Index
Note: Page numbers followed by f indicate figures and t indicate tables.
A
Airport luggage screening example
191–193Architectural design process
107Assurance argument
60countermeasure argument
144layered defense argument
228security requirement argument
144–145vulnerability argument
144C
Case study
301–302building the integrated system model
319–327business vocabulary and security policy
308–319Concept of operations (CONOP)
302–308external security notes
308implementation assumptions
306interfaces with other systems
307internal security notes
308mapping cybersecurity facts to system facts
327–330Claims
38,
39assurance argument development
60,
61Common Criteria (CC)
Evaluation Assurance Levels
45Evaluation Assurance Process
45Common Fact Model
229fautomatic derivation of facts
219–220fact-oriented integration
218information exchange protocols
206–208information exchanges and assurance
217–218relations between concepts
212Common Vulnerability Scoring System (CVSS)
99Common Warehouse Metamodel (CWM)
256Common Weakness Enumeration (CWE)
174–175Computer Emergency Response Team (CERT)
Coordination Center (CERT/CC)
151Concept of operations (CONOP)
59,
60,
98Correction of vulnerability
164Creation of vulnerability
164D
Death of vulnerability
165Defense Enterprise Architecture interoperability project
119–120Defense-in-depth argument
65Department of Defense Architecture Framework (DODAF)
90–92,
90f,
91t,
93tDisclosure of vulnerability
164Discovery of vulnerability
164Documentation, out-of-date
E
Evidence
16,
103–104support for cybersecurity arguments
228tsystem life cycle evidence
103Executive summary, case study
302–303Exploitation of vulnerability
165F
Fact-oriented integration
218Failure Modes, Effects and Analysis
152Fault Tree Analysis Method
152Federal Desktop Core Configuration (FDCC)
166–167G
Goal-Structuring Notation (GSN)
41,
42tH
Hazardous element (HE)
124I
Implementation and Integration
50Implementation process
107Incident components
34,
34fInitiating mechanism (IM)
124Integration process
107fact-oriented integration
218International Security Engineering Association (ISSEA)
31–32M
Machine-readable artifacts
72–73Memory access software faults
184–185Memory management software faults
184Model Driven Architecture (MDA)
N
National Checklist Program (NCP)
166–167National Defense Industrial Association (NDIA)
16National Institute for Standards and Technology (NIST)
82Common Vulnerability Scoring System (CVSS)
99National Security Agency (NSA)
82Network Rating Methodology
82Network security testing tools
11–12O
Object Management Group (OMG)
235Off-the-shelf system components
70Off-the-shelf vulnerabilities
70OMG Software Assurance Ecosystem
17,
193–199end-to-end solution provision
198,
199fknowledge-driven integration
198,
198fprotocols
198,
202–203concrete knowledge discovery protocol
195–196content import protocol
196general knowledge protocol
195knowledge creation protocol
197knowledge delivery protocols
195knowledge refinery protocol
197knowledge sharing protocol
197system analysis protocols
195Open Source Vulnerability Database (OSVDB)
161–163,
162fOperation and maintenance process
108Operational Security Service
50Operational views and viewpoints
93,
94f,
95fP
Packet injection techniques
11Path resolution software faults
185Patterns
26,
71,
139,
140,
141,
142–143,
144,
172–173,
173f,
174–178,
175f,
250,
321Process-based assurance
25,
104Project Assurance Case development
49–50Project management processes
105,
106Prolog, representation of facts
225–226Protocols
for exchanging vocabularies
235information exchange protocols
206–208R
Rapid Application Development (RAD)
Repository, fact-based
53,
66–67,
71,
86–87,
139,
176,
191,
195,
196–197,
196,
257,
319,
324,
326,
332–335Requirements analysis process
107Resource Description Framework
254–255S
Security assessment
50,
171–174policy compliance assessment
172secure coding assessment
171security architecture assessment
172Security Content Automation Protocol (SCAP)
Security Information Provider
156Security Management Plan
50Semantics of Business Vocabularies and Business Rules (SBVR)
235–236vocabularies
for describing representation
245–247Sensitivity, of assets
116,
122Sentential form, in SBVR
246Sniffing techniques
11,
12Software Assurance Evidence Metamodel
226Software Engineering Institute (SEI)
151Software fault patterns (SFPs)
175–186Stakeholder requirements definition process
106Standards, noncompliance with
Statement of Work (SOW)
54,
57System
81–82conceptual commitment for system descriptions
85–87knowledge, multiple viewpoints and
95–98limits of resolution
84–85System architecture
87–90architectural design process
107System Security Engineering Capability Maturity Model (SSE-CMM)
33System views and viewpoints
94,
95fT
Tainted input software faults
185–186Target and Threat (T/T)
124Traceability
link, vertical
66–67,
68,
73–74,
142–143,
256–257,
258–259,
281,
294,
322,
323Transfer into operation
50U
User Interface (UI) package
256V
Validation
15–16vulnerability detection coverage
71Vulnerability assessment
13issues
8–11lack of complete system coverage
production of false positives and false negatives
10,
12W
White-box testing
8–9lack of complete system coverage
production of false positives and false negatives
10
..................Content has been hidden....................
You can't read the all page of ebook, please click
here login for view all page.