Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis

Alec Summers (The MITRE Corporation, US), Chris Madden (Yahoo Product Security Team, IE)

Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse and extensive experience in software assurance and vulnerability management, as well as cyber operations, assessments, and supply chain risk management. He is MITRE’s CVE and CWE Project Leader, managing teams that support vulnerability and weakness research & analysis, content production, program coordination, infrastructure and services development, and community engagement across a global stakeholder community comprising industry, government, and academia. He also serves as the moderator for the CVE Board.

Chris Madden is a software engineer and system architect building secure trustworthy software at scale for embedded and cloud for 30+ years. He likes to understand things deeply - and uses data analysis and dumb questions to build that understanding. He’s not big on titles, hierarchy or status quo. He does his best work while asleep or on a mountain bike. He works at Yahoo Product Security team. Yahoo delivers value to customers through software; Chris exists to help developers deliver high quality software efficiently and securely. His primary focus is Risk-based prioritization at scale across the DevSecOps pipeline. He led an effort with some industry thought leaders to publish a Risk-based prioritization guide: https://riskbasedprioritization.githu.... He is now applying LLMs to reduce toil and improve CVE enrichment and capturing his learnings in a guide: https://cybersecai.github.io/ / chrisamadden

Root cause mapping is the identification of the underlying cause(s) of a vulnerability. This is best done by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. Accurate root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This enables trend analysis where a valuable feedback loop into SDLC or architecture design planning can help remove whole classes of vulnerabilities in organizations’ products. However, widespread adoption of root cause mapping has been elusive due to several challenges including CWE usability, completeness, the diversity of terminology interpretation, and organizational resource constraints, to name a few.

This presentation touches on the value of root cause mapping and recognizes recent adoption in the CNA community, before exploring what is being done to address existing challenges and develop practical solutions. Additionally, we evaluate the performance of a grounded large language model (LLM) tool against the CWE Top 25 Most Dangerous Software Weaknesses dataset. The comparative analysis sheds light on the viability of advancements in LLM capabilities in helping to scale decentralized root cause mapping throughout the vulnerability management ecosystem, offering actionable insights for practitioners and researchers alike.