Automated Source Code Measure for Data Protection
CISQ has a Working Group to create an Automated Source Code Data Protection Measure based on a collection of relevant CWEs (software weaknesses) that would be used to support enterprise and supply chain needs in protecting data, confidential information, IP, and privacy.
In the specification, the team is including CWEs associated with enabling data leakage – those that have CWSS technical impacts that enable unauthorized access to read/modify data.
This new standard would be highly relevant to GDPR, CCPA, as well as CMMC (for CUI protection), so we would spotlight the relevance of CWE for enterprises seeking to comply with regulatory guidance associated with data protection and privacy. Many organizations will be undergoing process assessments associated with CMMC, GDPR, CCPA, ISO 27001, NIST SP 800-53 r5, NIST SP 800-171, etc. Scanning code that will run or is running in enterprises (on systems and devices that process or transmit data) would determine whether the systems or devices enable data leakage. If so, then such a scan would reveal whether the data protection/privacy controls associated with the process assessment were inadequately implemented.
Use cases could be developed for Software Development, Acceptance Testing of Third-Party Software, and Audit/IV&V.
As a follow-on effort, CISQ seeks to align this measure with the ISO/IEC 25000 series (25010 software product quality characteristics) to specify Data Protection as a sub-characteristic of Security.
This project began in May 2020 and the team will submit a specification to OMG in November 2020.
- Dr. Bill Curtis, CISQ
- Joe Jarzombek, Synopsys
- Bob Martin, MITRE
- Paul Seay, Northrop Grumman
- Philippe-Emmanuel Douziech, CAST
- Paul Rainey, CGI
- Alec Summers, MITRE
- Steve Christey Coley, MITRE