Date Published: April 2020
Planning Note (02/22/2023):
The NIST Risk Management Framework (RMF) team seeks feedback on our NIST IR 8011 series publications and their use.
See the Call for Feedback to learn more details about what we would like to know. Feedback can be sent to 8011comments@list.nist.gov; there is no closing date.
Author(s)
Kelley Dempsey (NIST), Eduardo Takamura (NIST), Paul Eavy (DHS), George Moore
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 4 of NISTIR 8011, addresses the management of risk created by defects present in software on the network. Software vulnerability management, in the scope of this document, focuses on known defects that have been discovered in software in use on a system. The Common Weakness Enumeration (CWE) provides identifiers for weaknesses that result from poor coding practices and have the potential to result in software vulnerabilities. The Common Vulnerabilities and Exposures (CVEs) program provides a list of many known vulnerabilities. Together, CVE and CWE are used to identify software defects and the weaknesses that caused a given defect. Vulnerable software is a key target that attackers use to initiate an attack internally and to expand control. Patching vulnerabilities discovered in existing software and improving coding practices for future releases of software are two ways to limit the success of attacks.
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST...
See full abstract
The NISTIR 8011 capability-specific volumes focus on the automation of security control assessment within each individual information security capability. They add tangible detail to the more general overview given in NISTIR 8011 Volume 1, providing a template for transition to a detailed, NIST standards-compliant automated assessment. This document, Volume 4 of NISTIR 8011, addresses the management of risk created by defects present in software on the network. Software vulnerability management, in the scope of this document, focuses on known defects that have been discovered in software in use on a system. The Common Weakness Enumeration (CWE) provides identifiers for weaknesses that result from poor coding practices and have the potential to result in software vulnerabilities. The Common Vulnerabilities and Exposures (CVEs) program provides a list of many known vulnerabilities. Together, CVE and CWE are used to identify software defects and the weaknesses that caused a given defect. Vulnerable software is a key target that attackers use to initiate an attack internally and to expand control. Patching vulnerabilities discovered in existing software and improving coding practices for future releases of software are two ways to limit the success of attacks.
Hide full abstract
Keywords
actual state; assessment; authorization boundary; automation; capability; Common Vulnerability and Exposure (CVE); Common Weakness Enumeration (CWE); dashboard; defect; desired state specification; dynamic code analyzer; Information Security Continuous Monitoring (ISCM); malicious code; malware; mitigation; ongoing assessment; patch management; root cause analysis; security capability; security control item; security control; software file; Software Identification (SWID) tag; software injection; software product; software vulnerability; software weakness; software; static code analyzer
Control Families
None selected
