References

[Abran 2004]

Abran, Alain, Moore, James W., Bourque, Pierre, & Tripp, Leonard L., eds. Guide to the Software Engineering Body of Knowledge. IEEE Computer Society. 2004. www.computer.org/web/swebok/index.

[Adams 2015]

Adams, Bram, Bellomo, Stephany, Bird, Christian, Marshall-Keim, Tamara, Khomh, Foutse, & Moir, Kim. The Practice and Future of Release Engineering: A Roundtable with Three Release Engineers. IEEE Software: Special Issue on Release Engineering. Volume 32. Number 2. March/April 2015. Pages 42–49.

[Adobe 2014]

Adobe Systems, Inc. Proactive Security | Adobe Security. 2014. www.adobe.com/security/proactive-efforts.html.

[Alberts 2002]

Alberts, Christopher, & Dorofee, Audrey. Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley. 2002. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=30678.

[Alberts 2006]

Alberts, Christopher. Common Elements of Risk. CMU/SEI-2006-TN-014. Software Engineering Institute, Carnegie Mellon University. 2006. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=7899.

[Alberts 2010]

Alberts, Christopher J., Allen, Julia H., & Stoddard, Robert W. Integrated Measurement and Analysis Framework for Software Security. CMU/SEI-2010-TN-025. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9369.

[Alberts 2012a]

Alberts, Christopher & Dorofee, Audrey. Mission Risk Diagnostic (MRD) Method Description. CMU/SEI-2012-TN-005. Software Engineering Institute, Carnegie Mellon University. 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10075.

[Alberts 2012b]

Alberts, Christopher J., Allen, Julia H., & Stoddard, Robert W. Deriving Software Security Measures from Information Security Standards of Practice. Software Engineering Institute, Carnegie Mellon University. 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=28784.

[Alberts 2014]

Alberts, Christopher, Woody, Carol, & Dorofee, Audrey. Introduction to the Security Engineering Risk Analysis (SERA) Framework. CMU/SEI-2014-TN-025. Software Engineering Institute, Carnegie Mellon University. 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=427321.

[Alexander 2003]

Alexander, Ian. Misuse Cases: Use Cases with Hostile Intent. IEEE Software. Volume 20. Number 1. January–February 2003. Pages 58–66.

[Alice 2014]

Alice, Gregory Paul, & Mead, Nancy R. Using Malware Analysis to Tailor SQUARE for Mobile Platforms. CMU/SEI-2014-TN-018. Software Engineering Institute, Carnegie Mellon University. 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=425994.

[Allen 2005]

Allen, Julia. Governing for Enterprise Security. CMU/SEI-2005-TN-023. Software Engineering Institute, Carnegie Mellon University. 2005. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7453.

[Allen 2007]

Allen, Julia, & Westby, Jody R. Governing for Enterprise Security (GES) Implementation Guide. CMU/SEI-2007-TN-020. Software Engineering Institute, Carnegie Mellon University. 2007. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8251.

[Allen 2008]

Allen, Julia H., Barnum, Sean, Ellison, Robert J., McGraw, Gary, & Mead, Nancy R. Software Security Engineering: A Guide for Project Managers. Addison-Wesley Professional. 2008.

[Allen 2011]

Allen, Julia H., & Curtis, Pamela D. Measures for Managing Operational Resilience. CMU/SEI-2011-TR-019. Software Engineering Institute, Carnegie Mellon University. 2011. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=10017.

[ANSI 2008]

American National Standards Institute (ANSI) & Internet Security Alliance (ISA). The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask. 2008. www.isalliance.org/publications/.

[Axelrod 2004]

Axelrod, C. Warren. Outsourcing Information Security. Artech House. 2004.

[Axelrod 2012]

Axelrod, C. Warren. Engineering Safe and Secure Software Systems. Artech House. 2012.

[Babylon 2009]

Babylon, Ltd. Definition of Framework. June 15, 2016 [accessed]. http://dictionary.babylon-software.com/framework/.

[Backus 1957]

Backus, J. W., Beeber, R. J., Best, S., Goldberg, R., Haibt, L. M., Herrick, H. L., Nelson, R. A., Sayre, D., Sheridan, P. B., Stern, H., Ziller, I., Hughes, R. A., & Nutt, R. The FORTRAN Automatic Coding System. 1957. http://archive.computerhistory.org/resources/text/Fortran/102663113.05.01.acc.pdf.

[Bartol 2008]

Bartol, Nadya. Practical Measurement Framework for Software Assurance and Information Security, Version 1.0. Practical Software & Systems Measurement (PSM). 2008. www.psmsc.com/Prod_TechPapers.asp.

[Bartol 2009]

Bartol, Nadya, Bates, Bryan, Goertzel, Karen M., & Winograd, Theodore. Measuring Cyber Security and Information Assurance, State-of-the-Art Report (SOAR). Department of Defense—Information Assurance Technology and Assurance Center (IATAC). 2009. https://buildsecurityin.us-cert.gov/sites/default/files/MeasuringCybersecurityIA.PDF.

[Basili 1984]

Basili, Victor R., & Weiss, David M. A Methodology for Collecting Valid Software Engineering Data. IEEE Transactions on Software Engineering. Volume SE-10. Number 6. November 1984. Pages 728–738.

[Basili 1988]

Basili, Victor R., & Rombach, H. Dieter. The TAME Project: Towards Improvement-Oriented Software Environments. IEEE Transactions on Software Engineering. Volume 14. Number 6. June 1988. Pages 758–773.

[Bass 2015]

Bass, Len, Weber, Ingo, & Zhu, Liming. DevOps: A Software Architect’s Perspective. Addison-Wesley Professional. 2015.

[Behrens 2012]

Behrens, Sandra, Alberts, Christopher J., & Ruefle, Robin. Competency Lifecycle Roadmap: Toward Performance Readiness. CMU/SEI-2012-TN-020. Software Engineering Institute, Carnegie Mellon University. 2012. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=28053.

[Bellomo 2014]

Bellomo, Stephany, Ernst, Neil, Nord, Robert, & Kazman, Rick. Toward Design Decisions to Enable Deployability—Empirical Study of Three Projects Reaching for the Continuous Delivery Holy Grail. Dependability and Security of System Operation (DSSO) Workshop. Atlanta, Georgia. June 2014. http://resources.sei.cmu.edu/asset_files/conferencepaper/2014_021_001_424904.pdf.

[Bitz 2008]

Bitz, Gunter, et al. Edited by Stacy Simpson. Fundamental Practices for Secure Software Development—A Guide to the Most Effective Secure Development Practices in Use Today. SAFECode. 2008. www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf.

[Bosworth 2002]

Bosworth, Seymour, & Kabay, Michel E. Computer Security Handbook, 4th ed. John Wiley and Sons. 2002.

[Business Roundtable 2013]

Business Roundtable. More Intelligent, More Effective Cybersecurity Protection. 2013. http://businessroundtable.org/resources/more-intelligent-more-effective-cybersecurity-protection.

[Caralli 2016]

Caralli, Richard A., Allen, Julia H., Curtis, Pamela D., White, David W., & Young, Lisa R. CERT Resilience Management Model, Version 1.0: Resilient Technical Solution Engineering (RTSE). 2011. www.cert.org/resilience/products-services/cert-rmm/index.cfm.

[Caralli 2011]

Caralli, Richard A., Allen, Julia H., & White, David W. CERT Resilience Management Model (CERT-RMM): A Maturity Model for Managing Operational Resilience. Addison-Wesley Professional. 2010.

[CCRA 2012]

Common Criteria Recognition Arrangement (CCRA). Common Criteria for Information Technology Security Evaluation—Part 1: Introduction and General Model, Version 3.1, Revision 4. CCMB-2012-09-001. 2012. www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4_marked_changes.pdf.

[CERN 2010]

European Council for Nuclear Research (CERN). Computer Security: Mandatory Security Baselines. CERN Computer Security Information. 2010. https://security.web.cern.ch/security/rules/en/baselines.shtml.

[Charette 1990]

Charette, Robert N. Application Strategies for Risk Analysis. McGraw-Hill Book Company. 1990.

[Chew 2008]

Chew, Elizabeth, Swanson, Marianne, Stine, Kevin, Bartol, Nadya, Brown, Anthony, & Robinson, Will. Performance Measurement Guide for Information Security. National Institute of Standards and Technology. NIST SP 800-55 Rev 1. 2008. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf.

[Chung 2006]

Chung, Lydia, Hung, Frank, Hough, Eric, Ojoko-Adams, Don, & Mead, Nancy. Security Quality Requirements Engineering (SQUARE): Case Study Phase III. CMU/SEI-2006-SR-003. Software Engineering Institute, Carnegie Mellon University. 2006. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7799.

[CMMI Institute 2015]

CMMI Institute. CMMI Institute. July 2015 [accessed]. http://cmmiinstitute.com.

[CMMI Product Team 2010a]

CMMI Product Team. CMMI for Acquisition, Version 1.3. CMU/SEI-2010-TR-032. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9657.

[CMMI Product Team 2010b]

CMMI Product Team. CMMI for Development, Version 1.3. CMU/SEI-2010-TR-033. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9661.

[CMMI Product Team 2010c]

CMMI Product Team. CMMI for Services, Version 1.3. CMU/SEI-2010-TR-034. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9665.

[CMMI Product Team 2013]

CMMI Product Team. Security by Design with CMMI® for Development, Version 1.3 (CMMI-DEV, V1.3). Software Engineering Institute, Carnegie Mellon University. 2013. http://cmmiinstitute.com/resources/security-design-cmmi-development-version-13.

[CNSS 2015]

Committee on National Security Systems (CNSS). Committee on National Security Systems (CNSS) Glossary. CNSSI Number 4009. Revised April 2015. www.cnss.gov/CNSS/issuances/Instructions.cfm.

[Coles 2015]

Coles, Robert, Barsade, Sigal, & Mehta, Sheetal. Embedding a “Culture of Security” Is the Best Defense. Knowledge@Wharton. 2015. http://knowledge.wharton.upenn.edu/article/embedding-culture-security-best-defense/.

[Comella-Dorda 2004]

Comella-Dorda, Santiago, Dean, John, Lewis, Grace, Morris, Edwin J., Oberndorf, Patricia, & Harper, Erin. A Process for COTS Software Product Evaluation. CMU/SEI-2003-TR-017. Software Engineering Institute, Carnegie Mellon University. 2004. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=6701.

[Common Criteria 2016]

Common Criteria. Common Criteria for Information Technology Security Evaluation. June 24, 2016 [accessed]. www.commoncriteriaportal.org.

[Craig 2013]

Craig. Reverse Engineering a D-Link Backdoor [blog post]. /DEV/TTYS0. October 12, 2013. www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/.

[Curtis 2002]

Curtis, Bill, Hefley, William E., & Miller, Sally A. The People Capability Maturity Model: Guidelines for Improving the Workforce. Addison-Wesley Professional. 2001.

[Deloitte 2014]

Deloitte. 2014 Board Practices Report: Perspective from the Boardroom. 2014. www2.deloitte.com/us/en/pages/regulatory/board-practices-report-perspectives-boardroom-governance.html.

[DHS 2008]

U.S. Department of Homeland Security (DHS). Software Assurance (SwA) Processes and Practices Working Group—Process Reference Model for Assurance Mapping to CMMI-DEV V1.2. 2008. https://buildsecurityin.us-cert.gov/swa/procwg.html.

[DHS 2010]

U.S. Department of Homeland Security (DHS). Software Assurance (SwA) Measurement Working Group. 2010. https://buildsecurityin.us-cert.gov/swa/measwg.html.

[DHS 2012]

U.S. Department of Homeland Security (DHS). Software Assurance Professional Competency Model. 2012. https://buildsecurityin.us-cert.gov/sites/default/files/Competency%20Model_Software%20Assurance%20Professional_%2010_05_2012%20final.pdf.

[DoD 2012]

U.S. Department of Defense (DoD). Department of Defense Instruction Number 5200.44—Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN). DoD Instruction Number 5200.44. 2012. www.dtic.mil/whs/directives/corres/pdf/520044p.pdf.

[DoE 2014a]

U.S. Department of Energy (DoE). Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), Version 1.1. 2014. http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-v-11-february-2014.

[DoE 2014b]

U.S. Department of Energy (DoE). Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2), Version 1.1. 2014. http://energy.gov/oe/downloads/oil-and-natural-gas-subsector-cybersecurity-capability-maturity-model-february-2014.

[DoLETA 2012]

U.S. Department of Labor—Employment and Training Administration (DoLETA). Information Technology Competency Model. 2012. www.careeronestop.org/CompetencyModel/competency-models/information-technology.aspx.

[Giorgini 2006]

Giorgini, Paolo, Mouratidis, Haralambos, & Zannone, Nicola. Modelling Security and Trust with Secure Tropos. Integrating Security and Software Engineering: Advances and Future Visions. IGI Global. 2006. Pages 160–189. www.igi-global.com/chapter/modelling-security-trust-secure-tropos/24055.

[Google 2012]

Google. Google’s Approach to IT Security: A Google White Paper. 2012. https://cloud.google.com/files/Google-CommonSecurity-WhitePaper-v1.4.pdf.

[Hadfield 2011]

Hadfield, Steve, Schweitzer, Dino, Gibson, David, Fagin, Barry, Carlisle, Martin, Boleng, Jeff, & Bibighaus, Dave. Defining, Integrating, and Assessing a Purposeful Progression of Cross-Curricular Initiatives into a Computer Science Program. Frontiers in Education Conference. Rapid City, South Dakota. October 2011. http://archive.fie-conference.org/fie2011/papers/1545.pdf.

[Hadfield 2012]

Hadfield, Steve. Integrating Software Assurance and Secure Programming Concepts and Mindsets into an Undergraduate Computer Science Program. Department of Homeland Security Semi-Annual Software Assurance Forum. McLean, Virginia. March 2012. https://buildsecurityin.us-cert.gov/sites/default/files/Integrating%20Software%20Assurance%20and%20Secure%20Programming%20Concep.pdf.

[Hilburn 2013a]

Hilburn, Thomas B., Ardis, Mark A., Johnson, Glenn, Kornecki, Andrew J., & Mead, Nancy R. Software Assurance Competency Model. CMU/SEI-2013-TN-004. Software Engineering Institute, Carnegie Mellon University. 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=47953.

[Hilburn 2013b]

Hilburn, Tom B., & Mead, Nancy R. Building Security In: A Road to Competency. IEEE Security & Privacy. Volume 11. Number 5. September/October 2013. Pages 89–92. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6630006.

[Howard 2006]

Howard, Michael, & Lipner, Steve. The Security Development Lifecycle. Microsoft Press. 2006.

[Humphrey 1989]

Humphrey, Watts S. Managing the Software Process. Addison-Wesley Professional. 1989.

[IEEE 2000]

Institute of Electrical and Electronics Engineers (IEEE). The Authoritative Dictionary of IEEE Standards Terms, 7th ed. 2000. http://ieeexplore.ieee.org/servlet/opac?punumber=4116785.

[IEEE-CS 2014]

Institute of Electrical and Electronics Engineers (IEEE) Computer Society. Software Engineering Competency Model, Version 1.0 (SWECOM). 2014. www.computer.org/web/peb/swecom.

[IPRC 2006]

International Process Research Consortium (IPRC). A Process Research Framework. Software Engineering Institute, Carnegie Mellon University. 2006. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=30501.

[ISACA 2014]

Information Systems Audit and Control Association (ISACA). Cybersecurity Fundamentals Glossary. 2014. www.isaca.org/pages/glossary.aspx.

[ISO/IEC 2007]

International Organization for Standardization & International Electrotechnical Commission. Systems and Software Engineering—Measurement Process. ISO/IEC 15939. 2007.

[ISO/IEC 2008a]

International Organization for Standardization & International Electrotechnical Commission (ISO/IEC). Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 2: Security Functional Components. ISO/IEC 15408-2. 2008.

[ISO/IEC 2008b]

International Organization for Standardization & International Electrotechnical Commission (ISO/IEC). Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 3: Security Assurance Components. ISO/IEC 15408-3. 2008.

[ISO/IEC 2009]

International Organization for Standardization & International Electrotechnical Commission (ISO/IEC). Information Technology—Security Techniques—Evaluation Criteria for IT Security—Part 1: Introduction and General Model. ISO/IEC 15408-1. 2009.

[ISO/IEC 2011]

International Organization for Standardization & International Electrotechnical Commission (ISO/IEC). Information Technology—Security Techniques—Application Security—Part 1: Overview and Concepts. ISO/IEC 27034-1. 2011.

[ISO/IEC 2013]

International Organization for Standardization & International Electrotechnical Commission (ISO/IEC). Information Technology—Security Techniques—Information Security Management Systems—Requirements. ISO/IEC 27001. 2013.

[ISO/IEC 2015]

International Organization for Standardization & International Electrotechnical Commission (ISO/IEC). Information Technology—Security Techniques—Application Security—Part 2: Organization Normative Framework. ISO/IEC 27034-2. 2015.

[ISSA 2004]

Information Systems Security Association (ISSA). Generally Accepted Information Security Principles, GAISP V3.0, Update Draft. 2004. https://citadel-information.com/wp-content/uploads/2010/12/issa-generally-accepted-information-security-practices-v3-2004.pdf.

[ITGI 2006]

IT Governance Institute (ITGI). Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd ed. 2006. www.isaca.org/knowledge-center/research/documents/information-security-govenance-for-board-of-directors-and-executive-management_res_eng_0510.pdf.

[Jacobson 2008]

Jacobson, Ivar. Object-Oriented Software Engineering: A Use Case Driven Approach. Addison-Wesley Professional. 2008.

[Jaquith 2007]

Jaquith, Andrew. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley Professional. 2007.

[Kelly 1998]

Kelly, Tim P. Arguing Safety—A Systematic Approach to Managing Safety Cases [Doctoral Diss.]. University of York. 1998. www-users.cs.york.ac.uk/tpk/tpkthesis.pdf.

[Kelly 2004]

Kelly, Tim, & Weaver, Rob. The Goal Structuring Notation: A Safety Argument Notation. Proceedings of the Dependable Systems and Networks 2004 Workshop on Assurance Cases. Florence, Italy. July 2004. www-users.cs.york.ac.uk/tpk/dsn2004.pdf.

[Khajenoori 1998]

Khajenoori, S., Hilburn, T., Hirmanpour, I., Turner, R., & Qasem, A. Software Engineering Competency Study: Final Report. ERAU-FAA Project, Federal Aviation Administration. December 1998.

[Kim 2008]

Kim, Gene, Love, Paul, & Spafford, George. Visible Ops Security. IT Process Institute, Inc. 2008.

[Kissel 2013]

Kissel, Richard, ed. Glossary of Key Information Security Terms, NISTIR 7298, Revision 2. U.S. Department of Commerce. 2013. www.nist.gov/manuscript-publication-search.cfm?pub_id=913810.

[Kitten 2013]

Kitten, Tracy. Digital Certificates Hide Malware—Fraudsters’ Fake Companies Fool Cert Authorities. BankInfoSecurity.com. March 11, 2013. www.bankinfosecurity.com/digital-certificates-hide-malware-a-5592/op-1.

[Leveson 2004]

Leveson, Nancy. A New Accident Model for Engineering Safer Systems. Safety Science. Volume 42. Number 4. April 2004. Pages 237–270. http://sunnyday.mit.edu/accidents/safetyscience-single.pdf.

[Lipner 2005]

Lipner, Steve, & Howard, Michael. The Trustworthy Computing Security Development Lifecycle. March 2005. http://msdn.microsoft.com/en-us/library/ms995349.aspx.

[Lipner 2015]

Lipner, Steven B. Privacy and Security—Security Assurance—How Can Customers Tell They Are Getting It? Communications of the ACM. Volume 58. Number 11. November 2015. Pages 24–26.

[McGraw 2015]

McGraw, Gary, Migues, Sammy, & West, Jacob. Building Security In Maturity Model, Version 6 (BSIMM6). 2015. www.bsimm.com/download/.

[Mead 2005]

Mead, Nancy, Hough, Eric, & Stehney, Ted, II. Security Quality Requirements Engineering. Software Engineering Institute, Carnegie Mellon University. 2005. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=7657.

[Mead 2010a]

Mead, Nancy R., Allen, Julia H., Ardis, Mark A., Hilburn, Thomas B., Kornecki, Andrew J., Linger, Richard C., & McDonald, James. Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum. CMU/SEI-2010-TR-005. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=9415.

[Mead 2010b]

Mead, Nancy, & Allen, Julia. Building Assured Systems Framework. CMU/SEI-2010-TR-025. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9611.

[Mead 2010c]

Mead, Nancy R., Hilburn, Thomas B., & Linger, Richard C. Software Assurance Curriculum Project, Volume II: Undergraduate Course Outlines. CMU/SEI-2010-TR-019. Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=9543.

[Mead 2011a]

Mead, Nancy R., Allen, Julia H., Ardis, Mark A., Hilburn, Thomas B., Kornecki, Andrew J., & Linger, Richard C. Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi. CMU/SEI-2011-TR-013. Software Engineering Institute, Carnegie Mellon University. 2011.

[Mead 2011b]

Mead, Nancy R., Hawthorne, Elizabeth K., & Ardis, Mark A. Software Assurance Curriculum Project, Volume IV: Community College Education. CMU/SEI-2011-TR-017. Software Engineering Institute, Carnegie Mellon University. 2011.

[Mead 2013a]

Mead, Nancy R., & Shoemaker, Dan. The Software Assurance Competency Model: A Roadmap to Enhance Individual Professional Capability. CERT. 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=299147.

[Mead 2013b]

Mead, Nancy R., Shoemaker, Dan, & Woody, Carol. Principles and Measurement Models for Software Assurance. International Journal of Secure Software Engineering. Volume 4. Number 1. April 2013. www.igi-global.com/article/principles-measurement-models-software-assurance/76352.

[Mead 2014]

Mead, Nancy R., & Morales, Jose Andre. Using Malware Analysis to Improve Security Requirements on Future Systems. Evolving Security & Privacy Requirements Engineering (ESPRE) Workshop, IEEE International Requirements Engineering Conference Proceedings. August 2014. Pages 37–42. http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6890526.

[Mead 2015]

Mead, Nancy R., Morales, Jose Andre, & Alice, Gregory Paul. A Method and Case Study for Using Malware Analysis to Improve Security Requirements. International Journal of Secure Software Engineering. Volume 6. Number 1. January–March 2015. Pages 1–23. www.igi-global.com/article/a-method-and-case-study-for-using-malware-analysis-to-improve-security-requirements/123452.

[Mellado 2007]

Mellado, Daniel, Fernández-Medina, Eduardo, & Piattini, Mario. A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems. Computer Standards & Interfaces. Volume 29. Number 2. February 2007. Pages 244–253.

[Microsoft 2010a]

Microsoft. Microsoft Security Development Lifecycle. 2010. www.microsoft.com/security/sdl/about/process.aspx.

[Microsoft 2010b]

Microsoft. Microsoft Security Development Lifecycle Version 5.0. 2010. http://download.microsoft.com/download/F/2/0/F205C451-C59C-4DC7-8377-9535D0A208EC/Microsoft%20SDL_Version%205.0.docx.

[MITRE 2014]

MITRE. Common Weakness Enumeration: A Community-Developed Dictionary of Software Weakness Types. 2014 [accessed]. http://cwe.mitre.org.

[MITRE 2016]

MITRE. Making Security Measurable. June 14, 2016 [accessed]. http://measurablesecurity.mitre.org.

[Moreno 2012]

Moreno, Ana M., Sanchez-Segura, Maria-Isabel, Medina-Dominguez, Fuensanta, & Carvajal, Laura. Balancing Software Engineering Education and Industrial Needs. The Journal of Systems and Software. Volume 85. Number 7. July 2012. Pages 1607–1620.

[NASA 2004]

National Aeronautics and Space Administration (NASA). Software Assurance Standard. NASA-STD-8739.8. 2004. www.hq.nasa.gov/office/codeq/doctree/87398.htm.

[NASA 2016]

National Aeronautics and Space Administration (NASA). Systems Engineering Competencies. June 20, 2016 [accessed]. http://appel.nasa.gov/developmental-programs/seldp/program/se_competencies-html/.

[NDIA 1999]

National Defense Industrial Association Test and Evaluation Division (NDIA). Test and Evaluation Public-Private Partnership Study. 1999. www.ndia.org/resources/pages/publication_catalog.aspx.

[NIST 2008]

National Institute of Standards and Technology (NIST). Performance Measurement Guide for Information Security. 2008. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-55r1.pdf.

[NIST 2013]

National Institute of Standards and Technology (NIST). Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4. 2013. http://csrc.nist.gov/publications/PubsSPs.html#800-53.

[NIST 2014]

National Institute of Standards and Technology (NIST). Framework for Improving Critical Infrastructure Cybersecurity Version 1.0. February 2014. www.nist.gov/cyberframework/index.cfm.

[NIST 2014a]

National Institute of Standards and Technology (NIST). Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Special Publication 800-53A. December 2014. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

[NIST 2015]

National Institute of Standards and Technology (NIST). Supply Chain Risk Management Practices for Federal Information Systems and Organizations. Special Publication 800-161. 2015. http://csrc.nist.gov/publications/PubsSPs.html#800-161.

[NIST 2016]

NIST. National Vulnerability Database. June 24, 2016 [accessed]. https://nvd.nist.gov.

[Nord 2012]

Nord, Robert L., Ozkaya, Ipek, & Sangwan, Raghvinder S. Making Architecture Visible to Improve Flow Management in Lean Software Development. IEEE Software. Volume 29. Number 5. September–October 2012. Pages 33–39.

[OMG 2013]

Object Management Group (OMG). How to Deliver Resilient, Secure, Efficient, and Easily Changed IT Systems in Line with CISQ Recommendations. 2013. www.omg.org/CISQ_compliant_IT_Systemsv.4-3.pdf.

[Oracle 2014]

Oracle. Importance of Software Security Assurance. 2014. www.oracle.com/us/support/assurance/development/secure-coding-standards/index.html.

[Oracle 2016]

Oracle. Security Solutions. June 6, 2016 [accessed]. www.oracle.com/us/technologies/security/overview/index.html.

[OWASP 2015]

OWASP. OWASP SAMM Project. Open Web Application Security Project (OWASP). 2015 [accessed]. www.owasp.org/index.php/OWASP_SAMM_Project.

[OWASP 2016]

Open Web Application Security Project (OWASP). OWASP Secure Software Contract Annex. March 2, 2016. www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex.

[Parker 2009]

Parker, Donn B. Making the Case for Replacing Risk-Based Security. Enterprise Information Security and Privacy. Artech House. 2009. Pages 91–101.

[PCI Security Standards Council 2013]

Payment Card Industry (PCI) Security Standards Council. Payment Card Industry (PCI) Payment Application Data Security Standard, Requirements and Security Assessment Procedures, Version 3.0. 2013. www.pcisecuritystandards.org/document_library.

[PCI Security Standards Council 2015]

Payment Card Industry (PCI) Security Standards Council. Payment Card Industry (PCI) Data Security Standard, Version 3.1. 2015. www.pcisecuritystandards.org/document_library.

[Regan 2014]

Regan, Colleen, Lapham, Mary Ann, Wrubel, Eileen, Beck, Stephen, & Bandor, Michael. Agile Methods in Air Force Sustainment: Status and Outlook. CMU/SEI-2014-TN-009. Software Engineering Institute, Carnegie Mellon University. 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=312754.

[Royce 1970]

Royce, Winston. Managing the Development of Large Software Systems. Proceedings of IEEE WESCON. Los Angeles, California. August 1970. Pages 1–9. Not publicly available. Reprinted in ICSE ’87: Proceedings of the 9th International Conference on Software Engineering. IEEE Computer Society Press. March 1987. Pages 328–338.

[SAE 2004]

SAE International. Software Reliability Program Standard. JA1002_200401. 2004. http://standards.sae.org/ja1002_200401/.

[SAFECode 2010]

SAFECode. Software Assurance Forum for Excellence in Code (SAFECode). June 15, 2016 [accessed]. www.safecode.org.

[Saltzer 1974]

Saltzer, Jerome H., & Schroeder, Michael D. The Protection of Information in Computer Systems. Communications of the ACM. Volume 17. Number 7. 1974.

[SANS 2015]

SANS. Information Security Policy Templates. SANS Information Security Training. November 8, 2015 [accessed]. www.sans.org/security-resources/policies.

[Shoemaker 2013]

Shoemaker, Dan, & Mead, Nancy R. Software Assurance Measurement—State of the Practice. CMU/SEI-2013-TN-019. Software Engineering Institute, Carnegie Mellon University. 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=72885.

[Shunn 2013]

Shunn, Arjuna, Woody, Carol, Seacord, Robert, & Householder, Allen. Strengths in Security Solutions. Software Engineering Institute, Carnegie Mellon University. 2013. http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=77878.

[Shywriter 2013]

ShyWriter. SECURITY ALERT: Back Door Found in D-Link Routers. Malwarebytes Forums. October 14, 2013. https://forums.malwarebytes.org/index.php?showtopic=134875.

[Stevens Institute of Technology 2009]

Stevens Institute of Technology. Graduate Software Engineering 2009 (GSwE2009)—Curriculum Guidelines for Graduate Degree Programs in Software Engineering. 2009. www.acm.org/binaries/content/assets/education/gsew2009.pdf.

[Swanson 1996]

Swanson, Marianne, & Guttman, Barbara. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. National Institute of Standards and Technology. 1996. http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf.

[TechTarget 2015]

TechTarget. What Is Best Practice? TechTarget SearchSoftwareQuality. November 8, 2015 [accessed]. http://searchsoftwarequality.techtarget.com/definition/best-practice.

[Tippett 2002]

Tippett, Peter. Viewpoint Discussion—Calculating Your Security Risk. The Washington Post. December 4, 2002. www.washingtonpost.com/wp-srv/liveonline/advertisers/viewpoint_tru120402.htm.

[TSI 2014]

Trustworthy Software Initiative & British Standards Institution. Software Trustworthiness—Governance and Management—Specification. PAS 754. British Standards Institution. 2009.

[Veracode 2012]

Veracode. Study of Software Related Cybersecurity Risks in Public Companies, Feature Supplement of Veracode’s State of Software Security Report. 2012. https://info.veracode.com/state-of-software-security-volume-4-supplement.html.

[Warner 2014]

Warner, Judy, & Epstein, Adam J. Playing for Keeps: Keeping Your Cyber Issues in Check. NACD Magazine. September 25, 2014. www.nacdonline.org/Magazine/Article.cfm?ItemNumber=11730.

[Westby 2012]

Westby, Jody R. Governance of Enterprise Security Survey: CyLab 2012 Report—How Boards & Senior Executives Are Managing Cyber Risks. Carnegie Mellon University. 2012. www.cylab.cmu.edu/education/governance.html.

[White House 2013]

White House. Improving Critical Infrastructure Cybersecurity. Executive Order 13636. February 12, 2013. www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.

[Wikipedia 2011a]

Wikipedia. Morris Worm. June 2011 [accessed]. http://en.wikipedia.org/wiki/Morris_worm.

[Wikipedia 2011b]

Wikipedia. IBM System/370. June 2011 [accessed]. http://en.wikipedia.org/wiki/System/370.

[Wikipedia 2014a]

Wikipedia. Heartbleed. April 2014 [accessed]. http://en.wikipedia.org/wiki/Heartbleed.

[Wikipedia 2014b]

Wikipedia. Zero-Day Attack. April 2014 [accessed]. http://en.wikipedia.org/wiki/Zero-day_attack.

[Wood 1999]

Wood, Charles Cresson. Information Security Policies Made Easy: Version 7. Baseline Software. 1999.

[Woody 2014]

Woody, Carol, Ellison, Robert J., & Nichols, William. Predicting Software Assurance Using Quality and Reliability Measures. CMU/SEI-2014-TN-026. Software Engineering Institute, Carnegie Mellon University. 2014. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=428589.

[Xing 2014]

Xing, Luyi, Pan, Xiaorui, Wang, Rui, Yuan, Kan, & Wang, XiaoFeng. Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating. Presented at 2014 IEEE Symposium on Security and Privacy. May 2014. www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidupdating.pdf.
