance Strategy: Design Review, Dynamic Analysis(DAST), Static Analysis(SAST), as correlated with reference sources
    • Reference Lists: as correlated with reference sources

  • Search Field (item 6 in Table #4): The search field selects and filters the data using free-form text.
  • Column Header Fields (item 7 in Table #4): The column headers identify the content in each column. A selected column can be sorted in ascending or descending order.

    SVE Data Columns include:

    • Select Checkbox
    • CWE Description and Reference Lists (Sortable, Default: Visible)
    • CWE Mitigation Guidance (Default: Visible)
    • Assurance Strategy (Sortable, Default: Visible)
    • Target Technology (Default: Not Visible)
    • Exploit Likelihood (Sortable, Default: Not Visible)
    • Related CAPEC (Default: Not Visible)

  • Row Selector Fields (item 9 in Table #4): The row selectors provide the ability to highlight and select rows of interest in the data portion of the display. The row selectors are used in combination with the Select Data and Export Data buttons to create custom output.
  • Page Footer Field (item 10 in Table #4): The footer displays the total number of rows to be displayed. The length of the display page can be adjusted with the "Show" pull-down menu in the Column Header portion of the page; the options are "10", "25", "50" or "100". The right side of the footer provides navigation across the pages to be displayed.

SVE Tool User Operations

The SVE tool is designed to support the security engineer in evaluating and selecting the weaknesses, and the attack patterns related to them, that are relevant to a specific problem. To do that the tool provides the means for the security engineer to search, sort, select and review the available information on weaknesses and attacks, and to export the findings for follow-up.

When the tool is invoked, the Data Area contains the default view of the entire security information base. The user may perform operations in any order:

  • Scrolling up/down to view the data elements
  • Setting/resetting the display page to 10, 25, 50 or 100 entries
  • Sorting a column by clicking on the column header. Nested sorting is achieved by sorting the desired columns from least significant to most significant
  • Filtering via Text Search, for example: "buffer overflow", "javascript", etc.
  • Filtering via drop-down menu
  • Opening a URL to access extended information in a cell
  • Highlighting/Selecting one or more rows of information by clicking the checkbox in the left column
  • Highlighting/Selecting sets of filtered data using the Select Data button
  • Exporting selected rows using the CSV, PDF, Print or Copy to Clipboard buttons within the Export Data button
  • Changing the displayable columns using the Column Visibility button
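The operations above, and the Export function described in the next section, reduce to a small set of table operations that are worth seeing in code, in particular the nested sort, which only works because each single-column sort is stable and therefore preserves the order set by the less significant sort applied before it. The following is an added example and not the SVE tool's own code; ROWS is a constructed sample in the shape of the tool's data table (real CWE IDs and names, but the likelihood, assurance, CAPEC and technology values are abbreviated sample data rather than a copy of the CWE entries), and the column names and helper functions are this example's own choices.

```python
"""Filter, nested-sort, select, paginate and export CWE-style table rows.

Added example, not code from the SVE tool. ROWS is a CONSTRUCTED sample
shaped like the tool's data table; column names and helpers are this
example's own choices.
"""
import csv
import io

# Ordinal used by the tool's Exploit Likelihood filter (1-Not Provided,
# 3-Low, 4-Medium, 5-High) so the column sorts by severity, not by text.
LIKELIHOOD_RANK = {"Not Provided": 1, "Low": 3, "Medium": 4, "High": 5}

ROWS = [  # constructed sample rows
    {"cwe_id": 79, "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
     "likelihood": "High", "assurance": "Dynamic Analysis(DAST)", "capec": [63, 588], "technology": "Web Based"},
    {"cwe_id": 89, "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
     "likelihood": "High", "assurance": "Static Analysis(SAST)", "capec": [66], "technology": "Database Server"},
    {"cwe_id": 120, "name": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')",
     "likelihood": "High", "assurance": "Static Analysis(SAST)", "capec": [100], "technology": "Not Technology-Specific"},
    {"cwe_id": 190, "name": "Integer Overflow or Wraparound",
     "likelihood": "Medium", "assurance": "Static Analysis(SAST)", "capec": [92], "technology": "Not Technology-Specific"},
    {"cwe_id": 362, "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
     "likelihood": "Medium", "assurance": "Design Review", "capec": [26, 29], "technology": "Not Technology-Specific"},
    {"cwe_id": 798, "name": "Use of Hard-coded Credentials",
     "likelihood": "Not Provided", "assurance": "Design Review", "capec": [70, 191], "technology": "Mobile"},
]


def _cell_text(value):
    """Render a cell as the text the free-form search sees."""
    return " ".join(str(v) for v in value) if isinstance(value, list) else str(value)


def filter_rows(rows, text=None, **menu):
    """Pull-down filters (column == value, or value present in a list column)
    combined with the free-text search (case-insensitive, across every cell)."""
    needle = text.lower() if text else None
    out = []
    for row in rows:
        ok = True
        for column, wanted in menu.items():
            cell = row[column]
            ok = wanted in cell if isinstance(cell, list) else cell == wanted
            if not ok:
                break
        if ok and needle is not None:
            ok = needle in " ".join(_cell_text(v) for v in row.values()).lower()
        if ok:
            out.append(row)
    return out


def _sort_key(column):
    if column == "likelihood":
        return lambda row: LIKELIHOOD_RANK.get(row["likelihood"], 1)
    return lambda row: row[column]


def nested_sort(rows, keys):
    """keys: [(column, descending), ...] listed from MOST to LEAST significant.
    The single-column sorts are applied from least to most significant, as the
    tool's usage note says; list.sort is stable (also with reverse=True), so
    each pass keeps the order the previous pass established within ties."""
    ordered = list(rows)
    for column, descending in reversed(keys):
        ordered.sort(key=_sort_key(column), reverse=descending)
    return ordered


def select_filtered(filtered):
    """Select Data -> Select Filtered: the selection is a set of row ids."""
    return {row["cwe_id"] for row in filtered}


def selected_rows(rows, selection):
    """Rows in the selection, in the table's current display order."""
    return [row for row in rows if row["cwe_id"] in selection]


def paginate(rows, page_size, page_number):
    """One display page (10/25/50/100 in the tool) plus the footer counts."""
    start = (page_number - 1) * page_size
    chunk = rows[start:start + page_size]
    footer = {"first": start + 1 if chunk else 0, "last": start + len(chunk),
              "total": len(rows), "pages": max(1, -(-len(rows) // page_size))}
    return chunk, footer


def export_csv(rows, columns):
    """CSV export of the chosen columns; list cells are joined with '; '."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(columns)
    for row in rows:
        writer.writerow(["; ".join(map(str, row[c])) if isinstance(row[c], list) else row[c]
                         for c in columns])
    return buf.getvalue()


if __name__ == "__main__":
    hits = filter_rows(ROWS, text="overflow")                    # text search
    ordered = nested_sort(ROWS, [("assurance", False), ("likelihood", True)])
    print(export_csv(selected_rows(ordered, select_filtered(hits)), ["cwe_id", "name", "capec"]))
```

Two details matter in practice: the likelihood column must sort on its ordinal rather than its label (otherwise "Not Provided" sorts between "Medium" and "Low"), and the export should be driven by the selection set, not by what happens to be on the current page, so that a Select Filtered followed by a page change still exports every matching row.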

SVE Export Data Function

The Export function is used to create and store a copy of some or all the data in the tool in PDF, CSV or Print formats. The export function operates on data that has been selected. There are two ways to select data: (1) clicking on the checkbox of one or more rows of data, or (2) use the filter or text search features of the tool to narrow the focus of the visible data and then use the Select Data function to either Select All Data or Select Filtered Data.

Table #5 below provides a visualization of the use of the Export function, where the user can select "Copy Selected to Clipboard", generate a "PDF" document, generate a spreadsheet file in the "CSV" (Comma Separated Value) format, or create a "Print" file for local or network printing. The "Copy to Clipboard" function requires the operator to select a destination application, such as Notepad, a word processing document or another application. The PDF, CSV or Print options automatically open a window in the corresponding application, assuming that the user's computer system has a compatible application.

Table #5 - SVE Export Data Function

[Table #5 image: SVE Export]

Sample Exercises

Refer to the SVE Exercise link from the Project homepage for examples.

Copyright © 2021, 2022 Jim Whitmore.

LAST UPDATE: 30 March 2022