Chapter 1: Cyber Security Engineering: Lifecycle Assurance of Systems and Software
1.2 What Do We Mean by Lifecycle Assurance?
1.3 Introducing Principles for Software Assurance
1.4 Addressing Lifecycle Assurance
1.5 Case Studies Used in This Book
1.5.1 Wireless Emergency Alerts Case Study
1.5.2 Fly-By-Night Airlines Case Study
1.5.3 GoFast Automotive Corporation Case Study
Chapter 2: Risk Analysis—Identifying and Prioritizing Needs
2.3.1 Task 1: Identify the Mission and Objective(s)
2.3.2 Task 2: Identify Drivers
2.6 Operational Risk Analysis—Comparing Planned to Actual
Chapter 3: Secure Software Development Management and Organizational Models
3.1.1 Background on Assured Systems
3.2 Process Models for Software Development and Acquisition
3.2.2 CMMI for Development (CMMI-DEV)
3.2.3 CMMI for Acquisition (CMMI-ACQ)
3.2.4 CMMI for Services (CMMI-SVC)
3.3 Software Security Frameworks, Models, and Roadmaps
3.3.1 Building Security In Maturity Model (BSIMM)
3.3.2 CMMI Assurance Process Reference Model
3.3.3 Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)
3.3.4 DHS SwA Measurement Work
3.3.5 Microsoft Security Development Lifecycle (SDL)
3.3.6 SEI Framework for Building Assured Systems
3.3.7 SEI Research in Relation to the Microsoft SDL
3.3.8 CERT Resilience Management Model Resilient Technical Solution Engineering Process Area
3.3.9 International Process Research Consortium (IPRC) Roadmap
3.3.10 NIST Cyber Security Framework
3.3.11 Uses of Software Security Frameworks, Models, and Roadmaps
Chapter 4: Engineering Competencies
4.1 Security Competency and the Software Engineering Profession
4.2 Software Assurance Competency Models
4.3.2 Organization of Competency Areas
4.3.5 National Initiative for Cybersecurity Education (NICE)
4.4 The SEI Software Assurance Competency Model
4.4.2 SwA Knowledge, Skills, and Effectiveness
4.4.4 A Path to Increased Capability and Advancement
4.4.5 Examples of the Model in Practice
4.4.6 Highlights of the SEI Software Assurance Competency Model
Chapter 5: Performing Gap Analysis
5.2 Using the SEI’s SwA Competency Model
6.1 How to Define and Structure Metrics to Manage Cyber Security Engineering
6.1.1 What Constitutes a Good Metric?
6.1.2 Metrics for Cyber Security Engineering
6.2 Ways to Gather Evidence for Cyber Security Evaluation
Chapter 7: Special Topics in Cyber Security Engineering
7.2 Security: Not Just a Technical Issue
7.2.2 Two Examples of Security Governance
7.3.1 The Need for More Cyber Security Standards
7.3.2 A More Optimistic View of Cyber Security Standards
7.4 Security Requirements Engineering for Acquisition
7.4.1 SQUARE for New Development
7.5 Operational Competencies (DevOps)
7.5.2 DevOps Practices That Contribute to Improving Software Assurance
7.6.1 Code and Design Flaw Vulnerabilities
7.6.2 Malware-Analysis–Driven Use Cases
7.6.3 Current Status and Future Research
Chapter 8: Summary and Plan for Improvements in Cyber Security Engineering Performance
8.2 Getting Started on an Improvement Plan
Appendix A: WEA Case Study: Evaluating Security Risks Using Mission Threads
Appendix B: The MSwA Body of Knowledge with Maturity Levels Added
Appendix C: The Software Assurance Curriculum Project
Appendix D: The Software Assurance Competency Model Designations
Appendix E: Proposed SwA Competency Mappings