Explainable Vulnerabilities Descriptions with NIST BF
In 2013, Bojanova inspired the publication of "They Know Your Weaknesses - Do You?: Reintroducing Common Weakness Enumeration", which argued for a fundamentally better approach to organizing and describing software weaknesses. She then initiated the NIST Bugs Framework (BF) project to develop a new methodology for precisely classifying software bugs and weaknesses, enabling explainable descriptions of the vulnerabilities that exploit them. See also: "Bug, Fault, Error, or Weakness: Demystifying Software Security Vulnerabilities" and "Heartbleed Revisited: Is it just a Buffer Over-Read?".
This lecture defines the key notions behind BF, discusses commonly used repositories of software weaknesses and vulnerabilities (e.g., CWE and CVE), and presents BF's methodology, goals, features, and potential impacts. Participants will gain hands-on experience in how to:
- Use BF's taxonomy to precisely describe the underlying weaknesses of vulnerabilities (CVEs).
- Use BF classes and BF vulnerability descriptions in ML and AI projects on software failures and risks.
- Collaborate with BF researchers to create new BF classes and mappings to CWE entries.
Participants will learn how BF can be used to improve communication about software vulnerabilities, increase the precision of code review tools, reduce bugs and weaknesses in software, and better guard cyberspace against cyber-attacks.
Instructor
Irena Bojanova
Irena Bojanova is a computer scientist at the US National Institute of Standards and Technology (NIST). She is the Principal Investigator (PI) and Lead of the Bugs Framework (BF) project (https://samate.nist.gov/BF/). She is also a Professor of Information Technology at Johns Hopkins Carey Business School. Her research interests are in formal methods, distributed systems, and computer security. Bojanova is an IEEE Senior Member and is currently the Editor of the Cybersecurity column of the IEEE IT Professional magazine, the Chair of the Magazine Operations Committee (MOC) of the IEEE Computer Society (CS), an ex officio member of the IEEE CS Board of Governors (BoG), and a General Chair of STC 2023. She has served as a General Co-Chair of ISSRE 2015, QRS 2017, and STC 2017 & 2022; Chair of the COMPSAC 2018-2022 IT in Practice Symposium; and Co-Chair of the ISoLA 2020 Software Verification track.
Publication Year: 2022