Index
A
access paths, 31
ACM (Association for Computing Machinery), 12
acquirers, 57
acquisition. See software acquisition
acquisition cases
acquisition of COTS software, 151–158
acquisition organization that specifies requirements as RFP, 151
acquisition organization with typical client role, 151–156
activities (BSIMM), 310, 315–318
ADM (Asset Definition and Management) process area, 66
Alberts, Christopher, 13
alert originators (AOs), 14
alerts, emergency
definition of, 14
WEA (Wireless Emergency Alerts) case study
mission thread example, 217–219
preparation for mission thread analysis, 213–215
alignment of risk, 8
Allspaw, John, 160
analysis. See gap analysis; malware analysis; risk analysis
analytics, Software Assurance Competency Model, 246
Android operating system, 175
AOs (alert originators), 14
Applications Security Advisory Board, proposed SwA competency mappings
comprehensive list of job titles, 259–277
initial list of job titles, 249–258
architecture, security measures for, 40, 326
Assessment Final Report (BSIMM)
audience, 283
comparison within vertical, 300–304
contacts, 283
data gathering, 290
list of figures, 282
practices, 293
purpose, 283
scorecard, 293
table of contents, 281
assessment of risk, 21
Asset Definition and Management (ADM) process area, 66
Association for Computing Machinery (ACM), 12
assurance. See software assurance (SwA)
assurance models, 121
attacks
attacker interest, measures of, 330
audience (BSIMM Assessment Final Report), 283
audits, 9
automation of information security standards
DevOpsSec competencies, 170–171
availability, 29
avoidance of risk, 28
B
“Balancing Software Engineering Education and Industrial Needs”, 77
Bartol, Nadya, 55
BASF (Building Assured Systems Framework), 60–62
to-be state, determining. See gap analysis
behavioral indicators (DHS competency model), 80
boards of directors, oversight of cybersecurity, 137–138
BoK (Body of Knowledge)
MSwA (Master of Software Assurance) Reference Curriculum
assurance across life cycles, 227–228
system functionality assurance, 232–233
system operational assurance, 233–234
system security assurance, 103–105, 231–232
Software Assurance Curriculum Project, 236–237
bottlenecks, minimizing, 167–168, 171
BSIMM (Building Security In Maturity Model)
BSIMM Community, 314
BSIMM6, 310
GoFast Automotive case study, 107
sample BSIMM Assessment Final Report
audience, 283
comparison within vertical, 300–304
contacts, 283
data gathering, 290
list of figures, 282
practices, 293
purpose, 283
table of contents, 281
software security initiatives, constructing, 312–314
SSF (software security framework), 50–51
when to use, 312
BSIMM Community, 314
build and integration tests, 164–165
Building Assured Systems Framework (BASF), 60–62
Building Security In Maturity Model. See BSIMM (Building Security In Maturity Model)
business processes, 29
Business Roundtable, 137
business-aligned threat modeling, 169–170
business-driven risk analysis
DevOpsSec competencies, 169–170
C
Capability Maturity Model Integration models. See CMMI® (Capability Maturity Model Integration) models
care, duty of, 140
case studies
code and design flaw vulnerabilities
Android operating system, 175
CWE (Common Weakness Enumeration), 176–177
digital certificates, 175
Fly-By-Night Airlines
GoFast Automotive
description, 15
project staffing, 95
Twitter security automation, 165–166
WEA (Wireless Emergency Alerts)
mission thread example, 217–219
preparation for mission thread analysis, 213–215
risk management, 131
CERT Resilience Management Model (CERT-RMM), 63–67
certainty versus uncertainty, 18
certificates, digital, 175
CERT-RMM (CERT Resilience Management Model), 63–67
Cigital (BSIMM sample report), 323
CMMI® (Capability Maturity Model Integration) models
CMMI assurance process reference model, 50–52
CMMI-ACQ (CMMI for Acquisition), 45–47
CMMI-DEV (CMMI for Development), 44–45
CMMI-SVC (CMMI for Services), 47–48
uses, 48
CMSPs (commercial mobile service providers), 213
code and design flaw vulnerabilities
Android operating system, 175
CWE (Common Weakness Enumeration), 176–177
digital certificates, 175
coding, security measures for, 326
commercial mobile service providers (CMSPs), 213, 214
commercial off-the-shelf (COTS) software, 4, 151–158
Common Vulnerability Enumeration (CVE), 122
Common Weakness Enumeration (CWE), 125, 176–177
communications
Microsoft SDL (Security Development Lifecycle), 59–60
SD3+C, 59
comparison within vertical (BSIMM Assessment Final Report), 300–304
competencies. See also competency models
competency attributes of effectiveness, 88
competency designations, 88–90
DevOps operational competencies
collaborative culture of, 160–161
deployment pipeline, 161
efficiency and effectiveness of, 161
practices for software assurance, 161–168
DevOpsSec competencies
business-driven risk analysis, 169–170
continuous monitoring and improvement, 171
InfoSec expert integration, 169
integration/automation of information security standards, 170–171
overview, 169
proposed mappings from (ISC)2 Application Security Advisory Board
abridged table, 98
augmented by project needs, 100–102
comprehensive list of job titles, 259–277
initial list of job titles, 249–258
Competency Lifecycle Roadmap: Toward Performance Readiness (Software Engineering Institute), 78
competency models. See also competencies
DHS Software Assurance Professional Competency Model
behavioral indicators, 80
NICE (National Initiative for Cybersecurity Education), 80–81
organization of competency areas, 79
proficiency targets, 80
SwA competency levels, 79
improvement plans, 186
Software Assurance Competency Model
advantages of, 94
competency attributes of effectiveness, 88
competency designations, 88–90, 239–248
endorsements of, 94
professional growth and career advancement and, 91–93
project staffing case study, 95
software engineering profession and, 75–77
complete mediation, 6
compliance, Software Assurance Competency Model, 243
Conclusion section (BSIMM Assessment Final Report), 305–307
confidentiality, 29
conformance (environment), enforcing, 170–171
Contacts section (BSIMM Assessment Final Report), 283
containment, 40
continuous monitoring
DevOpsSec competencies, 171
control plan development, 37–38
controlling risk, 21
CorBoK (Core Body of Knowledge) areas
Software Assurance Competency Model
competency attributes of effectiveness, 85–88
competency designations, 88–90
Software Assurance Curriculum Project, 236–237
COTS (commercial off-the-shelf) software, 4, 151–158
critical data, 31
Curriculum Architecture (MSwA), 237–238
CVE (Common Vulnerability Enumeration), 122
CWE (Common Weakness Enumeration), 125, 176–177
cyber security standards
cybercrime, increase in, 2
D
daily operations, security analysis for, 169
data gathering (BSIMM Assessment Final Report), 290
Data Security Standard (DSS), 142–143
Debois, Patrick, 160
default, security by (SD3+C), 58–59
Department of Homeland Security. See DHS (Department of Homeland Security)
Department of Labor Information Technology Competency Model, 77
dependencies, trusted, 8, 126, 330
deployment
DevOps
deployment pipeline, 161
to production, 166
streamlining, 171
Microsoft SDL (Security Development Lifecycle), 59
security in (SD3+C), 59
design, security by (SD3+C), 58
design flaw vulnerabilities
Android operating system, 175
CWE (Common Weakness Enumeration), 176–177
digital certificates, 175
development. See software development
DevOps
collaborative culture of, 160–161
dashboards, 168
deployment pipeline, 161
DevOpsSec competencies
business-driven risk analysis, 169–170
continuous monitoring and improvement, 171
InfoSec expert integration, 169
integration/automation of information security standards, 170–171
overview, 169
efficiency and effectiveness of, 161
practices for software assurance
business-driven risk analysis, 163–164
continuous monitoring and improvement, 167–168
integration of InfoSec experts, 162–163
integration/automation of information security standards, 164–166
DevOpsSec competencies
business-driven risk analysis, 169–170
continuous monitoring and improvement, 171
InfoSec expert integration, 169
integration/automation of information security standards, 170–171
overview, 169
DHS (Department of Homeland Security)
DHS S&T (Department of Homeland Security Science and Technology), 213
DHS SwA Measurement Work, 55–58
Software Assurance Professional Competency Model
behavioral indicators, 80
NICE (National Initiative for Cybersecurity Education), 80–81
organization of competency areas, 79
proficiency targets, 80
SwA competency levels, 79
SwA (Software Assurance) working group, CMMI assurance process reference model, 50–52
digital certificates, 175
directives, 145
diverse operational systems, 92, 244
documents, Software Assurance Curriculum Project, 235–236
domains (BSIMM), 311
Dorofee, Audrey, 13
doubts, role of, 12
drivers
definition of, 25
failure state, 25
success state, 25
DSS (Data Security Standard), 142–143
duty of care, 140
dynamic evidence, 330
E
economy of mechanism, 6
effectiveness
competency attributes of, 88
of DevOps, 161
efficiency of DevOps, 161
Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), 143
emergency alerts
definition of, 14
WEA (Wireless Emergency Alerts) case study
mission thread example, 217–219
preparation for mission thread analysis, 213–215
enforcing environment conformance, 170–171
entities, 19
environment
ES-C2M2 (Electricity Subsector Cybersecurity Capability Maturity Model), 143
ethics, Software Assurance Competency Model, 93, 245
evidence
mapping between security risk focus areas and principles for software security, 125
seven principles of, 125–126, 329–331
software security questions, 125, 327–328
from standards, 127
Executive Summary section (BSIMM Assessment Final Report), 284–289
executives
decision makers, 57
oversight of cybersecurity, 137–138
exploit kits, 180
F
facilitated assessments, 33
fail-safe defaults, 6
failure, 122
failure state (drivers), 25
Fairley, Dick, 94
FakeFirm BSIMM sample report. See Assessment Final Report (BSIMM)
FCC (Federal Communication Commission), 213
FEMA (Federal Emergency Management Agency), 213
files, log, 168
Final Report (BSIMM). See Assessment Final Report (BSIMM)
Fly-By-Night Airlines case study
A Framework for PAB Competency Models, 77
BASF (Building Assured Systems Framework), 60–62
BSIMM (Building Security In Maturity Model). See BSIMM (Building Security In Maturity Model)
CMMI assurance process reference model, 50–52
DHS SwA Measurement Work, 55–58
IRPC (International Process Research Consortium) roadmap, 67–70
Microsoft SDL (Security Development Lifecycle)
overview, 58
security by design, 58
security in deployment, 59
National Cybersecurity Workforce Framework, 80–81
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72
RTSE (Resilient Technical Solution Engineering) process area, 63–67
SAMM (Software Assurance Maturity Model), 53–55
uses, 72
functional correctness, 118
G
with BSIMM (Building Security In Maturity Model)
BSIMM Assessment Final Report, 108–113, 279–307
GoFast Automotive case study, 107
improvement plans, 186
with Software Assurance Competency Model
competency mappings from (ISC)2 Application Security Advisory Board, 98–102
Fly-By-Night Airlines case study, 105–106
GoFast Automotive case study, 102
system security assurance KA specification, 103–105
Goal-Question-Metric (GQM), 116
GoFast Automotive case study
description, 15
gap analysis
with BSIMM (Building Security In Maturity Model), 107
with Software Assurance Competency Model, 102
governance
scope of
characteristics of effective governance, 141–142
duty of care, 140
GQM (Goal-Question-Metric), 116
guidelines, 147
H
Hammond, Paul, 160
Hilburn, Tom, 14
Homeland Security. See DHS (Department of Homeland Security)
I
IaC (Infrastructure as Code), 166
identification of mission risk
mission/objective identification, 24–25
SERA (Security Engineering Risk Analysis) framework, 33–35
IEEE (Institute of Electrical and Electronics Engineers)
endorsement of frameworks, 12
A Framework for PAB Competency Models, 77
PAB (Professional Advisory Board), 94
SWICOM (Software Engineering Competency Model), 78
IGF (Internet Governance Forum), 137
impact, 20
implemented information security management system (ISMS), 120
improvement plans
engineering competencies, 186
gap analysis, 186
management and organizational models, 184–186
metrics, 186
order of implementation, 183
risk analysis, 184
special topics in cyber security engineering, 187
Improving Critical Infrastructure Cybersecurity, 67–71
Information Technology Competency Model, 77
InfoSec experts, integration of
DevOpsSec competencies, 169
Infrastructure as Code (IaC), 166
Institute of Electrical and Electronics Engineers. See IEEE (Institute of Electrical and Electronics Engineers)
build and integration tests, 164–165
DevOps integration strategy
DevOpsSec competencies, 170–171
overview, 169
of InfoSec experts, 162–163, 169
interactions, 329
International Organization for Standardization (ISO), 12
International Process Research Consortium (IRPC) roadmap, 67–70
Internet Governance Forum (IGF), 137
IPAWS (commercial mobile service providers), 214
IRPC (International Process Research Consortium) roadmap, 67–70
as-is state, documenting, 100
(ISC)2 Application Security Advisory Board, proposed SwA competency mappings
abridged table, 98
augmented by project needs, 100–102
comprehensive list of job titles, 259–277
initial list of job titles, 249–258
ISMS (implemented information security management system), 120
ISO (International Organization for Standardization), 12
J-K
job titles, proposed SwA competency mappings
comprehensive list of job titles, 259–277
initial list of job titles, 249–258
KAs (knowledge areas)
Software Assurance Competency Model
assurance across life cycles, 240
assurance assessment, 242
assurance management, 243
risk management, 241
system functionality assurance, 245–246
system operational assurance, 247–248
system security assurance, 244–245
Software Assurance Curriculum Project, 236–237
L
least common mechanism, 7
levels, maturity. See maturity levels
lifecycle, 10
lifecycle assurance
lifecycle-phase measures, 325–326
MSwA BoK (Body of Knowledge), 227–228
Software Assurance Competency Model, 89, 240–248
lifecycle-phase measures, 124, 325–326
List of Figures section (BSIMM Assessment Final Report), 282
log files (DevOps), 168
M
macrocycle, 6
code and design flaw vulnerabilities
Android operating system, 175
CWE (Common Weakness Enumeration), 176–177
digital certificates, 175
Malware Analysis Leading to Overlooked Security Requirements (MORE), 180
malware exploits, 172
management. See also models
measurement management, 132–133
ORM (operational resilience management), 134
software security frameworks
BASF (Building Assured Systems Framework), 60–62
BSIMM (Building Security In Maturity Model). See BSIMM (Building Security In Maturity Model)
CMMI assurance process reference model, 50–52
IRPC (International Process Research Consortium) roadmap, 67–70
linkages between CERT research and Microsoft SDL, 62–64
Microsoft SDL (Security Development Lifecycle), 58–60
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72
Practical Measurement Framework, 55–58
RTSE (Resilient Technical Solution Engineering) process area, 63–67
SAMM (Software Assurance Maturity Model), 53–55
uses, 72
mappings
proposed mappings from (ISC)2 Application Security Advisory Board
abridged table, 98
augmented by project needs, 100–102
comprehensive list of job titles, 259–277
initial list of job titles, 249–258
security risk focus areas and principles for software security, 125, 328–329
Master of Software Assurance Reference Curriculum. See MSwA (Master of Software Assurance) Reference Curriculum
improvement plans and
engineering competencies, 186
gap analysis, 186
management and organizational models, 184–186
metrics, 186
risk analysis, 184
MSwA (Master of Software Assurance) Reference Curriculum
assurance across life cycles, 227–228
risk management, 228
system functionality assurance, 232–233
system operational assurance, 233–234
system security assurance, 231–232
measurable evidence, 331
measurement baselines, 132–133
measures
assurance, measuring, 9
attacker interest, 330
definition of, 115
DHS Practical Measurement Framework, 55–58
evidence
mapping between security risk focus areas and principles for software security, 125, 328–329
overview, 127
lifecycle-phase measures, 325–326
measurement baselines, 132–133
measurement management, 132–133
Measures for Managing Operational Resilience (Allen), 134
mediation, 6
metrics
characteristics of good metrics, 116–117
for cyber security engineering, 117–120
definition of, 115
deployment pipeline metrics, 167–168
DevOps, 171
evidence
mapping between security risk focus areas and principles for software security, 125, 328–329
overview, 127
questions for software security, 125, 327–328
seven principles of, 125–126, 329–331
GQM (Goal-Question-Metric), 116
importance of, 9
improvement plans, 186
measures
attacker interest, 330
definition of, 115
lifecycle-phase measures, 325–326
measurement baselines, 132–133
measurement management, 132–133
system health and resiliency metrics, 168
Microsoft
SDL (Security Development Lifecycle)
overview, 58
security by design, 58
security in deployment, 59
minimizing security bottlenecks, 167–168, 171
definition of, 23
MRD (Mission Risk Diagnostic)
mission/objective identification, 24–25
WEA (Wireless Emergency Alerts) case study
mission thread example, 217–219
preparation for mission thread analysis, 213–215
mission threads
overview, 29
WEA (Wireless Emergency Alerts) case study
mission thread example, 217–219
preparation for mission thread analysis, 213–215
misuse cases, 172
mitigation of risk, 28
CMMI (Capability Maturity Model Integration) models
CMMI-ACQ (CMMI for Acquisition), 45–47
CMMI-DEV (CMMI for Development), 44–45
CMMI-SVC (CMMI for Services), 47–48
uses, 48
DHS competency model
organization of competency areas, 79
proficiency targets, 80
SwA competency levels, 79
Information Technology Competency Model, 77
secure lifecycle models, 177
Software Assurance Competency Model
advantages of, 94
competency attributes of effectiveness, 88
competency designations, 88–90, 239–248
endorsements of, 94
professional growth and career advancement and, 91–93
project staffing case study, 95
software engineering profession and, 75–77
software security frameworks
BASF (Building Assured Systems Framework), 60–62
BSIMM (Building Security In Maturity Model). See BSIMM (Building Security In Maturity Model)
CMMI assurance process reference model, 50–52
IRPC (International Process Research Consortium) roadmap, 67–70
linkages between CERT research and Mic, 62–64
Microsoft SDL (Security Development Lifecycle), 58–60
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72
Practical Measurement Framework, 55–58
RTSE (Resilient Technical Solution Engineering) process area, 63–67
SAMM (Software Assurance Maturity Model), 53–55
uses, 72
MON (Monitoring) process area, 66
monitoring
continuous monitoring and improvement
DevOpsSec competencies, 171
MON (Monitoring) process area, 66
Software Assurance Competency Model, 247
Monitoring (MON) process area, 66
MORE (Malware Analysis Leading to Overlooked Security Requirements), 180
More Intelligent, More Effective Cybersecurity Protection (Business Roundtable), 137
Morris worm, 7
Moss, Michelle, 55
MRD (Mission Risk Diagnostic)
mission/objective identification, 24–25
MSwA (Master of Software Assurance) Reference Curriculum
BoK (Body of Knowledge)
assurance across life cycles, 227–228
system functionality assurance, 232–233
system operational assurance, 233–234
system security assurance, 103–105, 231–232
Curriculum Architecture, 237–238
Software Assurance Curriculum Project, 237–238
MVS (Multiple Virtual Storage), 7
N
National Cybersecurity Workforce Framework, 80–81
National Initiative for Cybersecurity Careers and Studies (NICCS), 80
National Initiative for Cybersecurity Education (NICE), 80–81
National Institute of Standards and Technology. See NIST (National Institute of Standards and Technology)
NICCS (National Initiative for Cybersecurity Careers and Studies), 80
NICE (National Initiative for Cybersecurity Education), 80–81
NIST (National Institute of Standards and Technology)
endorsement of frameworks, 12
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72, 120, 137
System Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, 150
TACIT approach, 150
O
OODA (Observe, Orient, Decide, and Act) framework, 22
open design, 7
open source software
overview, 4
patches, 171
Open Web Application Security Project (OWASP), 53–55
OpenSSL Heartbleed vulnerability, 177
operational competencies (DevOps)
collaborative culture of, 160–161
deployment pipeline, 161
DevOpsSec competencies
business-driven risk analysis, 169–170
continuous monitoring and improvement, 171
InfoSec expert integration, 169
integration/automation of information security standards, 170–171
overview, 169
efficiency and effectiveness of, 161
practices for software assurance
business-driven risk analysis, 163–164
continuous monitoring and improvement, 167–168
integration of InfoSec experts, 162–163
integration/automation of information security standards, 164–166
operational context, establishing, 34
operational monitoring, Software Assurance Competency Model, 247
operational resilience management (ORM), 134
operational risk analysis, 38
operational system model (SERA), 31–33
organizational models. See models
ORM (operational resilience management), 134
OWASP (Open Web Application Security Project), 53–55
P
PAB (Professional Advisory Board), 77, 94
PA-DSS (Payment Application Data Security Standard), 143
patches, 171
Payment Application Data Security Standard (PA-DSS), 143
PCI (Payment Card Industry), 142–143
PDCA (Plan, Do, Check, Act) model, 21–22
People CMM (People Capability Maturity Model), 43, 76
people skills, 169
Performance Measurement Guide for Information Security (NIST), 120
performance tests, 166
Plan, Do, Check, Act (PDCA) model, 21–22
planning
importance of, 9
improvement plans
engineering competencies, 186
gap analysis, 186
management and organizational models, 184–186
metrics, 186
order of implementation, 183
risk analysis, 184
special topics in cyber security engineering, 187
risk management, 21
potential events, 19
Practical Measurement Framework, 55–58
Practical Measurement Framework for Software Assurance and Information Security (Bartol), 122, 127
BSIMM Assessment Final Report, 293, 311
characteristics of, 148
RTSE (Resilient Technical Solution Engineering), 66
practioners, 57
Predicting Software Assurance Using Quality and Reliability Measures (Woody), 123
principles
characteristics of, 145
privilege
separation of, 7
probability, 20
procedures, 148
process areas, 44. See also process models (CMMI)
process improvement, 167
process institutionalization, 171
CMMI-ACQ (CMMI for Acquisition), 45–47
CMMI-DEV (CMMI for Development), 44–45
CMMI-SVC (CMMI for Services), 47–48
uses, 48
Professional Advisory Board (PAB), 77, 94
proficiency targets, 80
program structure models, 121
project staffing case study, 95
“The Protection of Information in Computer Systems” (Saltzer and Schroeder), 3
psychological acceptability, 7
purpose of BSIMM Assessment Final Report, 283
Q-R
questions for software security, 125, 327–328
recovery, 29
reports, BSIMM Assessment Final Report
audience, 283
comparison within vertical, 300–304
contacts, 283
data gathering, 290
list of figures, 282
practices, 293
purpose, 283
scorecard, 293
table of contents, 281
requirements engineering, security measures for, 326
research in malware analysis, 179–180
Resiliency Requirements Development (RRD), 66
Resiliency Requirements Management (RRM), 66
resilient systems
overview, 40
system health and resiliency metrics, 168
Resilient Technical Solution Engineering (RTSE) process area, 63–67
resisting risk, 29
risk alignment, 8
certainty versus uncertainty, 18
definition of risk, 18
DevOps business-driven risk analysis
DevOpsSec competencies, 169–170
improvement plans, 184
mission risk. See also WEA (Wireless Emergency Alerts) case study
definition of, 23
MRD (Mission Risk Diagnostic), 23–27
operational risk, 38
risk management
MSwA BoK (Body of Knowledge), 61–62, 228
Software Assurance Competency Model, 90, 241
WEA (Wireless Emergency Alerts) case study, 131
security risk
definition of, 27
mapping between security risk focus areas and principles for software security, 125, 328–329
SERA (Security Engineering Risk Analysis) framework, 31–38
risk exposure, 20
risk management
MSwA BoK (Body of Knowledge), 61–62, 228
Software Assurance Competency Model, 90, 241
WEA (Wireless Emergency Alerts) case study, 131
roadmaps. See frameworks
RRD (Resiliency Requirements Development), 66
RRM (Resiliency Requirements Management), 66
RTSE (Resilient Technical Solution Engineering) process area, 63–67
S
SADB (Security Automation Dashboard), 165
SAFECode (Software Assurance Forum for Excellence in Code), 172
safety cases. See assurance cases
SAMM (Software Assurance Maturity Model), 53–55
satellites (BSIMM), 311
SC (Service Continuity) process area, 66
scope of governance
characteristics of effective governance, 141–142
definition of governance, 138–139
duty of care, 140
scorecard (BSIMM Assessment Final Report), 293
SDL (Security Development Lifecycle)
security by design, 58
security in deployment, 59
Secure by Design, Secure by Default, Secure in Deployment, and Communications (SD3+C), 58–60
secure coding, 63
secure lifecycle models, 177
Secure Software Development Lifecycle (SSDL), 309, 311
secure software engineering, 40–41
Security Automation Dashboard (SADB), 165
security competency models. See competency models
Security Development Lifecycle. See SDL (Security Development Lifecycle)
Security Development Lifecycle (SDL), 311
Security Engineering Risk Analysis (SERA) framework. See SERA (Security Engineering Risk Analysis) framework
Security Quality Requirements Engineering. See SQUARE process
Security Quality Requirements Engineering for Acquisition (A-SQUARE), 135–136
security requirements for acquisition overview, 150
for acquisition of COTS software, 151–158
for acquisition organization that specifies requirements as RFP, 151
for acquisition organization with typical client role, 151–156
summary, 159
security risk
definition of, 27
mapping between security risk focus areas and principles for software security, 328–329
SERA (Security Engineering Risk Analysis) framework
control plan development, 37–38
operational context, establishing, 34
operational system model, 31–33
overview, 31
risk analysis, 36
security standards
integration/automation of, 164–166
security tool automation, 170
SEI (Software Engineering Institute)
Competency Lifecycle Roadmap: Toward Performance Readiness, 78
endorsement of frameworks, 12
research in relation to Microsoft SDL, 62–64
Software Assurance Competency Model
advantages of, 94
competency attributes of effectiveness, 88
competency designations, 88–90, 239–248
endorsements of, 94
professional growth and career advancement and, 91–93
project staffing case study, 95
Software Assurance Curriculum Project
MSwA (Master in Software Assurance) Curriculum Architecture, 237–238
SwA CorBoK (Core Body of Knowledge) areas, 236–237
separation of privilege, 7
SERA (Security Engineering Risk Analysis) framework
control plan development, 37–38
operational context, establishing, 34
operational system model, 31–33
overview, 31
risk analysis, 36
Service Continuity (SC) process area, 66
seven principles of evidence, 329–331
SFIA (Skills Framework for the Information Age), 78
Shafer, Andrew “Clay”, 160
Skills Framework for the Information Age (SFIA), 78
acquisition cases
acquisition of COTS software, 151–158
acquisition organization that specifies requirements as RFP, 151
acquisition organization with typical client role, 151–156
CMMI (Capability Maturity Model Integration) models
CMMI-ACQ (CMMI for Acquisition), 45–47
CMMI-DEV (CMMI for Development), 44–45
CMMI-SVC (CMMI for Services), 47–48
uses, 48
Software Assurance Competency Model
advantages of, 94
competency attributes of effectiveness, 88
competency designations
assurance across life cycles, 240
assurance assessment, 242
assurance management, 243
risk management, 241
system functionality assurance, 245–246
system operational assurance, 247–248
system security assurance, 244–245
endorsements of, 94
gap analysis
competency mappings from (ISC)2 Application Security Advisory Board, 98–102
Fly-By-Night Airlines case study, 105–106
GoFast Automotive case study, 102
system security assurance KA specification, 103–105
professional growth and career advancement and, 91–93
project staffing case study, 95
software assurance competency models. See competency models
Software Assurance Curriculum Project
MSwA (Master in Software Assurance) Curriculum Architecture, 237–238
SwA CorBoK (Core Body of Knowledge) areas, 236–237
Software Assurance Forum for Excellence in Code (SAFECode), 172
Software Assurance Maturity Model (SAMM), 53–55
Software Assurance Professional Competency Model (DHS)
behavioral indicators, 80
NICE (National Initiative for Cybersecurity Education), 80–81
organization of competency areas, 79
proficiency targets, 80
SwA competency levels, 79
software assurance (SwA). See also competency models; software development
assurance across life cycles
MSwA BoK (Body of Knowledge), 227–228
Software Assurance Competency Model, 89, 240
assurance assessment
MSwA BoK (Body of Knowledge), 228–229
Software Assurance Competency Model, 242
assurance management
MSwA BoK (Body of Knowledge), 230–231
Software Assurance Competency Model, 243
DevOps practices for
business-driven risk analysis, 163–164
continuous monitoring and improvement, 167–168
integration of InfoSec experts, 162–163
integration/automation of information security standards, 164–166
DHS CMMI assurance process reference model, 50–52
DHS competency model
behavioral indicators, 80
NICE (National Initiative for Cybersecurity Education), 80–81
organization of competency areas, 79
overview, 78
proficiency targets, 80
SwA competency levels, 79
DHS Practical Measurement Framework, 55–58
mapping between security risk focus areas and principles for software security, 328–329
MSwA (Master of Software Assurance) Reference Curriculum BoK
assurance across life cycles, 227–228
system functionality assurance, 232–233
system operational assurance, 233–234
system security assurance, 231–232
proposed competency mappings
comprehensive list of job titles, 259–277
initial list of job titles, 249–258
Software Assurance Competency Model
advantages of, 94
competency attributes of effectiveness, 88
competency designations, 88–90, 239–248
professional growth and career advancement and, 91–93
project staffing case study, 95
Software Assurance Curriculum Project
MSwA (Master in Software Assurance) Curriculum Architecture, 237–238
SwA CorBoK (Core Body of Knowledge) areas, 236–237
software engineering profession and, 75–77
software security frameworks
BASF (Building Assured Systems Framework), 60–62
BSIMM (Building Security In Maturity Model), 49–51
CMMI assurance process reference model, 50–52
IRPC (International Process Research Consortium) roadmap, 67–70
Microsoft SDL (Security Development Lifecycle), 58–60
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72, 120, 137
Practical Measurement Framework, 55–58
RTSE (Resilient Technical Solution Engineering) process area, 63–67
SAMM (Software Assurance Maturity Model), 53–55
SEI (Software Engineering Institute), 60–62
software development. See also software assurance (SwA)
CMMI (Capability Maturity Model Integration) models
CMMI-ACQ (CMMI for Acquisition), 45–47
CMMI-DEV (CMMI for Development), 44–45
CMMI-SVC (CMMI for Services), 47–48
uses, 48
software security frameworks
BASF (Building Assured Systems Framework), 60–62
BSIMM (Building Security In Maturity Model). See BSIMM (Building Security In Maturity Model)
CMMI assurance process reference model, 50–52
IRPC (International Process Research Consortium) roadmap, 67–70
Microsoft SDL (Security Development Lifecycle), 58–60
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72, 120, 137
Practical Measurement Framework, 55–58
RTSE (Resilient Technical Solution Engineering) process area, 63–67
SAMM (Software Assurance Maturity Model), 53–55
SEI (Software Engineering Institute), 60–62
Software Engineering Competency Model (SWECOM), 78
Software Engineering Institute. See SEI (Software Engineering Institute)
software error detection models, 121
Software Security Engineering (Allen), 41
Software Security Framework (SSF), 311
software security frameworks
BASF (Building Assured Systems Framework), 60–62
BSIMM (Building Security In Maturity Model). See BSIMM (Building Security In Maturity Model)
CMMI assurance process reference model, 50–52
IRPC (International Process Research Consortium) roadmap, 67–70
linkages between CERT research and Mic, 62–64
Microsoft SDL (Security Development Lifecycle)
overview, 58
security by design, 58
security in deployment, 59
National Cybersecurity Workforce Framework, 80–81
NIST Framework for Improving Critical Infrastructure Cybersecurity, 67–72, 120, 137
Practical Measurement Framework, 55–58
RTSE (Resilient Technical Solution Engineering) process area, 63–67
SAMM (Software Assurance Maturity Model), 53–55
uses, 72
Software Security Group (SSG), 49, 311
software security initiatives (SSI), 108, 311, 312–314
software security questions, 125, 327–328
A-SQUARE (Security Quality Requirements Engineering for Acquisition), 135–136
for acquisition of COTS software, 151–158
for acquisition organization that specifies requirements as RFP, 151
for acquisition organization with typical client role, 151–156
summary, 159
SSDL (Secure Software Development Lifecycle), 309, 311
SSF (software security framework), 311
SSG (software security group), 49, 311
SSI (software security initiatives), 108, 311, 312–314
staging, 166
stakeholders, 30
standards
cyber security standards
integration/automation of, 164–166
evidence from, 127
states of drivers, 25
structural correctness, 118
success state (drivers), 25
SwA. See software assurance (SwA)
SwA Competency Model. See Software Assurance Competency Model
SWICOM (Software Engineering Competency Model), 78
system control, Software Assurance Competency Model, 248
system functionality assurance
MSwA BoK (Body of Knowledge), 232–233
Software Assurance Competency Model, 245–246
system health and resiliency metrics, 168
system operational assurance
MSwA BoK (Body of Knowledge), 233–234
Software Assurance Competency Model, 247–248
system security assurance
MSwA (Master of Software Assurance) Reference Curriculum, 103–105
MSwA BoK (Body of Knowledge), 231–232
Software Assurance Competency Model, 244–245
System Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems (NIST), 150
systemic risk. See mission risk
Systems Engineering Handbook (Haskins), 214
T
table of contents (BSIMM Assessment Final Report), 281
TACIT approach, 150
Technology Management (TM) process area, 66
testing
build and integration tests, 164–165
performance tests, 166
software security measures, 326
user acceptance testing, 166
Thompson, William (Lord Kelvin), 115
threats
overview, 27
time frame, 20
TM (Technology Management) process area, 66
training catalog (NICCS), 81
transfer of risk, 28
trusted dependencies, 8, 126, 330
Twitter security automation, 165–166
U
uncertainty, 18
US energy sector, 143
use cases
definition of, 172
user acceptance testing, 166
V
vertical data (BSIMM Assessment Final Report), 300–304
Visible Ops Security (Kim), 162
vulnerabilities
code and design flaw vulnerabilities
Android operating system, 175
CWE (Common Weakness Enumeration), 176–177
digital certificates, 175
CVE (Common Vulnerability Enumeration), 122
definition of, 10
OpenSSL Heartbleed vulnerability, 177
overview, 27
pervasiveness of, 2
vulnerability analysis, 63
zero-day vulnerabilities, 177
W-X-Y-Z
WEA (Wireless Emergency Alerts) case study
mission thread example, 217–219
preparation for mission thread analysis, 213–215
risk management, 131
security analysis
security risk scenario, 222–224
well planned evidence, 330
wireless emergency alerts
definition of, 14
WEA (Wireless Emergency Alerts) case study
mission thread example, 217–219
preparation for mission thread analysis, 213–215
risk management, 131
security risk scenario, 222–224
work processes, 29
workflows, 29
worms, Morris, 7
zero-day vulnerabilities, 177