Assuring the secure adoption of a new technology, assessing your software supply chain for risks, and hunting for vulnerabilities in your infrastructure are all complex and challenging tasks – but ones that are critical to securing your business or government agency. Having specialized, automated tools that are seamlessly integrated using standard methods and interfaces can significantly reduce the complexity of these activities while increasing speed to capability. In particular, leveraging a software assurance ecosystem of integrated tools has proven to be an effective approach to managing security needs at an industrial scale. One example of a standards-based software assurance ecosystem effort can be found at the Object Management Group in the form of the System Assurance Platform Level Task Force. Headed by Djenana Campara of KDM Analytics, the Task Force aims to establish a common framework for analysis and exchange of information related to system assurance and trustworthiness. Ms. Campara has incorporated the work of this Task Force into her company’s products that provide risk analytics. I was intrigued by how she combined risk analytics and model-based systems engineering to provide enterprise level risk assessments and thought the subject was worth exploring, especially given how risk management approaches are really moving to the forefront of needs given the software supply chain problems that seem to be coming up on a regular basis. So check out this Active Cyber™ interview with Ms. Campara below. You can also learn more by listening to this Active Cyber™ podcast or visiting the Spotlight article found here.

Spotlight on Ms. Djenana Campara

» Title: President & Chief Executive Officer, KDM Analytics

» Website: https://www.kdmanalytics.com

» LinkedIn: https://www.linkedin.com/in/djenana-campara-4610252

Read her bio below.


Chris Daly, Active Cyber™: It seems that the industry has moved away from Common Criteria and similar software evaluation approaches. It also seems that the industry has moved from one-time tech evaluations of security targets to operational evaluations of systems and continuous assessment solutions like RMF, devsecops, zero trust, XDR. What standards and approaches do you see playing a key role today in improving software assurance and assessing the risk of software systems?

Djenana Campara, President & Chief Executive Officer, KDM Analytics: These solutions all have one thing in common: the need to assess a system’s security posture and determine appropriate safeguards. This is complicated by the evolution of software in IT and now OT systems, which are vastly complex – as well as the evolution of the prescribed security management frameworks. There are some key issues with all the frameworks: they are high-level and descriptive in nature, and therefore open to interpretations, and subjective. Software Assurance, and later System Assurance, are put together to bring more detailed structure and formalism to parts of these frameworks for the purposes of objectivity and automation. We have moved beyond software assurance, into system assurance. In my opinion, one really cannot fully understand the security posture of a system by assessing software vulnerabilities only. Vulnerabilities need to be further evaluated in the context of the system’s operational, logical, and physical architecture and overall security requirements, and connected to the risks identified by performing a top-down risk assessment. Put another way, it calls for integration between risk assessment and system/software assurance methodologies. That is what we, at the Object Management Group (OMG) System Assurance Task Force, are currently working on – unfortunately, the pandemic did slow us down.

Active Cyber™: Architecture driven modernization is something listed in your past history. What is architecture driven modernization (ADM) and how does it help software assurance?

Ms. Campara: That’s a blast from the past – ADM is a Task Force (TF) established almost 20 years ago. For the first 10 years, I co-chaired the TF. In the early 2000s, there was not much of an appetite for security investment outside of Government. So, in order to do any work related to security, we needed to find common ground with some other discipline, and we found that common ground with the modernization of legacy systems. In both cases – either identifying software patterns for transformation or software vulnerabilities for mitigation – we needed language-agnostic, intermediate representation of software, and that is how our first standard Knowledge Discovery Metamodel (KDM) was born. We had 12 companies collaborating (including IBM, MicroFocus, EDS …) and 30 organizations contributing to the spec. Later, KDM was fast-tracked into ISO and became the ISO/IEC 19506 standard.

Active Cyber™: What is the OMG’s knowledge discovery metamodel (KDM)? What role does it play in ADM and how can it help drive better software assurance?

Ms. Campara: KDM was the foundation for building reverse engineering tools needed for vulnerability analysis in software assurance or for identification of software patterns to modernize legacy systems. It also served as the foundation for additional specifications in the areas of software metrics and software patterns. Companies used those specs to build tools for software security metrics and identification of Software Fault Patterns.

Active Cyber™: What is the software assurance (SwA) ecosystem and how can it help improve software security? What is its key value proposition? How does the SwA approach work with testing web APIs? Does SwA work with DAST tools?

Ms. Campara: The term is actually System Software Assurance Ecosystem; however, it was a mouthful, so we shortened it to Software Assurance Ecosystem. I’ve been working in the cybersecurity space for more than 20 years. From the very beginning, I realized the complexity and challenges involved in addressing the space – not one organization or silo of products could address it alone. The only chance I saw to produce an integrated solution was through collaboration among multiple security products that extend and/or build on each other’s knowledge to address some of the complexity and challenges of the cybersecurity space. That realization drove me to standard organizations like OMG to start working on the set of standards that would help with seamless integration of silo products. The Software Assurance Ecosystem addresses that need. It integrates a set of standards based on the same technology, and any tools supporting these standards could be integrated seamlessly almost out-of-the-box – that includes DAST tools.

Active Cyber™: What you said in 2007 seems to still apply today – i.e., the tooling industry which provides enabling technologies to build secure software systems has not kept pace with the software system evolution – is there hope that this will change in the next 5-10 years?

Ms. Campara: My short answer would be NO! For the last 20 years, I was waiting for some miracle that would drastically change the attitudes of consumers and producers of cybersecurity technology. Here is the reality: cyber space is a constant battle between Defenders and Offenders. The Defenders need defences 100% right at all times. Defenders include consumers and producers of cybersecurity. Most consumers still see cybersecurity as a cost and approach it more from a checkmark position – they still think that firewall and encryption are good enough: check! Meanwhile, the producers of cybersecurity products are not interested in collaboration to create a more beneficial solution for consumers; they are focused on monetizing their silos. They are also not encouraged by consumers to collaborate among themselves through standards. On the other side are the Offenders, who need to be right only once to break the Defence! They achieve success by sharing knowledge among themselves and building on each other’s knowledge. So, we defenders have a lot of catching up to do in terms of collaboration.

Active Cyber™: Recent Executive Orders on cybersecurity and supply chain assurance reflect attempts to fix long-standing problems that have come to roost in dramatic fashion in 2020-2021. How can a software assurance ecosystem and KDM-based approach help to remedy some of the issues identified in the Executive Orders and how do they fulfill some of the initiatives identified in the Orders?

Ms. Campara: An Executive Order is a step in the right direction, especially the calls for information and data sharing, and Enhancing Software Supply Chain Security. As I previously stated, the SwA Ecosystem is all about data sharing among tools that play in the cybersecurity space, extending and/or building on each other’s strength and knowledge to produce data for a system’s risk evaluation in an automated fashion. Most of that ecosystem is implemented in our (KDM Analytics) Blade Risk Analytics Solution, which works with a system’s operational, logical, and physical architecture, including automated risk assessment of third-party components and prioritizing the focus of safeguarding efforts.

Active Cyber™: How can we reduce the costs of system assurance while also addressing the complexity of modern systems which tends to drive up evaluation costs? At a certain point is it just too hard to do?

Ms. Campara: Automation, automation, and automation! I can’t stress it enough: automation brings the scale, objectivity, and repeatability necessary to get this right. It is not too hard to do – we have done it, and we continue to develop automated solutions.

Active Cyber™: How does the KDM Analytics offering – The Blade Risk Analytics Suite – help produce more secure software and improve system risk assessments? Is it based on a particular standard?

Ms. Campara: The Blade Solution comprises two products, Blade OneReport (BOR) and Blade RiskManager (BRM). It is based on several standards that are part of, and integrated through, the Software Assurance Ecosystem. That means both products are integrated with other products, some from digital engineering and some from software assurance, to produce an effective, AUTOMATED cybersecurity assessment solution. I’ll give you an example: BRM can consume system models expressed in OMG standards such as SysML or UAF. These models are created utilizing tools from different organizations like MagicDraw from NoMagic, Enterprise Architect from Sparx, and so on. Once consumed, these models are assessed for completeness and correctness from the perspective of a cause-and-effect story to determine the level of confidence in the resulting risk assessment outcome (part of the System Assurance standard). BRM continues to utilize these models to perform automated risk analysis and suggest the mitigations based on NIST 800-53 Security Control standards. It also produces a prioritized list of vulnerability conditions related to the identified risks. These vulnerability conditions are automatically mapped through a Software Fault Patterns standard to Common Weakness Enumerations (CWEs) and given to code scanners to hunt for them for the purpose of elimination. This method of top-down risk assessment produces a targeted list for bottom-up vulnerability analysis for the purpose of risk mitigation. In this way, the solution assists a system’s stakeholders in the decision-making process by identifying where they should focus their mitigation efforts, budget, and resources.

Active Cyber™: What is the intended audience for KDM Analytics’ Blade RiskManager? What type of training or scope of need and understanding is needed to fully leverage the product? Is it primarily a tool for cyber assessment vendors?

Ms. Campara: BRM’s “sweet spot” is to take part in digital engineering throughout a system’s entire lifecycle – meaning from the time an organization starts designing the system and defining security requirements, through performing what-if scenarios to identify the most optimal mitigation options and assess their effectiveness; performing residual and compliance assessments to determine readiness for deployment; re-assessing the risk during operations when new threats are identified or when the security architecture needs change; and so on. BRM can be involved at every step and applied at any point in a system’s lifecycle. The value of this kind of automation is that you don’t need Subject Matter Experts (SMEs) doing all the work, all the time. An organization can deploy cybersecurity SMEs to tailor the solution’s cybersecurity knowledge base for their family of systems, and less-senior assessors can operate the tool to produce the reports. We have Computer Based Training (CBT) with video demonstration of the tasks that is deployed with the product. So far, we have had great feedback related to the quick learning curve of the solution.

Active Cyber™: How do you apply AI and ML in your products to improve the quality and timeliness of Software Assurance assessments?

Ms. Campara: Well, until now, risk assessment has been one of the manual activities performed only by experts. Figuring out how a system can be attacked requires a lot of interpretation and understanding to determine how a given system can be attacked and to identify conditions for direct and multi-stage attacks targeting critical assets. In other words, it’s a very complex and specialized task to construct a risk model for a given system. This is where we applied AI to automate, prioritize, and quantify cyber security risk.


Thank you Djenana for providing some really interesting insight on how KDM Analytics is approaching the security marketplace and how your risk management products can really help enterprises and government agencies to better identify and mitigate risks through a digital engineering approach. It seems to me that the engineering approach you take is really the optimal approach to handling software supply chain risk which is a critical threat vector in today’s global world. My subscribers and visitors can find more information about KDM Analytics by listening to the podcast here or checking out this Active Cyber™ Spotlight article on the Blade Risk Analytics Suite.

And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email chrisdaly@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Ms. Djenana Campara

Djenana Campara is President, CEO and Founder of KDM Analytics, which provides software that automates cyber risk assessment. Ms. Campara has 30 years of experience in software and security engineering and serves on the board of directors of the Object Management Group (OMG), an international standards body, and co-chairs OMG’s Systems Assurance Task Force, which publishes industry standards for cyber security and systems assurance. She previously served on the Technical Advisory Panel of the National Institute for Standards and Technology (NIST) and as a Board Member of the Canadian Consortium of Software Engineering Research (CSER), an industry-directed research program that creates a collaborative environment for industry, researchers, and students in IT. Ms. Campara has presented to the Committee on Improving Cybersecurity Research at the National Academies in Washington, D.C., and the Telecom Board of the National Academy of Science. Previously, Ms. Campara was CTO and Board Chair at Klocwork, a company she successfully spun out from Nortel Networks. She also served as Klocwork’s CEO, securing funding and establishing its customer base. Ms. Campara has been awarded four U.S. patents for her ground-breaking static analysis and formalization techniques that were implemented in Klocwork’s products. She graduated from the University of Sarajevo with a B.Sc. in electrical engineering and computer science.

 

Agile risk assessment at industrial scale

Operational technology (OT) systems now connect operations and maintenance equipment to information technology (IT) infrastructures. Doing so enables increased automation and real-time, data-driven decision making. Increased connectivity also amplifies risk, exposing critical infrastructure systems—and entire operations—to new opportunities for cyber attack.

Traditionally, assessing system risk has been a manual process conducted near the end of system development. The approach is costly in terms of time and labour, disruptive to the built system, and produces inconsistent and unrepeatable results. The KDM Analytics Blade Risk Analysis Solution addresses this gap in cybersecurity with automated risk assessment that supports iterative Agile development.

Automation means that, for the first time, risk assessments can be conducted at industrial scale, where each subsequent project is exponentially more efficient due to reuse of rules and templates. Teams of people with specialized skills working on multiple projects can further increase productivity and dramatically reduce the cost of risk assessments.


The solution excels when integrated into the lifecycle management experience of a cyber system, especially so in the context of Model-Based Systems Engineering (MBSE) and digital engineering. It empowers design teams and security officers to focus on risk mitigation and system assurance as they build rather than incurring the cost and disruption of obtaining and addressing risk assessment information after the fact.

Iterative minimum viable mitigation

The Blade Risk Analysis Solution is based on a systematic, repeatable, and traceable methodology that helps engineers identify the minimum viable mitigation strategy to implement high-priority safeguards and controls. When the solution is integrated into the digital engineering process, it follows the lifecycle of system engineering, integrating risk assessment and mitigation throughout system development. This iterative approach supports Agile methodologies and minimizes the impact of risk assessment by addressing vulnerabilities as they arise. With ranked mitigation options provided throughout the development process, design teams can rapidly consider and integrate safeguards as they go.


In comparison to conducting risk assessment and mitigation in a “big bang” approach post-development, the Agile use of the Blade Risk Analysis Solution also helps ensure a more secure system outcome by building in risk mitigation rather than tacking it on after the system is in a solid state.

Top-down, bottom-up analysis

The solution is comprehensive and can be integrated from the architecture and design phase through all stages of software development. It comprises two products: Blade RiskManager (BRM) provides a system-level, top-down risk analysis. Blade OneReport (BOR) provides detailed bottom-up vulnerability analysis based on the system architecture. The total solution provides evidence-based analytics that reveal:

• How a system can be attacked,
• Threats and undesired events that can impact operations,
• Impacts of those attacks,
• Prioritized list of actions based on evidence to precisely target risk management efforts.

Because it is automated, repeatable, and rapid, the solution can run numerous risk analyses throughout the software development cycle, as follows:

• BRM is deployed early, at the system architecture and design phase as well as any time the architecture is modified. The risk model is updated automatically every time a digital twin of the system is changed.
• BOR—which integrates with commercial and open-source software development tools—is deployed periodically during the system build and can be cadenced with Agile sprints.

The Blade Risk Analysis Solution enables system development organizations to automate, prioritize, and quantify cybersecurity risk. It stores, assesses, manages, and traces all evidence regarding operational and system risk and identified vulnerabilities.

Using the intelligence provided by the comprehensive risk analysis, engineering teams are empowered to focus on the path forward from the risk information the solution generates. Integrating the solution into the software development lifecycle provides greater security at lower system impact compared to costly and regressive post-development, “big-bang” risk analysis.


Automation allows for the integration of continuous risk analysis into the development life cycle. It brings industrial-scale practices to security engineering and risk compliance by dramatically reducing the cost of risk assessments as well as the cost of training.

The Blade Risk Analysis Solution is an industrial-scale technology of particular interest to organizations that routinely perform multiple risk assessments for families of systems, and re-certifications.

For details and a product demonstration, visit www.kdmanalytics.com.