MITRE offers recommendation-tracker software and free one-day course

* MITRE makes security tool and course available to all, for free


As networks grow, operations management becomes increasingly complex. Operations managers need to keep track of vulnerabilities, patches, and interactions of applications software with operating systems.

See for example NIST Special Publication (SP) 800-40 Version 2.0, “Creating a Patch and Vulnerability Management Program” by Peter Mell, Tiffany Bergeron and David Henning (November 2005).

Application programmers need to test their software for a bewildering list of possible flaws using systematic automated testing. Today I’m presenting some useful free tools to help operations managers and programmers improve security.

One of the great names in systems engineering research is MITRE Corp., which was founded in 1958. With more than 6,000 employees, the company has contributed so much to the nation that its list of honors and awards stretches for pages. One of its latest contributions is the release of Recommendation Tracker (RT) software, which is available free to all.

MITRE describes RT as “an open source program that facilitates development of automated security benchmarks. System administrators use benchmarks — essentially a set of recommendations — to securely configure an operating system or software application and then set up automatic testing to ensure proper configuration. The new edition of RT has features that support the collaborative process of benchmark creation, including taking ordinary textual input and producing output in the standardized XML-based language, XCCDF. Combined, these features make it easier and more efficient to generate and implement benchmarks.”

The press release goes on to describe the context for RT, and I have added links for readers interested in learning more about each of the MITRE contributions they enumerate:

The RT is just the latest tool developed by MITRE in the last 10 years to help the security community produce automated, standardized benchmarks. The not-for-profit organization has developed four of the six security standards which comprise the National Institute of Standards and Technology's Security Content Automation Protocol, or SCAP. The four standards are:

* Common Vulnerabilities and Exposures (CVE)

* Open Vulnerability and Assessment Language (OVAL)

* Common Platform Enumeration (CPE)

* Common Configuration Enumeration (CCE)
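The press release describes RT as taking ordinary textual input and producing XCCDF, with the rules tied to the SCAP identifiers listed above. The script below is an added illustration of that text-to-XCCDF step, written for this column; it is not RT's code and does not reproduce RT's input format. The "key: value" input layout, the two example recommendations, the platform CPE name and the CCE and OVAL identifiers are all constructed for the example (syntactically valid, but not real registry entries). It emits an XCCDF 1.1 Benchmark with one Rule per recommendation, each carrying its CCE ident and an OVAL check reference, and then parses the result back the way a consuming scanner would.

```python
"""Build an XCCDF 1.1 benchmark from a plain-text list of recommendations.

Added illustration of the text-to-XCCDF step that a tool like MITRE's
Recommendation Tracker automates.  This is not RT's code; the input
format, the example rules and the CCE/OVAL/CPE identifiers below are
constructed for the example (valid syntax, not real registry entries).
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"          # XCCDF 1.1 namespace
CCE_SYSTEM = "http://cce.mitre.org"                        # ident system URI for CCE ids
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = "{%s}" % XCCDF_NS

# Constructed input: "key: value" lines, one blank line between recommendations.
SAMPLE_TEXT = """\
id: password-min-length
title: Set minimum password length to 14 characters
description: Short passwords fall to offline guessing.
severity: medium
cce: CCE-0000-0
oval: oval:org.example:def:1

id: disable-telnet
title: Disable the telnet service
description: telnet sends credentials in cleartext; use SSH instead.
severity: high
oval: oval:org.example:def:2
"""

ALLOWED_KEYS = {"id", "title", "description", "severity", "cce", "oval"}
REQUIRED_KEYS = ("id", "title", "oval")
SEVERITIES = {"unknown", "info", "low", "medium", "high"}  # XCCDF Rule severities


def parse_recommendations(text):
    """Return a list of dicts, one per blank-line-separated block.

    Unknown keys, missing required keys and bad severities are errors:
    a benchmark that silently lost its check reference would "pass"
    everything, which is worse than a parse failure.
    """
    recs = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            key = key.strip()
            if not sep or key not in ALLOWED_KEYS:
                raise ValueError("unrecognised line: %r" % line)
            rec[key] = value.strip()
        for key in REQUIRED_KEYS:
            if key not in rec:
                raise ValueError("recommendation missing %r: %r" % (key, rec))
        if rec.get("severity", "unknown") not in SEVERITIES:
            raise ValueError("bad severity in %r" % rec["id"])
        recs.append(rec)
    return recs


def build_benchmark(recs, benchmark_id, platform_cpe):
    """Emit an XCCDF Benchmark element: one Group holding one Rule per
    recommendation, each Rule carrying its CCE ident (if any) and an
    OVAL check reference.  Child order follows the XCCDF 1.1 schema."""
    ET.register_namespace("", XCCDF_NS)          # serialise as the default namespace
    bench = ET.Element(NS + "Benchmark", id=benchmark_id)
    ET.SubElement(bench, NS + "status").text = "draft"
    ET.SubElement(bench, NS + "title").text = benchmark_id
    ET.SubElement(bench, NS + "platform", idref=platform_cpe)   # CPE name
    ET.SubElement(bench, NS + "version").text = "1"
    group = ET.SubElement(bench, NS + "Group", id="group-all")
    ET.SubElement(group, NS + "title").text = "All recommendations"
    for rec in recs:
        rule = ET.SubElement(group, NS + "Rule", id=rec["id"],
                             severity=rec.get("severity", "unknown"),
                             selected="true")
        ET.SubElement(rule, NS + "title").text = rec["title"]
        if "description" in rec:
            ET.SubElement(rule, NS + "description").text = rec["description"]
        if "cce" in rec:
            ET.SubElement(rule, NS + "ident", system=CCE_SYSTEM).text = rec["cce"]
        check = ET.SubElement(rule, NS + "check", system=OVAL_SYSTEM)
        ET.SubElement(check, NS + "check-content-ref",
                      href="checks.xml", name=rec["oval"])   # hypothetical OVAL file
    return bench


def text_to_xccdf(text, benchmark_id="example-benchmark",
                  platform_cpe="cpe:/o:example:os:1.0"):
    """Full pipeline: text in, XCCDF document (as a string) out."""
    bench = build_benchmark(parse_recommendations(text), benchmark_id, platform_cpe)
    return ET.tostring(bench, encoding="unicode")


def summarise(xccdf_xml):
    """Parse a benchmark back and map each rule id to (severity, OVAL check
    name), which is what a consuming scanner needs from the document."""
    root = ET.fromstring(xccdf_xml)
    out = {}
    for rule in root.iter(NS + "Rule"):
        ref = rule.find(NS + "check/" + NS + "check-content-ref")
        out[rule.get("id")] = (rule.get("severity"), ref.get("name"))
    return out


if __name__ == "__main__":
    print(text_to_xccdf(SAMPLE_TEXT))
```

The parser is deliberately strict: a misspelled key or a missing `oval:` line stops the run rather than producing a benchmark with a rule that no scanner can evaluate. The `checks.xml` href is a placeholder for the OVAL definitions file that would accompany a real benchmark.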

The download page at SourceForge for RT includes links to several useful articles that will interest readers:

* The New School of Information Security

* Creating a Security Test Environment?

* Building an Effective Information Security Policy Architecture

* Stepping Through the InfoSec Program

MITRE is offering free one-day courses: one at its Bedford, Mass., offices on Jan. 21, with several more in McLean, Va. The course is intended to significantly lower the hurdle of generating standardized automated benchmarks for software projects using RT and other tools. Visit the MITRE Web site to register.

The course description provides general goals for the day’s work:

You will learn:

* How to use free tools and industry standards to create security guidance that helps system administrators configure and operate systems securely.

* Why system administrators need clear, easy-to-use security guidance that applies to their enterprise systems before, during, and after deployment.

* Why system administrators must have security guidance that is easy to understand, manage, and apply in time for their planning, installation, configuration, and operation of their systems.

If all of our subscribers choose to attend the course, MITRE's Steve Boczenowski assures us that he will make arrangements for repeat sessions. He will also have the FBI arrest me under the Computer Fraud and Abuse Act of 1986 for a denial of service of a federal-interest computer if you crash MITRE servers by all accessing the course pages at once <g,d&r>. So here’s your chance to get even with me for all those puns and political remarks that some of you dislike!
