Struggles at the Frontiers: Persistent Pursuit of Software Assurance in the Development and Sustainment of Defense Systems Dr. Kenneth E.
|
|
- Roy McDonald
- 5 years ago
- Views:
Transcription
1 Struggles at the Frontiers: Persistent Pursuit of Software Assurance in the Development and Sustainment of Dr. Kenneth E. Nidiffer Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Struggles Struggles at the at Frontiers: the Frontiers: Persistent Persistent Pursuit Pursuit of Software of Assurance Software in the Assurance Development in the Development and Sustainment and of Defense Sustainment Systems of [[Distribution 1
2 Copyright 2017 Carnegie Mellon University Copyright 2017 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.. Please see Copyright notice for non-us Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. TSP SM DM
3 Software Enabled Systems are Today s Strategic Resource Software is the building material for modern society Software Oil Dr. Bill Scherlis* Steam Manual Labor Water Source: SEI Increasing globalization 3
4 SEI Works in Several Core Technical Areas Autonomy & Counter- Autonomy C4ISR Mission Assurance Cyber Missions Data Modeling & Analytics Human- Machine Interactions Software & Information Assurance Systems Verification & Validation Combine to Provide Software and Cyber Capabilities 4
5 Context Definition*: The level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software throughout the life cycle. Perspective: Persistent pursuit of software quality assurance is a constant struggle Future: Software enabled systems underpin the cyber environment, enabling explorations into new frontiers *Source: DoDI Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), and 2013 NDAA S933 Source: SEI 5
6 Software Assurance is a Constant Purpose, and Software- Enabled Systems are Moving Targets Constant purpose Software assurance provides the required level of confidence that software functions as intended (and no more) and is free of vulnerabilities, either intentionally or unintentionally designed or inserted in software, throughout the lifecycle* Moving target The changing and expanding role that software plays in cyberspace means that the development of software-enabled systems must continue to evolve while we pursue software quality *Source: DoDI Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), and 2013 NDAA S933 6
7 Software Assurance Struggles at the Frontiers 1. Increasing complexity of software assurance 2. Satisfying unique operational mission and business needs 3. Solving the SDLC* software tool chasm 4. Addressing limited spectrum availability 5. Handling the expanding code base 6. Understanding attack patterns, vulnerabilities, and weaknesses 7. Increasing vulnerabilities 8. Designing-in software quality over the lifecycle 9. Reducing technical debt 10. Working in the infancy of software engineering discipline * SDLC: System Development Life Cycle 7
8 Increasing Complexity of Software Assurance First Line of Defense in Software Assurance is the Application (Software) Layer 84% of breaches exploit vulnerabilities in the Application 1 Yet, funding for IT defense vs. software assurance is 23-to Clark, Tim, Most cyber Attacks Occur from this Common Vulnerability, Forbes Feiman, Joseph, Maverick Research: Stop Protecting Your Apps; It s Time for Apps to Protect Themselves, Gartner G
9 SEI Technical Themes SEI Technologies Address DoD Software Assurance Challenges In the broad sense as defined by the DoD challenges and underscored by the SEI Technical Insight. Focus Areas: the behavior as built: architecture evaluation, code analysis, security patterns, etc. the behavior during evolution: system monitoring and self-adaptation, etc. the affordability: cost estimation, sustainment work, etc. the quality: defect modeling, architectural fault modeling, requirements engineering, etc. the mission success: acquisition support, acquisition dynamics, acquisition and architecture alignment, etc. 9
10 Satisfying Unique Operational Mission and Business Needs Practical Answers for a Complicated World Intelligent Integrated Solutions Source: SEI 10
11 Addressing Limited Spectrum Availability Spectrum-based Technologies - Key to DoD Mission and Commercial Business Needs DoD Mission Increasing spectrum needs Commercial Business Increasing spectrum needs Exploding requirements for information and mobility! CAGR = compound annual growth rate Source: Kenneth R. Turner, Dep. Director, Spectrum Policy and International Engagements, DoD Chief Information Officer 11
12 Handling the Expanding Code Base Software Is Dramatically Expanding with Limited Natural Governance Size of Codebase (SLOC) Google = 2,000 MSLOC Healthcare.gov Debian 5.0 (all software in package) Software in typical new car, 2013 Mac OS X 10.4 Debian 5.0 codebase US Army's Future Combat System Facebook (without backend code) Windows Vista (2007) Microsoft Visual Studio 2012 Large Hadron Collider Microsoft Office (2013) Windows XP (2001) Windows 7 Symbian Microsoft Office for Mac (2006) Windows 2000 (2000) Microsoft Office (2001) F-35 Fighter Apache Open Office Linux 3.1 (recent version, 2013) Android (upper estimate) Boeing 787, total flight software Source: David McCandless, Information is Beautiful, 21 September 2016 web retrieval Millions of Source Lines of Code 12
13 Understanding Attack Patterns, Vulnerabilities, and Weaknesses water known threat actors flooding attack patterns (CAPEC) hatch door in sub weaknesses & vulnerabilities (CWE/CVE) close door actions* System & System Security Engineering Trades sub fills w/water technical impacts sub sinks operational impacts Attack Weakness Item Impact Asset Attack Weakness Item Impact Function Attack Weakness Impact Asset Weakness/ Vulnerability Reported Item Source: Bob Martin, MITRE Actions include architecture choices; design choices; added security functions, activities, and processes; physical decomposition choices; static and dynamic code assessments; design reviews; dynamic testing; and pen testing. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. 13
14 Increasing Vulnerabilities Reported Common Vulnerabilities and Exposures (CVE) CVE 1999 to WEAKNESSES VULNERABILITIES CVEs (reported, publicly known vulnerabilities and exposures with patches) Unreported or undiscovered Vulnerabilities Zero-Day Vulnerabilities (previously unmitigated weaknesses that are exploited with little or no warning) Uncharacterized Weaknesses CWEs (characterized, discoverable, possibly exploitable weaknesses with mitigations) Source: Dr. Robert A. Martin, MITRE Corporation, August MITRE 14
15 Designing-in System Acquisition Quality Over the Lifecycle Continuous Engineering Over The Life Cycle Understand SwA Risks Design Principles Design Inspection Secure Coding Practices Code Inspection Test Coverage Metrics Pen Test Monitor Threats/ Attacks Respond to Incidents Defects Upgrade SwA Requirements Decision Developmental RFP Decision Full Rate Production Decision Review A B C MDD Materiel Solution Analysis AOA Technology Maturation & Risk Reduction Engineering & Manufacturing Development ICD Production and Deployment Operation and Sustainment ASR SRR SFR PDR CDR TRR SVR OTRR IOT&E IOC FOC Criticality Analysis Threat Vuln Analysis SwA Counter- Measures RFP Eliminate Design Flaws Sound Arch & Design Identify Code Flaws More Secure Code Identify Test Gaps Better Test Suites Vuln Root Cause Fewer Process Vuln Effective Threat Response Cyber Situational Awareness Cyber Hardened Systems Software assurance must be baked-in throughout entire system lifecycle Source: OSD/DASD/SE Distribution Statement A Approved for public release. Distribution is unlimited. 15
16 SEI Supporting JFAC* Pilot Program Focused on Solving the SDLC Software Assurance Tool Chasm The JFAC is a federation of DoD organizations that have a shared interest in promoting software and hardware assurance in defense acquisition programs, systems, and supporting activities. SEI provides experience SEI technical staff to support the dynamic and evolving needs of the JFAC, such as the SDLC software assurance tool chasm *JFAC: D0D Joint Federated Assurance Center 16
17 Reducing Technical Debt Engineering Assurance into the Fabric of Programs Right Direction Source: PERFORMANCE OF THE DEFENSE ACQUISITION SYSTEM 2015 ANNUAL REPORT Sept 16,
18 Reducing Technical Debt Aircraft Software Development and Rework Cost Reference: U.S. Air Force Scientific Advisory Board. Sustaining Air Force Aging Aircraft into the 21st Century (SAB-TR-11-01). U.S. Air Force,
19 Working in the Infancy of the Software Engineering Discipline Integrate Software and Systems Engineering with a Focus on Cyber Physical Science Bioscience Computer/Software/Cyber Science Origins/History Begun in antiquity Begun in antiquity Mid-20th century Enduring Laws Framework of Scientific Study R&D and Launch Cycle Laws are foundational to furthering exploration in the science Four main areas: astronomy, physics, chemistry, and earth sciences Laws are foundational to furthering exploration in the science Science of dealing with health maintenance and disease prevention and treatment Only mathematical laws have proven foundational to computation Several areas of study: computer science, software/systems engineering, IT, HCI, social dynamics, AI All nodes are attached to and rely on a netted system years years Significantly compressed; solution time to market must happen very quickly HCI: human computer interaction; AI: artificial intelligence Source: SEI 19
20 Software Assurance Struggles at the Frontiers 1. Increasing Complexity of Software Assurance 2. Satisfying unique operational mission and business needs 3. Solving the SDLC Software Tool Chasm 4. Addressing limited spectrum availability 5. Handling the expanding code base 6. Understanding attack patterns, vulnerabilities, and weaknesses 7. Increasing vulnerabilities 8. Designing-in software quality over the lifecycle 9. Reducing Technical Debt 10. Working in the infancy of software engineering discipline 20
21 SEI Technologies Address DoD Software Assurance Challenges Today s Presentations of SEI s Contributions Software Vulnerabilities Track - Relationship Between Design Flaws and Software Vulnerabilities - Predicting Software Bug Closure Rates and Reliability Growth with Weibull Modeling - Using Malware Analysis to Identify Overlooked Security Requirements Modernization and Sustainment Track - Case Study - Successful Government Roadmap Modernization Project - Panel - Software Sustainment: Continuous Engineering to Deliver Warfighter Capability - Methodology for the Cost Benefit Analysis of a Large Scale Multiphasic Software Enterprise Migration 21
22 Questions? 22
23 Contact Information Dr. Kenneth E. Nidiffer, Director of Strategic Plans for Government Programs Software Engineering Institute, Carnegie Mellon University Office: Fax: nidiffer@sei.cmu.edu 23
24 References Gallagher, B.; Nidiffer, K. & Saga, R. The Ordered Process for Improving Agile Engineering Outcomes, CrossTalk, Nov/Dec 2016 JFAC Collaboration Portal SEI Training: Manage Cybersecurity Risk Across the Lifecycle - The CERT Software Assurance Framework (SAF) Assessment SEI Training: Architecture Tradeoff Analysis Method (ATAM) SEI Training: Security Requirements Engineering Using the SQUARE Method SEI Training: Team Software Process (TSP) Source Code Analysis Laboratory (SCALe), SEI Technical Note, CMU/SEI-2012-TN- 013, 2013 Quantifying Uncertainty in Early Lifecycle Cost Estimation (QUELCE), Technical Report, CMU/SEI-2011-TR-026, 2011 Alberts, C.; Woody, C.; & Dorofee, A. Evaluating Security Risks using Mission Threads(CMU/SEI-2014-TN-025),
Measurement Challenges: Engineering-In Software Quality Assurance to the System Acquisition Lifecycle
Measurement Challenges: Engineering-In Software Quality Assurance to the System Acquisition Lifecycle Eighteenth Practical Software and Systems Measurement Users Group Workshop Measurement in a Complex
More informationDynamics of Integrating Software Assurance Engineering Activities into the System Acquisition Life Cycle
Dynamics of Integrating Software Assurance Engineering Activities into the System Acquisition Life Cycle 20th Annual Systems Engineering Conference Waterford Conference Center Springfield, VA October 23
More informationAchieving DoD Software Assurance (SwA)
Achieving DoD Software Assurance (SwA) Thomas Hurt Office of the Deputy Assistant Secretary of Defense for Systems Engineering 20th Annual NDIA Systems Engineering Conference Springfield, VA October 26,
More informationSoftware, Security, and Resiliency. Paul Nielsen SEI Director and CEO
Software, Security, and Resiliency Paul Nielsen SEI Director and CEO Dr. Paul D. Nielsen is the Director and CEO of Carnegie Mellon University's Software Engineering Institute. Under Dr. Nielsen s leadership,
More informationThe Perfect Storm Cyber RDT&E
The Perfect Storm Cyber RDT&E NAVAIR Public Release 2015-87 Approved for public release; distribution unlimited Presented to: ITEA Cyber Workshop 25 February 2015 Presented by: John Ross NAVAIR 5.4H Cyberwarfare
More informationTSP and Security. PSP/TSP Community of Practice Breakout Group. December 14-15, 2016
TSP and Security PSP/TSP Community of Practice Breakout Group December 14-15, 2016 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2016 Carnegie Mellon University Topics
More informationEngineering Improvement in Software Assurance: A Landscape Framework
Engineering Improvement in Software Assurance: A Landscape Framework Lisa Brownsword (presenter) Carol C. Woody, PhD Christopher J. Alberts Andrew P. Moore Agenda Terminology and Problem Scope Modeling
More informationDoD Joint Federated Assurance Center (JFAC) Update
DoD Joint Federated Assurance Center (JFAC) Update Thomas D. Hurt Office of the Deputy Assistant Secretary of Defense for Systems Engineering 19th Annual NDIA Systems Engineering Conference Springfield,
More informationRoles and Responsibilities on DevOps Adoption
Roles and Responsibilities on DevOps Adoption Hasan Yasar Technical Manager, Adjunct Faculty Member Secure Lifecycle Solutions CERT SEI CMU Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationDr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs
War Fighting Technologies: Enhance Advance - Modernize: -Technological/Acquisition Advances Enabling a More Responsive 24th Anniversary - Systems & Software Technology Conference April 23-26, 2012 Salt
More informationCyber Hygiene: A Baseline Set of Practices
[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationJulia Allen Principal Researcher, CERT Division
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using CERT -RMM (Case Study) Julia Allen Principal Researcher, CERT Division Julia Allen is a principal researcher
More informationSEI/CMU Efforts on Assured Systems
Unclassified//For Official Use Only SEI/CMU Efforts on Assured Systems 15 November 2018 *** Greg Shannon CERT Division Chief Scientist Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationAdvancing Cyber Intelligence Practices Through the SEI s Consortium
Advancing Cyber Intelligence Practices Through the SEI s Consortium SEI Emerging Technology Center Jay McAllister Melissa Kasan Ludwick Copyright 2015 Carnegie Mellon University This material is based
More informationT&E Workforce Development
T&E Workforce Development 2016 ITEA Cyber Security Workshop Mr. Thomas W. Simms Deputy Director, T&E Competency & Development Deputy Assistant Secretary of Defense (DT&E) March 17, 2016 Agenda Policy Overview
More informationCyber Threat Prioritization
Cyber Threat Prioritization FSSCC Threat and Vulnerability Assessment Committee Jay McAllister Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information
More informationInformation Security Is a Business
Information Security Is a Business Continuity Issue: Are You Ready? Dr. Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie Mellon University
More informationTest and Evaluation Methodology and Principles for Cybersecurity
Test and Evaluation Methodology and Principles for Cybersecurity Andrew Pahutski Deputy Director; Cyber & Information Systems Office of the Secretary of Defense (OSD) Developmental Test and Evaluation
More informationSoftware Assurance Education Overview
Software Assurance Education Overview Nancy Mead June 2011 ABSTRACT: Complex software systems affect nearly every aspect of our lives, in areas such as defense, government, energy, communication, transportation,
More informationDefining Computer Security Incident Response Teams
Defining Computer Security Incident Response Teams Robin Ruefle January 2007 ABSTRACT: A computer security incident response team (CSIRT) is a concrete organizational entity (i.e., one or more staff) that
More informationBe Like Water: Applying Analytical Adaptability to Cyber Intelligence
SESSION ID: HUM-W01 Be Like Water: Applying Analytical Adaptability to Cyber Intelligence Jay McAllister Senior Analyst Software Engineering Institute Carnegie Mellon University @sei_etc Scuttlebutt Communications
More informationThe CERT Top 10 List for Winning the Battle Against Insider Threats
The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:
More informationEngineering Your Software For Attack
Engineering Your Software For Attack Robert A. Martin Senior Principal Engineer Cyber Security Center Center for National Security The MITRE Corporation 2013 The MITRE Corporation. All rights reserved.
More informationProgram Protection Implementation Considerations
Program Protection Implementation Considerations Melinda Reed Deputy Director for Program Protection Office of the Deputy Assistant Secretary of Defense for Systems Engineering NDIA Program Protection
More informationJoint Federated Assurance Center (JFAC): 2018 Update. What Is the JFAC?
21 st Annual National Defense Industrial Association Systems and Mission Engineering Conference Joint Federated Assurance Center (JFAC): 2018 Update Thomas Hurt Office of the Under Secretary of Defense
More informationUNCLASSIFIED. FY 2016 Base FY 2016 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Office of the Secretary Of Defense Date: February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 2: COST ($ in Millions) Prior
More informationDepartment of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview
Department of Defense (DoD) Joint Federated Assurance Center (JFAC) Overview Kristen Baldwin Principal Deputy, Office of the Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) 17
More informationDr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation
Nov 2012 Page-1 Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation November 2012 Nov 2012 Page-2 DT&E for Complex Systems Performance Reliability Interoperability Information Security
More informationProviding Information Superiority to Small Tactical Units
Providing Information Superiority to Small Tactical Units Jeff Boleng, PhD Principal Member of the Technical Staff Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon
More informationThe Need for Operational and Cyber Resilience in Transportation Systems
The Need for Operational and Cyber Resilience in Transportation Systems January 14, 2016 Dr. Nader Mehravari, MBCP, MBCI Cyber Risk and Resilience Management Software Engineering Institute Software Carnegie
More informationResearching New Ways to Build a Cybersecurity Workforce
THE CISO ACADEMY Researching New Ways to Build a Cybersecurity Workforce Pamela D. Curtis, Summer Craze Fowler, David Tobar, and David Ulicne December 2016 Organizations across the world face the increasing
More informationUNCLASSIFIED FY 2016 OCO. FY 2016 Base
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Office of the Secretary Of Defense Date: February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 3: Advanced Technology Development
More informationDenial of Service Attacks
Denial of Service Attacks CERT Division http://www.sei.cmu.edu REV-03.18.2016.0 Copyright 2017 Carnegie Mellon University. All Rights Reserved. This material is based upon work funded and supported by
More informationA Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management
A Supply Chain Attack Framework to Support Department of Defense Supply Chain Security Risk Management D r. J o h n F. M i l l e r T h e M I T R E C o r p o r a t i o n P e t e r D. K e r t z n e r T h
More informationCurrent Threat Environment
Current Threat Environment Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213, PhD Technical Director, CERT mssherman@sei.cmu.edu 29-Aug-2014 Report Documentation Page Form
More informationIntegrating the Risk Management Framework (RMF) with DevOps
Integrating the Risk Management Framework (RMF) with DevOps March 2018 Timothy A. Chick Security Automation Systems Technical Manager Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationCybersecurity in Acquisition
Kristen J. Baldwin Acting Deputy Assistant Secretary of Defense for Systems Engineering (DASD(SE)) Federal Cybersecurity Summit September 15, 2016 Sep 15, 2016 Page-1 Acquisition program activities must
More informationSituational Awareness Metrics from Flow and Other Data Sources
Situational Awareness Metrics from Flow and Other Data Sources SEI CERT NetSA 2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE
More informationCausal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs
use Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs Bob Stoddard Mike Konrad SEMA SEMA November 17, 2015 Public Release; Distribution is Copyright 2015 Carnegie
More informationComponents and Considerations in Building an Insider Threat Program
Components and Considerations in Building an Insider Threat Program Carly Huth Insider Threat Researcher, CEWM Carly L. Huth is an insider threat researcher in the Cyber Enterprise and Workforce Management
More informationGoal-Based Assessment for the Cybersecurity of Critical Infrastructure
Goal-Based Assessment for the Cybersecurity of Critical Infrastructure IEEE HST 2010 November 10, 2010 NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS
More informationUNCLASSIFIED. R-1 Program Element (Number/Name) PE D8Z / Software Engineering Institute (SEI) Applied Research. Prior Years FY 2013 FY 2014
Exhibit R-2, RDT&E Budget Item Justification: PB 2015 Office of Secretary Of Defense Date: March 2014 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 2: COST ($ in Millions) Prior Years
More informationUsing CERT-RMM in a Software and System Assurance Context
Using CERT-RMM in a Software and System Assurance Context Julia Allen SEPG NA 2011 24 March 2011 Agenda What is the CERT Resilience Management Model (CERT-RMM)? Model Building Blocks CERT-RMM for Assurance
More informationUNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2013 Office of Secretary Of Defense DATE: February 2012 COST ($ in Millions) FY 2011 FY 2012 Base OCO Total FY 2014 FY 2015 FY 2016 FY 2017 Cost To Complete
More informationFall 2014 SEI Research Review FY14-03 Software Assurance Engineering
Fall 2014 SEI Research Review FY14-03 Software Assurance Engineering Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Carol Woody, Ph.D. October 28, 2014 Report Documentation
More informationARINC653 AADL Annex Update
ARINC653 AADL Annex Update Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange AADL Meeting February 15 Report Documentation Page Form Approved OMB No. 0704-0188
More informationCERT Overview. Jeffrey J. Carpenter 2008 Carnegie Mellon University
CERT Overview Jeffrey J. Carpenter 2008 Carnegie Mellon University Software Engineering Institute Department of Defense R&D Laboratory FFRDC Created in 1984 Administered by Carnegie Mellon
More informationWhy Is R&D in the Cyber and Software Engineering Environment Different?
Why Is R&D in the Cyber and Software Engineering Environment Different? Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Terry Roberts April 28, 2010 Why Is Cyberspace Critical
More informationImplementing a Modular Open Systems Approach (MOSA) to Achieve Acquisition Agility in Defense Acquisition Programs
Implementing a Modular Open Systems Approach (MOSA) to Achieve Acquisition Agility in Defense Acquisition Programs Philomena Zimmerman Office of the Deputy Assistant Secretary of Defense for Systems Engineering
More informationUNCLASSIFIED FY 2016 OCO. FY 2016 Base
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Office of the Secretary Of Defense Date: February 2015 0400:,, Test & Evaluation, Defense-Wide / BA 3: Advanced Technology (ATD) COST ($ in Millions)
More informationIt s just software Or It s all software and it s the new normal
NSWCDD-PN-18-00055 t s just software Or t s all software and it s the new normal John Seel, Ph.D. Distinguished Engineer for Warfare s Software 540-653-4443 John.seel@navy.mil Thoughts about software We
More informationSoftware & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management
Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management Joe Jarzombek, PMP, CSSLP Director for Software & Supply
More informationMeasuring and Evaluating Cyber Risk in ICS Components, Products and Systems
Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems Copyright 2018 UL LLC. All rights reserved. No portion of this material may be reprinted in any form without the express written
More informationMeasuring the Software Security Requirements Engineering Process
Measuring the Software Security Requirements Engineering Process Nancy Mead July 2012 ABSTRACT: Although there has been much research work in security requirements engineering, we do not have adequate
More informationUNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2013 Office of Secretary Of Defense DATE: February 2012 0400: Research,, Test & Evaluation, Defense-Wide BA 3: Advanced Technology (ATD) COST ($ in Millions)
More informationSupply Chain Information Exchange: Non-conforming & Authentic Components
Supply Chain Information Exchange: Non-conforming & Authentic Components Joe Jarzombek Director for Software and Supply Chain Assurance Stakeholder Engagement & Cyber Infrastructure Resilience Agenda Purpose
More informationOpen Systems: What s Old Is New Again
Open Systems: What s Old Is New Again Tricia Oberndorf & Dr. Carol Sledge NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE
More informationPanel: Future of Cloud Computing
Panel: Future of Cloud Computing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Grace Lewis Advanced Mobile Systems (AMS) Initiative July 9, 2014 Mobile Device Trends Smartphones
More informationPrioritizing Alerts from Static Analysis with Classification Models
Prioritizing Alerts from Static Analysis with Classification Models PI: Lori Flynn, PhD Team: Will Snavely, David Svoboda, Dr. David Zubrow, Bob Stoddard, Dr. Nathan VanHoudnos, Dr. Elli Kanal, Richard
More informationThe Confluence of Physical and Cyber Security Management
The Confluence of Physical and Cyber Security Management GOVSEC 2009 Samuel A Merrell, CISSP James F. Stevens, CISSP 2009 Carnegie Mellon University Today s Agenda: Introduction Risk Management Concepts
More informationAdvanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018
Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI ) is a trademark of the U.S. Department of Homeland
More informationInference of Memory Bounds
Research Review 2017 Will Klieber, software security researcher Joint work with Will Snavely public release and unlimited distribution. 1 Copyright 2017 Carnegie Mellon University. All Rights Reserved.
More informationSmart Grid Maturity Model
Smart Grid Maturity Model Austin Montgomery Software Engineering Institute Carnegie Mellon University Software Engineering Institute Carnegie Mellon University 2 SEI is a federally-funded research and
More informationAnalyzing 24 Years of CVD
public release and unlimited distribution. Allen Householder adh@cert.org Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright. All Rights Reserved. This material is
More informationInvestigating APT1. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Deana Shick and Angela Horneman
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Deana Shick and Angela Horneman Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported
More informationDATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE
DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies
More informationPassive Detection of Misbehaving Name Servers
Passive Detection of Misbehaving Name Servers Based on CMU/SEI-2013-TR-010 Jonathan Spring, Leigh Metcalf netsa-contact (AT) cert.org Flocon 2014, Charleston SC 2014 Carnegie Mellon University Copyright
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationALIGNING CYBERSECURITY AND MISSION PLANNING WITH ADVANCED ANALYTICS AND HUMAN INSIGHT
THOUGHT PIECE ALIGNING CYBERSECURITY AND MISSION PLANNING WITH ADVANCED ANALYTICS AND HUMAN INSIGHT Brad Stone Vice President Stone_Brad@bah.com Brian Hogbin Distinguished Technologist Hogbin_Brian@bah.com
More informationEvolving the Security Strategy for Growth. Eric Schlesinger Global Director and CISO Polaris Alpha
Evolving the Security Strategy for Growth Eric Schlesinger Global Director and CISO Polaris Alpha Evolving the Security Strategy for Growth Where Do We Start? Our History, Making History In late 2016,
More informationUNCLASSIFIED. FY 2016 Base FY 2016 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Office of the Secretary Of Defense : February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development
More informationThe Insider Threat Center: Thwarting the Evil Insider
The Insider Threat Center: Thwarting the Evil Insider The CERT Top 10 List for Winning the Battle Against Insider Threats Randy Trzeciak 14 June 2012 2007-2012 Carnegie Mellon University Notices 2011 Carnegie
More informationMeeting PCI DSS 3.2 Compliance with RiskSense Solutions
Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business
More informationReinvent Your 2013 Security Management Strategy
Reinvent Your 2013 Security Management Strategy Laurent Boutet 18 septembre 2013 Phone:+33 6 25 34 12 01 Email:laurent.boutet@skyboxsecurity.com www.skyboxsecurity.com What are Your Key Objectives for
More informationReport Writer and Security Requirements Finder: User and Admin Manuals
Report Writer and Security Requirements Finder: User and Admin Manuals Nancy R. Mead CMU MSE Studio Team Sankalp Anand Anurag Gupta Swati Priyam Yaobin Wen Walid El Baroni June 2016 SPECIAL REPORT CMU/SEI-2016-SR-002
More information2013 US State of Cybercrime Survey
2013 US State of Cybercrime Survey Unknown How 24 % Bad is the Insider Threat? Insiders 51% 2007-2013 Carnegie Mellon University Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting
More informationCyberspace T&E Drivers and Initiatives
Cyberspace T&E Drivers and Initiatives ITEA Cyber Security Workshop Dr. C. David Brown, PE, CTEP Deputy Assistant Secretary of Defense (DT&E) Director, Defense Test Resource Management Center Residence
More informationData to Decisions Terminate, Tolerate, Transfer, or Treat
I N S T I T U T E F O R D E F E N S E A N A L Y S E S Data to Decisions Terminate, Tolerate, Transfer, or Treat Laura A. Odell 25 July 2016 Approved for public release; distribution is unlimited. IDA Non-Standard
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Copyright 2014 Carnegie Mellon University This material
More informationHP Fortify Software Security Center
HP Fortify Software Security Center Proactively Eliminate Risk in Software Trust Your Software 92% of exploitable vulnerabilities are in software National Institute for Standards and Technology (NIST)
More informationSEI Research Program. Dr. Kevin Fall Deputy Director, Research, and CTO SSC Carnegie Mellon University
Deputy Director, Research, and CTO kfall@sei.cmu.edu A DoD federally funded research and development center (FFRDC) at Carnegie Mellon University founded in 1984 Only DoD R&D center focused on software
More informationSystems Engineering and System Security Engineering Requirements Analysis and Trade-Off Roles and Responsibilities
Systems Engineering and System Security Engineering Requirements Analysis and Trade-Off Roles and Responsibilities Melinda Reed Office of the Deputy Assistant Secretary of Defense for Systems Engineering
More informationThe University of Queensland
UQ Cyber Security Strategy 2017-2020 NAME: UQ Cyber Security Strategy DATE: 21/07/2017 RELEASE:0.2 Final AUTHOR: OWNER: CLIENT: Marc Blum Chief Information Officer Strategic Information Technology Council
More informationSecuring the Internet of Things (IoT) at the U.S. Department of Veterans Affairs
Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs Dominic Cussatt Acting Deputy Assistant Secretary / Chief Information Security Officer (CISO) February 20, 2017 The Cyber
More informationCyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS
Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported
More informationDefense Engineering Excellence
Defense Engineering Excellence Kristen J. Baldwin Principal Deputy Office of the Deputy Assistant Secretary of Defense for Systems Engineering, OUSD(AT&L) 18th Annual NDIA Systems Engineering Conference
More informationStatic Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT
Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2016 Carnegie
More informationFall 2014 SEI Research Review Verifying Evolving Software
Fall 2014 SEI Research Review Verifying Evolving Software Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel October 28, 2014 Report Documentation Page Form Approved
More informationCybersecurity in Government
Cybersecurity in Government Executive Development Course: Digital Government Ng Lup Houh, Principal Cybersecurity Specialist Cybersecurity Group 03 April 2018 Agenda Cyber Threats & Vulnerabilities Cyber
More informationVerifying Periodic Programs with Priority Inheritance Locks
Verifying Periodic Programs with Priority Inheritance Locks Sagar Chaki, Arie Gurfinkel, Ofer Strichman FMCAD, October, 03 Software Engineering Institute, CMU Technion, Israel Institute of Technology Copyright
More informationModeling the Implementation of Stated-Based System Architectures
Modeling the Implementation of Stated-Based System Architectures Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H Feiler June 2009 Are Everywhere What is a state-based
More informationThe Operational Test & Evaluation Cybersecurity Terrain
The Operational Test & Evaluation Cybersecurity Terrain William Budman Redmond AFOTEC/ED Approved for public release; distribution is unlimited. AFOTEC Public Affairs Public Release Number 2018-03 1 BLUF:
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationPanelists. Moderator: Dr. John H. Saunders, MITRE Corporation
SCADA/IOT Panel This panel will focus on innovative & emerging solutions and remaining challenges in the cybersecurity of industrial control systems ICS/SCADA. Representatives from government and infrastructure
More informationHQ 754 th Electronic Systems Group. Application Software Assurance Center of Excellence (ASACoE) Maj Michael Kleffman, CTO ASACoE
HQ 754 th Electronic Systems Group Application Software Assurance Center of Excellence (ASACoE) Maj Michael Kleffman, CTO ASACoE Overview Context and Mission Resources and Tempo Accomplishments Services
More informationShift Left: Putting the Process Into Action
U.S. ARMY EVALUATION CENTER Shift Left: Putting the Process Into Action March 30, 2017 Agenda The Evaluator s Motivation Where We Were Guidance and Policy Putting it into Action 2 The Evaluator s Motivation
More informationAn Accelerated Approach to Business Capability Acquisition for the Montgomery IT Summit. Presented by: Mr. Paul Ketrick May 19, 2009
An Accelerated Approach to Business Capability Acquisition for the Montgomery IT Summit Presented by: Mr. Paul Ketrick May 19, 2009 2 IT Acquisition Issues Main issue observed that DoD software programs
More informationInsider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey
Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey CyberMaryland Conference 2017 Bob Andersen, Sr. Manager Federal Sales Engineering robert.andersen@solarwinds.com
More informationCollaborative Autonomy with Group Autonomy for Mobile Systems (GAMS)
Collaborative Autonomy with Group Autonomy for Mobile Systems (GAMS) Presenter: (jredmondson@sei.cmu.edu) Date: August 19, 2014 Copyright 2014 Carnegie Mellon University This material is based upon work
More information