Fall 2014 SEI Research Review FY14-03 Software Assurance Engineering
|
|
- Damon Bennett
- 5 years ago
- Views:
Transcription
1 Fall 2014 SEI Research Review FY14-03 Software Assurance Engineering Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Carol Woody, Ph.D. October 28, 2014
2 Report Documentation Page Form Approved OMB No Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 18 OCT TITLE AND SUBTITLE Software Assurance Engineering 6. AUTHOR(S) Woody /Carol 2. REPORT TYPE N/A 3. DATES COVERED 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited. 13. SUPPLEMENTARY NOTES The original document contains color images. 14. ABSTRACT 15. SUBJECT TERMS 11. SPONSOR/MONITOR S REPORT NUMBER(S) 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT SAR a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified 18. NUMBER OF PAGES 18 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
3 Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Team Software Process SM and TSP SM are service marks of Carnegie Mellon University. DM
4 Software Assurance Engineering Mission success for software-reliant systems requires software assurance Software assurance: implementing software with a level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software, throughout the life cycle Section 933 of National Defense Appropriation Act 2013 Engineering software assurance into the acquisition and development life cycle Task 1: Analyzing Security Risk Early in the Software Life Cycle Task 2: Applying Software Quality Models to Software Assurance 3
5 Task 1 Analyzing Security Risk Early in the Software Life Cycle Three main causes of operational security vulnerabilities: Design weaknesses Implementation/coding vulnerabilities System configuration errors Design weaknesses are not easily addressed during operations. 379 of the 940 common weakness enumerations (CWEs) are design weaknesses ( 19 of the top 25 are linked to design weaknesses( Causes for design weaknesses: Poor security requirements Limited understanding of the impact of security risk on mission success Goal: Reduce Security Design Weaknesses With Improved Requirements 4
6 Task 1: Limitations in Current Security Design Practices Expert Knowledge System Requirements Compliance Vendor Solutions Identification techniques are ad hoc Notation for expressing a security event/risk is incomplete Approaches rely on analysts' tacit knowledge of operational context Security controls address compliance not risk Single system scope Risk analysis (if done) is focused on a single system Standalone (i.e., single system) models have been developed Risk analysis considers the exploit of an individual vulnerability within a single system Security experts need to communicate risk effectively with system and software engineers and acquisition experts Attacks frequently come from other trusted systems Complex attacks need to be included in security risk evaluation 5
7 Task 1: Security Engineering Risk Analysis (SERA) Framework Model the system, context, and attacks to determine the security risks: mission impact of security breaches sufficiency of planned security gaps for mitigation 6
8 C M Use Case Scenario Data Items involved Technology Security Controls/Relevant Step Actor and Action Standards and Regulations 1 AOS operator logs on to the AOS using account and authentication information [Note: operator log on and session auditing Authentication information AO Desktop Firewall Account information AOS Client User authentication (next step) are performed by team at start of shift] Procedures Server USB? 2 AOS logon activates auditing of the AOS operator s session Session log Session log software starting the session log. Backup of session log Server 3 AOS operator enters the approved alert message (text and Alert message optional audio/visual) including the relevant command alert, Command (which is incorporated cancel, or update message with status of actual 1 indicating into CAP-compliant message) this is an actual alert or command. [also includes the distribution channels via FEMA, of which wireless is the only relevant Alert scripts Procedures channel, and the actual geographic distribution for the alert] Session log data record of input and all the sources it went to (in addition to wireless) 4 AOS converts alert message to CAP-compliant format. Alert message (original format, AOS Database server text piece) AOS server Alert message in CAP-compliant format Backup or saved version of CAP-compliant message Session log data 5 AOS transmits alert message to the IPAWS-OPEN Gateway. Alert message (CAP-compliant format) Session log data IPAWS certificate 6 IPAWS-OPEN Gateway verifies 2 alert message using authentication information and logs the receipt of message in IPAWS Status message Alert message log. Authentication information Message validation scripts IPAWS log 7 AOS operator pulls the IPAWS receipt status from IPAWS log. IPAWS log/ipaws Receipt Status Procedures for checking IPAWS log 1 Other status values include test and system. Test will be addressed in an another use case. 2 In this table, message verification includes authenticating the message and ensuring that it is in the correct format. User System A Encrypted Data Encrypted Certificate Internal Network for System A Encrypted Data Encrypted Certificate WEA Alert Workflow (Top Level) Internet Submit alert request to local AO. Note: CMSP monitors FEMA systems for alerts and pulls data from FEMA systems when an alert is available. System B Initiator alert request If alert is not issued Alert not forwarded to Decide to issue FEMA alert. If alert is issued Process alert Monitor alert request. status. Alert message content Encrypted Data Encrypted Certificate Internal Network for System B Encrypted Data Encrypted Certificate IPAWS certificate CAP-compliant alert message Process alert. Monitor alert queue. IPAWS receipt status Process alert. Note: AO monitors FEMA systems for status information and pulls data on alert status from FEMA systems. Receive alert. Task 1: SERA Approach Threat Identification Models Consequence Analysis Models Use-Case View Data View Workflow View Stakeholder View Data Requirements Stakeholder View Data Element Form Confidentiality Integrity Availability Initiator alert request Verbal or There are no restrictions on who can The data element must be correct and This data element must be available Electronic view this data element. (public data) complete. (high data integrity) when needed. (high availability) Alert message content Verbal, There are no restrictions on who can The data element must be correct and This data element must be available Electronic, or view this data element. (public data) complete. (high data integrity) when needed. (high availability) Physical CAP-compliant alert Electronic There are no restrictions on who can The data element must be correct and This data element must be available message view this data element. (public data) complete. (high data integrity) when needed. (high availability) IPAWS certificate Electronic Only authorized people can view this The data element must be correct and This data element must be available data element. (sensitive but complete. (high data integrity) when needed. (high availability) unclassified) IPAWS receipt status Electronic There are no restrictions on who can The data element must be correct and No availability requirement for this data view this data element. (public data) complete. (high data integrity) element. Commercial Federal Mobile Service Emergency Initiator (e.g., Recipients Alert Originator (AO) Providers Management First Responder) (CMSP) Agency (FEMA) Stakeholder Mission Interest First responders Get content to the AOS operator within a required timeframe AOS operators Enter alert message into AOS in the required timeframe AO managers Maintain their organization s authority to operate, including applying for and maintaining certificate for their AOS FEMA Transmit alert messages to CMSP within a requires timeframe and maintain trust in WEA and the overall emergency alert system CMSP Get alert messages to their customers as rapidly as possible without adversely affecting customer satisfaction Recipients (residents of given area Indirectly provide funding to the AO funding source covered by WEA) Receive and act on wireless alert messages in the area where they reside Recipients (transient population Receive and act on wireless alert messages within the given area covered by the visiting an area) AO Providers and maintainers of AOS Maintain trust in the services provided and in the security of their equipment AO funding source (e.g., Provide funding to operate the WEA service government) AO community Promote the value of the WEA service. Share information related to the WE service (e.g., problems, lessons learned) Network View Threat Actor Motive Outcome Means Consequences Workflow Consequences Stakeholder Consequences Note: Information is transferred from AOS clients to AO Desktops using USB drives. AOS Client 1 AO Desktop AO Desktop AO System Administration AOS Client 2 Printer Server Firewall Router AO Off-Site Data Storage Back-Up Communications FEMA Networks Initiator Networks Vendor Off-Site Data Storage AOS Clients AOS Server AOS Database Server Internet Back-Up Communications Router AO Servers Router Firewall Vendor Desktop Firewall AO Development Physical View WebServer WebServer AO Development Server AO Desktop with AOS management capability AO Manager s Office Attack Action 1 Enablers Action 2 Enablers Action 3 Enablers Action 4 Enablers... Action N Enablers Threat Archetype Threat Sequence Step 1. The actor performs reconnaissance to determine who to target for social engineering. 2. The actor selects an appropriate target(s) for social engineering. 3. The actor conducts a social engineering attack on the targeted person (or people) to obtain the following: required data format for transaction, certificate for System A, and encryption key. 4. The targeted person (or people) provides the following to the actor: required data format for transaction, certificate for System A, and encryption key. 5. The actor creates an illegitimate data transaction in the required format. 6. The actor sends the illegitimate data transaction (encrypted) and certificate for System A (encrypted) to System B. 7. System B decrypts the data transaction and certificate. 8. System B validates the identity of the sender. 9. System B logs receipt of the data. 10. System B processes the data. Hotline with initiators. Mobile AO capability AO Operator Room Note: Keypad access is required for entry. Note: Door can be locked using physical key. AO Server Room AO System Administration Computer Defined semantics for expressing a security event/risk AO Desktops Note: The door to the server room is open during business hours. A physical key is required for entry outside of business hours. AO System Administrators Office Library of threat archetypes to support threat identification Models to support threat identification Models to support consequence analysis 7
9 AOS Client 1 FEMA Networks Initiator Networks Note: Information is transferred from AOS clients to AO Desktops using USB drives. AOS Client 2 Firewall AO Off-Site Data Storage Back-Up Communications Vendor Off-Site Data Storage AOS Server Router AOS Database Server AO Desktop Internet Back-Up Communications Router AO Desktop Router Firewall AO Development Firewall Vendor Desktop AO System Administration Printer WebServer Server WebServer AO Development Server WEA Alert Workflow (Top Level) Submit alert Initiator alert request to local request AO. Decide to issue alert. Note: CMSP monitors FEMA systems for alerts and pulls data from FEMA systems when an alert is available. If alert is issued Alert message content IPAWS certificate CAP-compliant alert message If alert is not issued Alert not forwarded to FEMA Process alert Monitor alert request. status. Process alert. Monitor alert queue. IPAWS receipt status Process alert. Note: AO monitors FEMA systems for status information and pulls data on alert status from FEMA systems. Receive alert. C M Mobile AO capability AOS Clients Note: Keypad access is required for entry. AO Desktops Hotline with initiators. AO Servers Note: Door can be locked using physical key. Note: The door to the server room is open during business hours. A physical key is required for entry outside of business hours. AO Desktop with AOS management capability AO System Administration Computer Task 1: SERA 4-Step Process Modeling Techniques 1. Establish operational context. Commercial Federal Mobile Service Emergency Initiator (e.g., Recipients Alert Originator (AO) Providers Management First Responder) (CMSP) Agency (FEMA) AO Operator Room AO Server Room AO Manager s Office AO System Administrators Office Risk Identification Worksheet 2. Identify risk. Risk Evaluation Criteria Risk Analysis Worksheet 3. Analyze risk. Control Approach Worksheet Control Plan Worksheet 4. Develop control plan. 8
10 Task 2 Applying Software Quality Models to Software Assurance The SEI has quality data for over 100 Team Software Process (TSP) development projects used to predict operational quality. Data from five projects with low defect density in system testing reported very low or zero safety critical and security defects in production use. Goal: Use Predictions of Quality to Inform Security Risk Predictions 9
11 Quality Focus on Defect Injection and Removal Early Defect Removal across Life Cycle Vulnerabilities are defects 1-5% of quality defects are vulnerabilities (confirmed) 50-70% of security vulnerabilities are quality defects (unconfirmed) 10
12 Task 2: Evidence Available for Quality Analysis The data below describe successful results of systems in operation for at least a year from three organizations that are of interest to identify patterns appropriate for security. Org. Project Type Secure or Safety Critical Defects Defect Density Size D D1 Safety Critical MLOC D D2 Safety Critical MLOC D D3 Safety Critical MLOC A A1 Secure MLOC T T1 Secure MLOC Quality Threshold With one exception, projects implemented below 20 defects per MLOC had no reported operational security or safety-critical defects. The exception utilized specialized defect removal practices for secure systems. 11
13 Task 2: How Could Quality Help Security? Good quality will ensure proper implementation of specified results Effective code checking will identify improper implementations of specifications (11 of SANS Top 25) Effective design reviews will identify missing requirements (12 of SANS Top 25) if appropriate security results are considered in the development of requirements if requirements are effectively translated into detail designs and code specifications to support the required security results SANS Top 25: SysAdmin, Audit, Network, Security Top 25 Most Dangerous Programming Errors ( Security Requirements Must be Properly Specified 12
14 Successful Projects Embed Quality and Safety/Security Inspection at Each Lifecycle Step Design Coding Des1gn Review Design Inspection Verification & Validation Code Code Review Inspection Software Engineering Institute I Carnt~git l\lellon Univt r sity 13
15 Successful Projects Use Metrics Extensively Development Metrics Incoming/week Triage rate % closed Development work for cycle Software change request per developer per week # developers Software change request per verifier & validator per week # verification persons Software Change Metrics Fixed work per cycle Deferred planned work per cycle Testing and tools are used to confirm results NOT find problems 14
16 Successful Projects Show Improved Reliability lox imp1rovement Q) I.. ::::::s co LL Q) I.. ~ Q) m rj) Q) - 0 >. (.) c:: co Q) ~ Cycle 0 Release Software Release -- Software Engineering Institute Carnt~gie 1\lellon Univt~rsity 15
17 FY Deliverables Publications: CrossTalk September/October 2014 Evaluating Security Risks Using Mission Threads provides a summary of the SERA framework with an example SEI Special Report CMU/SEI-2013-SR-018 Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators released March Two technical notes (drafts are in review) to be released in November Conferences: Presentation: Modeling Early Life Cycle Security Risk International Conference on Conceptual Modeling 2014 (ER2014) Tutorial: Security Risk Management using the Security Engineering Risk Analysis (SERA) Method 2014 Annual Computer Security Applications Conference (ACSAC) Proposed tutorial for Ground Systems Architecture Workshop (GSAW) 2015 Abstract approved for IEEE International Symposium for Homeland Security SEI Research Review February , Carol Woody 16
18 FY14-03 Collaborations Carnegie Mellon University funded collaboration with Travis Breaux, Assistant Professor of Computer Science, and his doctoral student Hunan Hibshi for academic review and two publications: H. Hibshi, T.D. Breaux, M. Riaz, L. Williams (2014) "Towards a Framework to Measure Security Expertise in Requirements Analysis, In Proc. IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), pp H. Hibshi, T.D. Breaux, M. Riaz, L. Williams (2014) "Discovering Decision-Making Patterns for Security Novices and Experts, In Submission: International Journal of Secure Software Engineering. SERA Framework review by Ranjit Singh Mann, PE Software Engineering IPT Lead, Indirect Fire Protection Capability Increment 2- Intercept (IFPC Inc 2-I) Product Office (PdO) Research Review Workshop, August 6, 2014 in Ballston with 16 participants from DoD, NSA, academia, and industry including the DoD Software Assurance Community of Practice (SwA COP) Metrics Team 2014 SEI Research Review February , Carol Woody 17
19 Contact Information Carol Woody, Ph.D. Technical Manager CERT/CSF/CSE Telephone: U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations Telephone: SEI Phone: SEI Fax:
ARINC653 AADL Annex Update
ARINC653 AADL Annex Update Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange AADL Meeting February 15 Report Documentation Page Form Approved OMB No. 0704-0188
More informationEarly Life Cycle Risk Analysis: Planning for Software Assurance
Early Life Cycle Risk Analysis: Planning for Software Assurance Carol Woody, Ph.D. Software Engineering Institute 2014 Carnegie Mellon University Copyright 2014 Carnegie Mellon University and IEEE This
More informationCyber Threat Prioritization
Cyber Threat Prioritization FSSCC Threat and Vulnerability Assessment Committee Jay McAllister Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information
More informationFall 2014 SEI Research Review Verifying Evolving Software
Fall 2014 SEI Research Review Verifying Evolving Software Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Arie Gurfinkel October 28, 2014 Report Documentation Page Form Approved
More information2013 US State of Cybercrime Survey
2013 US State of Cybercrime Survey Unknown How 24 % Bad is the Insider Threat? Insiders 51% 2007-2013 Carnegie Mellon University Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting
More informationCurrent Threat Environment
Current Threat Environment Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213, PhD Technical Director, CERT mssherman@sei.cmu.edu 29-Aug-2014 Report Documentation Page Form
More informationComponents and Considerations in Building an Insider Threat Program
Components and Considerations in Building an Insider Threat Program Carly Huth Insider Threat Researcher, CEWM Carly L. Huth is an insider threat researcher in the Cyber Enterprise and Workforce Management
More informationService Level Agreements: An Approach to Software Lifecycle Management. CDR Leonard Gaines Naval Supply Systems Command 29 January 2003
Service Level Agreements: An Approach to Software Lifecycle Management CDR Leonard Gaines Naval Supply Systems Command 29 January 2003 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting
More informationModel-Driven Verifying Compilation of Synchronous Distributed Applications
Model-Driven Verifying Compilation of Synchronous Distributed Applications Sagar Chaki, James Edmondson October 1, 2014 MODELS 14, Valencia, Spain Report Documentation Page Form Approved OMB No. 0704-0188
More informationDefining Computer Security Incident Response Teams
Defining Computer Security Incident Response Teams Robin Ruefle January 2007 ABSTRACT: A computer security incident response team (CSIRT) is a concrete organizational entity (i.e., one or more staff) that
More informationCOTS Multicore Processors in Avionics Systems: Challenges and Solutions
COTS Multicore Processors in Avionics Systems: Challenges and Solutions Dionisio de Niz Bjorn Andersson and Lutz Wrage dionisio@sei.cmu.edu, baandersson@sei.cmu.edu, lwrage@sei.cmu.edu Report Documentation
More informationEmpirically Based Analysis: The DDoS Case
Empirically Based Analysis: The DDoS Case Jul 22 nd, 2004 CERT Analysis Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Analysis Center is part of the
More informationPreventing Insider Sabotage: Lessons Learned From Actual Attacks
Preventing Insider Sabotage: Lessons Learned From Actual Attacks Dawn Cappelli November 14, 2005 2005 Carnegie Mellon University Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting
More informationArchitectural Implications of Cloud Computing
Architectural Implications of Cloud Computing Grace Lewis Research, Technology and Systems Solutions (RTSS) Program Lewis is a senior member of the technical staff at the SEI in the Research, Technology,
More informationCOMPUTATIONAL FLUID DYNAMICS (CFD) ANALYSIS AND DEVELOPMENT OF HALON- REPLACEMENT FIRE EXTINGUISHING SYSTEMS (PHASE II)
AL/EQ-TR-1997-3104 COMPUTATIONAL FLUID DYNAMICS (CFD) ANALYSIS AND DEVELOPMENT OF HALON- REPLACEMENT FIRE EXTINGUISHING SYSTEMS (PHASE II) D. Nickolaus CFD Research Corporation 215 Wynn Drive Huntsville,
More informationSoftware, Security, and Resiliency. Paul Nielsen SEI Director and CEO
Software, Security, and Resiliency Paul Nielsen SEI Director and CEO Dr. Paul D. Nielsen is the Director and CEO of Carnegie Mellon University's Software Engineering Institute. Under Dr. Nielsen s leadership,
More informationArchitecting for Resiliency Army s Common Operating Environment (COE) SERC
Architecting for Resiliency Army s Common Operating Environment (COE) SERC 5 October 2011 Mr. Terry Edwards Director, ASA(ALT) Office of the Chief Systems Engineer (OCSE) (703) 614-4540 terry.edwards@us.army.mil
More informationKathleen Fisher Program Manager, Information Innovation Office
Kathleen Fisher Program Manager, Information Innovation Office High Assurance Systems DARPA Cyber Colloquium Arlington, VA November 7, 2011 Report Documentation Page Form Approved OMB No. 0704-0188 Public
More information4. Lessons Learned in Introducing MBSE: 2009 to 2012
4. Lessons Learned in Introducing MBSE: 2009 to 2012 Abstract A. Peter Campbell University of South Australia An overview of the lessons that are emerging from recent efforts to employ MBSE in the development
More informationA Review of the 2007 Air Force Inaugural Sustainability Report
Headquarters U.S. Air Force A Review of the 2007 Air Force Inaugural Sustainability Report Lt Col Wade Weisman SAF/IEE 703-693-9544 wade.weisman@pentagon.af.mil Ms. Krista Goodale Booz Allen Hamilton 757-466-3251
More informationEngineering Improvement in Software Assurance: A Landscape Framework
Engineering Improvement in Software Assurance: A Landscape Framework Lisa Brownsword (presenter) Carol C. Woody, PhD Christopher J. Alberts Andrew P. Moore Agenda Terminology and Problem Scope Modeling
More informationAdvancing Cyber Intelligence Practices Through the SEI s Consortium
Advancing Cyber Intelligence Practices Through the SEI s Consortium SEI Emerging Technology Center Jay McAllister Melissa Kasan Ludwick Copyright 2015 Carnegie Mellon University This material is based
More informationMulti-Modal Communication
Multi-Modal Communication 14 November 2011 Victor S. Finomore, Jr., Ph.D. Research Psychologist Battlespace Acoustic Branch Air Force Research Laboratory DISTRIBUTION STATEMENT D. Distribution authorized
More informationJulia Allen Principal Researcher, CERT Division
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using CERT -RMM (Case Study) Julia Allen Principal Researcher, CERT Division Julia Allen is a principal researcher
More informationFUDSChem. Brian Jordan With the assistance of Deb Walker. Formerly Used Defense Site Chemistry Database. USACE-Albuquerque District.
FUDSChem Formerly Used Defense Site Chemistry Database Brian Jordan With the assistance of Deb Walker USACE-Albuquerque District 31 March 2011 1 Report Documentation Page Form Approved OMB No. 0704-0188
More informationDoD Common Access Card Information Brief. Smart Card Project Managers Group
DoD Common Access Card Information Brief Smart Card Project Managers Group 12 July, 2001 REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188 Public reporting burder for this collection of information
More informationTechnological Advances In Emergency Management
Technological Advances In Emergency Management Closing the gap between Preparation and Recovery Will Fontan, P.E. Regional Director, ONRG Americas Office Report Documentation Page Form Approved OMB No.
More informationHeadquarters U.S. Air Force. EMS Play-by-Play: Using Air Force Playbooks to Standardize EMS
Headquarters U.S. Air Force EMS Play-by-Play: Using Air Force Playbooks to Standardize EMS Mr. Kerry Settle HQ AMC/A7AN Ms. Krista Goodale Booz Allen Hamilton 1 Report Documentation Page Form Approved
More informationVICTORY VALIDATION AN INTRODUCTION AND TECHNICAL OVERVIEW
2012 NDIA GROUND VEHICLE SYSTEMS ENGINEERING AND TECHNOLOGY SYMPOSIUM VEHICLE ELECTRONICS AND ARCHITECTURE (VEA) MINI-SYMPOSIUM AUGUST 14-16 TROY, MICHIGAN VICTORY VALIDATION AN INTRODUCTION AND TECHNICAL
More informationCausal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs
use Causal Modeling of Observational Cost Data: A Ground-Breaking use of Directed Acyclic Graphs Bob Stoddard Mike Konrad SEMA SEMA November 17, 2015 Public Release; Distribution is Copyright 2015 Carnegie
More informationInformation, Decision, & Complex Networks AFOSR/RTC Overview
Information, Decision, & Complex Networks AFOSR/RTC Overview 06 MAR 2013 Integrity Service Excellence Robert J. Bonneau, Ph.D. Division Chief AFOSR/RTC Air Force Research Laboratory Report Documentation
More information75th Air Base Wing. Effective Data Stewarding Measures in Support of EESOH-MIS
75th Air Base Wing Effective Data Stewarding Measures in Support of EESOH-MIS Steve Rasmussen Hill Air Force Base (AFB) Air Quality Program Manager 75 CEG/CEVC (801) 777-0359 Steve.Rasmussen@hill.af.mil
More informationSoftware Assurance Education Overview
Software Assurance Education Overview Nancy Mead June 2011 ABSTRACT: Complex software systems affect nearly every aspect of our lives, in areas such as defense, government, energy, communication, transportation,
More informationDana Sinno MIT Lincoln Laboratory 244 Wood Street Lexington, MA phone:
Self-Organizing Networks (SONets) with Application to Target Tracking Dana Sinno 244 Wood Street Lexington, MA 02420-9108 phone: 781-981-4526 email: @ll.mit.edu Abstract The growing interest in large arrays
More informationHigh-Assurance Security/Safety on HPEC Systems: an Oxymoron?
High-Assurance Security/Safety on HPEC Systems: an Oxymoron? Bill Beckwith Objective Interface Systems, Inc. Phone: 703-295-6519 Email Address: bill.beckwith@ois.com W. Mark Vanfleet National Security
More informationVision Protection Army Technology Objective (ATO) Overview for GVSET VIP Day. Sensors from Laser Weapons Date: 17 Jul 09 UNCLASSIFIED
Vision Protection Army Technology Objective (ATO) Overview for GVSET VIP Day DISTRIBUTION STATEMENT A. Approved for public release. Vision POC: Rob Protection Goedert, ATO: TARDEC Protection ATO manager
More informationEvaluating Security Risks Using Mission Threads
Evaluating Security Risks Using Mission Threads Carol Woody, Ph.D., SEI Christopher Alberts, SEI Abstract. Mission threads describe operational process steps required to perform organizational functions.
More informationEnergy Security: A Global Challenge
A presentation from the 2009 Topical Symposium: Energy Security: A Global Challenge Hosted by: The Institute for National Strategic Studies of The National Defense University 29-30 September 2009 By SCOTT
More informationThis material has been approved for public release and unlimited distribution except as restricted below.
Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the
More informationC2-Simulation Interoperability in NATO
C2-Simulation Interoperability in NATO Dr Hans Jense Chief, Capability Planning, Exercises and Training NATO UNCLASSIFIED 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden
More informationENVIRONMENTAL MANAGEMENT SYSTEM WEB SITE (EMSWeb)
2010 ENGINEERING SERVICE CENTER ENVIRONMENTAL MANAGEMENT SYSTEM WEB SITE (EMSWeb) Eugene Wang NFESC -- Code 423 (805) 982-4291 eugene.wang@navy.mil Report Documentation Page Form Approved OMB No. 0704-0188
More informationSEI/CMU Efforts on Assured Systems
Unclassified//For Official Use Only SEI/CMU Efforts on Assured Systems 15 November 2018 *** Greg Shannon CERT Division Chief Scientist Software Engineering Institute Carnegie Mellon University Pittsburgh,
More informationCOUNTERING IMPROVISED EXPLOSIVE DEVICES
COUNTERING IMPROVISED EXPLOSIVE DEVICES FEBRUARY 26, 2013 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour
More informationUS Army Industry Day Conference Boeing SBIR/STTR Program Overview
US Army Industry Day Conference Boeing SBIR/STTR Program Overview Larry Pionke, DSc Associate Technical Fellow Product Standards - Technology & Services Boeing Research & Technology Ft. Leonard Wood (FLW)
More informationDefense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024
Report No. DODIG-2013-056 March 15, 2013 Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024 Report Documentation
More informationBy Derrick H. Karimi Member of the Technical Staff Emerging Technology Center. Open Architectures in the Defense Intelligence Community
Open Architectures in the Defense Intelligence Community By Derrick H. Karimi Member of the Technical Staff Emerging Technology Center This blog post is co-authored by Eric Werner. In an era of sequestration
More informationCyber Hygiene: A Baseline Set of Practices
[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright
More informationSEI Webinar Series. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA January 27, Carnegie Mellon University
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated
More informationUsing Model-Theoretic Invariants for Semantic Integration. Michael Gruninger NIST / Institute for Systems Research University of Maryland
Using Model-Theoretic Invariants for Semantic Integration Michael Gruninger NIST / Institute for Systems Research University of Maryland Report Documentation Page Form Approved OMB No. 0704-0188 Public
More informationCENTER FOR ADVANCED ENERGY SYSTEM Rutgers University. Field Management for Industrial Assessment Centers Appointed By USDOE
Field Management for Industrial Assessment Centers Appointed By USDOE Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to
More informationSecure FAST: Security Enhancement in the NATO Time Sensitive Targeting Tool
in the NATO Time Sensitive Targeting Tool Dr Orhan Cetinkaya, Dr Yakup Yildirim and Mr Michel Fortier NATO C3 Agency Oude Waalsdorperweg 61, 2597 AK The Hague NETHERLANDS {orhan.cetinkaya, yakup.yildirim,
More informationCloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative
Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative SEI Webinar November 12, 2009 Report Documentation Page Form Approved OMB No. 0704-0188
More informationConcept of Operations Discussion Summary
TSPG Common Dataset Standard Concept of Operations Discussion Summary Tony DalSasso 677 AESG/EN 15 May 2007 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection
More informationData to Decisions Terminate, Tolerate, Transfer, or Treat
I N S T I T U T E F O R D E F E N S E A N A L Y S E S Data to Decisions Terminate, Tolerate, Transfer, or Treat Laura A. Odell 25 July 2016 Approved for public release; distribution is unlimited. IDA Non-Standard
More informationCorrosion Prevention and Control Database. Bob Barbin 07 February 2011 ASETSDefense 2011
Corrosion Prevention and Control Database Bob Barbin 07 February 2011 ASETSDefense 2011 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information
More informationCenter for Infrastructure Assurance and Security (CIAS) Joe Sanchez AIA Liaison to CIAS
Center for Infrastructure Assurance and Security (CIAS) Joe Sanchez AIA Liaison to CIAS 1 REPORT DOCUMENTATION PAGE Form Approved OMB No. 074-0188 Public reporting burden for this collection of information
More informationThe CERT Top 10 List for Winning the Battle Against Insider Threats
The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:
More informationU.S. Army Research, Development and Engineering Command (IDAS) Briefer: Jason Morse ARMED Team Leader Ground System Survivability, TARDEC
U.S. Army Research, Development and Engineering Command Integrated Defensive Aid Suites (IDAS) Briefer: Jason Morse ARMED Team Leader Ground System Survivability, TARDEC Report Documentation Page Form
More informationDynamic Information Management and Exchange for Command and Control Applications
AFRL-AFOSR-UK-TR-2015-0026 Dynamic Information Management and Exchange for Command and Control Applications Maribel Fernandez KING S COLLEGE LONDON THE STRAND LONDON WC2R 2LS UNITED KINGDOM EOARD GRANT
More informationRunning CyberCIEGE on Linux without Windows
Running CyberCIEGE on Linux without Windows May, 0 Report Documentation Page Form Approved OMB No. 070-0 Public reporting burden for the collection of information is estimated to average hour per response,
More informationRoles and Responsibilities on DevOps Adoption
Roles and Responsibilities on DevOps Adoption Hasan Yasar Technical Manager, Adjunct Faculty Member Secure Lifecycle Solutions CERT SEI CMU Software Engineering Institute Carnegie Mellon University Pittsburgh,
More information73rd MORSS CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation
CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation 712CD For office use only 41205 21-23 June 2005, at US Military Academy, West Point, NY Please complete this form 712CD as your cover page to
More informationIntroducing I 3 CON. The Information Interpretation and Integration Conference
Introducing I 3 CON The Information Interpretation and Integration Conference Todd Hughes, Ph.D. Senior Member, Engineering Staff Advanced Technology Laboratories 10/7/2004 LOCKHEED MARTIN 1 Report Documentation
More informationATCCIS Replication Mechanism (ARM)
ATCCIS Replication Mechanism (ARM) Fundamental Concepts Presented by Peter Angel, P.Eng. Advanced Systems Management Group 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden
More informationEdwards Air Force Base Accelerates Flight Test Data Analysis Using MATLAB and Math Works. John Bourgeois EDWARDS AFB, CA. PRESENTED ON: 10 June 2010
AFFTC-PA-10058 Edwards Air Force Base Accelerates Flight Test Data Analysis Using MATLAB and Math Works A F F T C m John Bourgeois AIR FORCE FLIGHT TEST CENTER EDWARDS AFB, CA PRESENTED ON: 10 June 2010
More information73rd MORSS CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation
CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation 712CD For office use only 41205 21-23 June 2005, at US Military Academy, West Point, NY Please complete this form 712CD as your cover page to
More informationAn Update on CORBA Performance for HPEC Algorithms. Bill Beckwith Objective Interface Systems, Inc.
An Update on CORBA Performance for HPEC Algorithms Bill Beckwith Objective Interface Systems, Inc. Email: bill.beckwith@ois.com CORBA technology today surrounds HPEC-oriented subsystems. In recent years
More informationSafety- and Security-Related Requirements for
Engineering - and -Related for Software-Intensive t Systems Presented at SSTC 2010 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Donald Firesmith, Terry Roberts & Stephen
More informationPrioritizing Alerts from Static Analysis with Classification Models
Prioritizing Alerts from Static Analysis with Classification Models PI: Lori Flynn, PhD Team: Will Snavely, David Svoboda, Dr. David Zubrow, Bob Stoddard, Dr. Nathan VanHoudnos, Dr. Elli Kanal, Richard
More informationTopology Control from Bottom to Top
Topology Control from Bottom to Top M. Steenstrup Stow Research L.L.C. Clemson University steenie@rcn.com This work was funded in part by DARPA and by ONR MURI. Report Documentation Page Form Approved
More informationSetting the Standard for Real-Time Digital Signal Processing Pentek Seminar Series. Digital IF Standardization
Setting the Standard for Real-Time Digital Signal Processing Pentek Seminar Series Digital IF Standardization Report Documentation Page Form Approved OMB No 0704-0188 Public reporting burden for the collection
More informationGuide to Windows 2000 Kerberos Settings
Report Number: C4-018R-01 Guide to Windows 2000 Kerberos Settings Architectures and Applications Division of the Systems and Network Attack Center (SNAC) Author: David Opitz Updated: June 27, 2001 Version
More informationBe Like Water: Applying Analytical Adaptability to Cyber Intelligence
SESSION ID: HUM-W01 Be Like Water: Applying Analytical Adaptability to Cyber Intelligence Jay McAllister Senior Analyst Software Engineering Institute Carnegie Mellon University @sei_etc Scuttlebutt Communications
More informationUsing Templates to Support Crisis Action Mission Planning
Using Templates to Support Crisis Action Mission Planning Alice Mulvehill 10 Moulton Rd Cambridge, MA 02138 USA 617-873-2228 Fax: 617-873-4328 amm@bbn.com Michael Callaghan 695 Wanaao Rd Kailua, HI 96734
More informationComputer Aided Munitions Storage Planning
Computer Aided Munitions Storage Planning Robert F. Littlefield and Edward M. Jacobs Integrated Systems Analysts, Inc. (904) 862-7321 Mr. Joseph Jenus, Jr. Manager, Air Force Explosives Hazard Reduction
More informationUsing the SORASCS Prototype Web Portal
Using the SORASCS Prototype Web Portal Bradley Schmerl, Michael W. Bigrigg, David Garlan, Kathleen M. Carley September, 2010 CMU-ISR-10-123 Institute for Software Research School of Computer Science Carnegie
More informationASSESSMENT OF A BAYESIAN MODEL AND TEST VALIDATION METHOD
ASSESSMENT OF A BAYESIAN MODEL AND TEST VALIDATION METHOD Yogita Pai, Michael Kokkolaras, Greg Hulbert, Panos Papalambros, Univ. of Michigan Michael K. Pozolo, US Army RDECOM-TARDEC Yan Fu, Ren-Jye Yang,
More informationSCICEX Data Stewardship: FY2012 Report
DISTRIBUTION STATEMENT A. Approved for public release; distribution is unlimited. SCICEX Data Stewardship: FY2012 Report Florence Fetterer 449 UCB University of Colorado Boulder, CO 80309-0449 USA phone:
More informationTowards a Formal Pedigree Ontology for Level-One Sensor Fusion
Towards a Formal Pedigree Ontology for Level-One Sensor Fusion Christopher J. Matheus David Tribble Referentia Systems, Inc. Mieczyslaw M. Kokar Northeaster University Marion Ceruti and Scott McGirr Space
More informationDoD M&S Project: Standardized Documentation for Verification, Validation, and Accreditation
Department of Defense Modeling and Simulation Conference DoD M&S Project: Standardized Documentation for Verification, Validation, and Accreditation Thursday, 13 March 2008 2:30-3:00 p.m. Presented by
More informationARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013
ARINC653 AADL Annex Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange 07/08/2013 Context, Rationale ARINC653 Avionics standard Standardized API (called APEX
More informationThe C2 Workstation and Data Replication over Disadvantaged Tactical Communication Links
The C2 Workstation and Data Replication over Disadvantaged Tactical Communication Links Presentation held at the NATO RTO-IST Taskgroup 12 Workshop on September 11 th &12 th in Quebec, Canada TNO Physics
More informationSpacecraft Communications Payload (SCP) for Swampworks
Spacecraft Communications Payload (SCP) for Swampworks Joseph A. Hauser Praxis, Inc. 2550 Huntington Avenue Suite 300 Alexandria, VA 22303 phone: (703) 682-2059 fax: (703) 837-8500 email: hauserj@pxi.com
More informationUse of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
NIST Special Publication 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme Recommendations of the National Institute of Standards and Technology Peter Mell Tim Grance
More informationAccuracy of Computed Water Surface Profiles
US Army Corps of Engineers Hydrologic Engineering Center Accuracy of Computed Water Surface Profiles Appendix D Data Management and Processing Procedures February 1987 Approved for Public Release. Distribution
More informationOffice of Global Maritime Situational Awareness
Global Maritime Awareness Office of Global Maritime Situational Awareness Capt. George E McCarthy, USN October 27 th 2009 Office of Global Maritime Situational Awareness A National Coordination Office
More information2011 NNI Environment, Health, and Safety Research Strategy
2011 NNI Environment, Health, and Safety Research Strategy Sally S. Tinkle, Ph.D. Deputy Director National Nanotechnology Coordination Office Coordinator for NNI EHS stinkle@nnco.nano.gov 1 Report Documentation
More informationSpace and Missile Systems Center
Space and Missile Systems Center GPS Control Segment Improvements Mr. Tim McIntyre GPS Product Support Manager GPS Ops Support and Sustainment Division Peterson AFB CO 2015 04 29 _GPS Control Segment Improvements
More informationResearching New Ways to Build a Cybersecurity Workforce
THE CISO ACADEMY Researching New Ways to Build a Cybersecurity Workforce Pamela D. Curtis, Summer Craze Fowler, David Tobar, and David Ulicne December 2016 Organizations across the world face the increasing
More informationM&S Strategic Initiatives to Support Test & Evaluation
DMSC 2008 March 11, 2008 M&S Strategic Initiatives to Support Test & Evaluation Mr. Richard Lockhart Principal Deputy Director Test Resource Management Center (TRMC) OUSD(AT&L) March 11, 2008 Report Documentation
More informationArmy Research Laboratory
Army Research Laboratory Arabic Natural Language Processing System Code Library by Stephen C. Tratz ARL-TN-0609 June 2014 Approved for public release; distribution is unlimited. NOTICES Disclaimers The
More informationQuanTM Architecture for Web Services
QuanTM Architecture for Web Services Insup Lee Computer and Information Science University of Pennsylvania ONR MURI N00014-07-1-0907 Review Meeting June 10, 2010 Report Documentation Page Form Approved
More informationNationwide Automatic Identification System (NAIS) Overview. CG 939 Mr. E. G. Lockhart TEXAS II Conference 3 Sep 2008
Nationwide Automatic Identification System (NAIS) Overview CG 939 Mr. E. G. Lockhart TEXAS II Conference 3 Sep 2008 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for
More informationHEC-FFA Flood Frequency Analysis
US Army Corps of Engineers Hydrologic Engineering Center Generalized Computer Program HEC-FFA Flood Frequency Analysis User's Manual May 1992 Approved for Public Release. Distribution Unlimited. CPD-13
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationMonte Carlo Techniques for Estimating Power in Aircraft T&E Tests. Todd Remund Dr. William Kitto EDWARDS AFB, CA. July 2011
AFFTC-PA-11244 Monte Carlo Techniques for Estimating Power in Aircraft T&E Tests A F F T C Todd Remund Dr. William Kitto AIR FORCE FLIGHT TEST CENTER EDWARDS AFB, CA July 2011 Approved for public release
More informationA Distributed Parallel Processing System for Command and Control Imagery
A Distributed Parallel Processing System for Command and Control Imagery Dr. Scott E. Spetka[1][2], Dr. George O. Ramseyer[3], Dennis Fitzgerald[1] and Dr. Richard E. Linderman[3] [1] ITT Industries Advanced
More informationGoal-Based Assessment for the Cybersecurity of Critical Infrastructure
Goal-Based Assessment for the Cybersecurity of Critical Infrastructure IEEE HST 2010 November 10, 2010 NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS
More informationUMass at TREC 2006: Enterprise Track
UMass at TREC 2006: Enterprise Track Desislava Petkova and W. Bruce Croft Center for Intelligent Information Retrieval Department of Computer Science University of Massachusetts, Amherst, MA 01003 Abstract
More informationMODELING AND SIMULATION OF LIQUID MOLDING PROCESSES. Pavel Simacek Center for Composite Materials University of Delaware
MODELING AND SIMULATION OF LIQUID MOLDING PROCESSES Pavel Simacek Center for Composite Materials University of Delaware UD-CCM 1 July 2003 Report Documentation Page Form Approved OMB No. 0704-0188 Public
More information