The document discusses standards and specifications related to modeling assurance cases, including the Argumentation Metamodel (ARM), Software Assurance Evidence Metamodel (SAEM), and Structured Assurance Case Metamodel (SACM). ARM and SAEM were previously separate specifications that are now combined into SACM, which provides a metamodel for structured assurance cases. Other related standards include the Semantic Business Vocabulary and Rules (SBVR) and Knowledge Discovery Metamodel (KDM). The SACM specification aims to support modeling assurance arguments and evidence for demonstrating the trustworthiness of software systems.
18. International Telecommunication Union
ITU-T X.1520
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(01/2014)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Vulnerability/state exchange
Common vulnerabilities and exposures
Recommendation ITU-T X.1520
International Telecommunication Union
UIT-T X.1520
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(04/2011)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Vulnerability/state exchange
Common vulnerabilities and exposures
Recommendation UIT-T X.1520
International Telecommunication Union
UIT-T X.1520
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(04/2011)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Vulnerability/state exchange
Common vulnerabilities and exposures
Recommendation UIT-T X.1520
International Telecommunication Union
ITU-T X.1521
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(03/2016)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Vulnerability/state exchange
Common vulnerability scoring system 3.0
Recommendation ITU-T X.1521
33. International Telecommunication Union
ITU-T X.1525
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(04/2015)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Vulnerability/state exchange
Common weakness scoring system
Recommendation ITU-T X.1525
34. International Telecommunication Union
ITU-T X.1524
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(03/2012)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Vulnerability/state exchange
Common weakness enumeration
Recommendation ITU-T X.1524
International Telecommunication Union
ITU-T X.1544
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(04/2013)
SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Event/incident/heuristics exchange
Common attack pattern enumeration and classification
Recommendation ITU-T X.1544
36. CWSS for Top 25 Ground System CWEs

| CWE ID | CWE Title | CWSS |
|---|---|---|
| 23 | Relative Path Traversal | 23.63885 |
| 88 | Argument Injection or Modification | 12.369 |
| 20 | Improper Input Validation | 12.121 |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 11.0295 |
| 73 | External Control of File Name or Path | 10.2465 |
| 835 | Loop with Unreachable Exit Condition ('Infinite Loop') | 10.135125 |
| 772 | Missing Release of Resource after Effective Lifetime | 10.0035 |
| 833 | Deadlock | 9.804375 |
| 764 | Multiple Locks of a Critical Resource | 9.804375 |
| 421 | Race Condition During Access to Alternate Channel | 9.696375 |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 9.57825 |
| 732 | Incorrect Permission Assignment for Critical Resource | 9.57825 |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 9.3555 |
| 251 | Often Misused: String Management | 9.288 |
| 788 | Access of Memory Location After End of Buffer | 9.288 |
| 787 | Out-of-bounds Write | 9.288 |
| 134 | Uncontrolled Format String | 9.288 |
| 131 | Incorrect Calculation of Buffer Size | 9.288 |
| 805 | Buffer Access with Incorrect Length Value | 9.288 |
| 192 | Integer Coercion Error | 8.68725 |
| 197 | Numeric Truncation Error | 8.68725 |
| 681 | Incorrect Conversion between Numeric Types | 8.68725 |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | 8.68725 |
| 290 | Authentication Bypass by Spoofing | 8.68725 |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 8.5201875 |
CWSS for Top 25 Flight System CWEs

| CWE ID | CWE Title | CWSS |
|---|---|---|
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 10.64475 |
| 772 | Missing Release of Resource after Effective Lifetime | 10.0035 |
| 134 | Uncontrolled Format String | 9.828 |
| 665 | Improper Initialization | 9.828 |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 9.828 |
| 251 | Often Misused: String Management | 9.828 |
| 131 | Incorrect Calculation of Buffer Size | 9.828 |
| 805 | Buffer Access with Incorrect Length Value | 9.828 |
| 788 | Access of Memory Location After End of Buffer | 9.828 |
| 787 | Out-of-bounds Write | 9.828 |
| 764 | Multiple Locks of a Critical Resource | 9.804375 |
| 833 | Deadlock | 9.804375 |
| 20 | Improper Input Validation | 9.6985 |
| 835 | Loop with Unreachable Exit Condition ('Infinite Loop') | 9.244125 |
| 122 | Heap-based Buffer Overflow | 8.964 |
| 121 | Stack-based Buffer Overflow | 8.964 |
| 190 | Integer Overflow or Wraparound | 8.964 |
| 129 | Improper Validation of Array Index | 8.964 |
| 170 | Improper Null Termination | 8.802 |
| 197 | Numeric Truncation Error | 8.68725 |
| 457 | Use of Uninitialized Variable | 8.68725 |
| 416 | Use After Free | 8.68725 |
| 681 | Incorrect Conversion between Numeric Types | 8.68725 |
| 192 | Integer Coercion Error | 8.68725 |
| 468 | Incorrect Pointer Scaling | 8.68725 |
45. Software artifacts across the lifecycle (diagram): CONOPS, Requirements, Architecture, Design, Code, Binary, Running Binary; surrounding context: Environment, Use of SW, Process; lifecycle phases: Concept, Architecture, Design, Code, Operate.
59. Date: August 2010
Argumentation Metamodel (ARM)
FTF - Beta 1
OMG Document Number: ptc/2010-08-36
Standard document URL: http://www.omg.org/spec/ARM
Associated Schema Files:
sysa/2010-03-16 -- http://www.omg.org/spec/ARM/20100301
sysa/2010-03-17 -- http://www.omg.org/spec/ARM/20100302
This OMG document replaces the submission document (sysa/2010-03-05, Alpha). It is an OMG Adopted Beta Specification and is currently in the finalization phase. Comments on the content of this document are welcome, and should be directed to issues@omg.org by February 1, 2011.

You may view the pending issues for this specification from the OMG revision issues web page http://www.omg.org/issues/.

The FTF Recommendation and Report for this specification will be published on July 1, 2011. If you are reading this after that date, please download the available specification from the OMG Specifications Catalog.
Date: August 2010
Software Assurance Evidence Metamodel
(SAEM)
FTF - Beta 1
OMG Document Number: ptc/2010-08-37
Standard document URL: http://www.omg.org/spec/SAEM
Associated Schema Files:
sysa/2010-02-02 -- http://www.omg.org/spec/SAEM/20100201
sysa/2010-02-03 -- http://www.omg.org/spec/SAEM/20100202
sysa/2010-02-04 -- http://www.omg.org/spec/SAEM/20100203
sysa/2010-02-05 -- http://www.omg.org/spec/SAEM/20100204
This OMG document replaces the submission document (sysa/2010-03-05, Alpha). It is an OMG Adopted Beta Specification and is currently in the finalization phase. Comments on the content of this document are welcome, and should be directed to issues@omg.org by February 1, 2011.

You may view the pending issues for this specification from the OMG revision issues web page http://www.omg.org/issues/.

The FTF Recommendation and Report for this specification will be published on July 1, 2011. If you are reading this after that date, please download the available specification from the OMG Specifications Catalog.
60. Related OMG specifications (diagram): ARM (Argumentation Metamodel), SBVR (Semantic Business Vocabulary & Rules), KDM (Knowledge Discovery Metamodel), SAEM (Software Assurance Evidence Metamodel), SACM (Structured Assurance Case Metamodel).
Date: April 2012
Structured Assurance Case Metamodel
(SACM)
FTF - Convenience Document 1
OMG Document Number: ptc/2012-04-04
Standard document URL: http://www.omg.org/spec/SACM
Associated Schema Files:
sysa/2010-03-16 -- http://www.omg.org/spec/ARM/20100301
sysa/2010-03-17 -- http://www.omg.org/spec/ARM/20100302
sysa/2010-02-02 -- http://www.omg.org/spec/SAEM/20100201
sysa/2010-02-03 -- http://www.omg.org/spec/SAEM/20100202
sysa/2010-02-04 -- http://www.omg.org/spec/SAEM/20100203
sysa/2010-02-05 -- http://www.omg.org/spec/SAEM/20100204
This OMG document replaces the individual adopted specifications (ptc/2010-08-36, ARM, Beta 1 and ptc/2010-08-37, SAEM, Beta 1). It is an OMG Adopted Beta Specification and is currently in the finalization phase. Comments on the content of this document are welcome, and should be directed to issues@omg.org by February 1, 2011.

You may view the pending issues for this specification from the OMG revision issues web page http://www.omg.org/issues/.

The FTF Recommendation and Report for this specification will be published on July 24, 2012. If you are reading this after that date, please download the available specification from the OMG Specifications Catalog.