The Software Assurance Ecosystem: OMG s Approach to Systems & Software Assurance

Similar documents
System Assurance and Related Standards

Introduction to TOIF. Dr. Nikolai Mansourov CTO, KDM Analytics Liaison to OASIS. November 8, 2017 Copyright 2017 OMG. All rights reserved.

Copyright 2011, OMG. All rights reserved.

Cybersecurity & Risks Analysis

Cyber Risk and Related OMG Standards

Event Metamodel and Profile (EMP) Proposed RFP Updated Sept, 2007

System Assurance and the Internet of Things

High-Fidelity analysis of software systems

System Assurance. Beyond Detecting. Vulnerabilities. Djenana Campara. Nikolai Mansourov

Modelling in Enterprise Architecture. MSc Business Information Systems

OMG: The Home of Modelling Standards. Andrew Watson OMG Technical Director

Cloud Computing and the Cloud Standards Customer Council

UML Modeling. Sumantra Sarkar. 29 th June CIS 8090 Managing Enterprise Architecture

Engineering Practices for System Assurance

The OMG GRC GRID. High Level Overview. Object Management Group GRC Program

1 Executive Overview The Benefits and Objectives of BPDM

OMG Specifications for Enterprise Interoperability

An Introduction to SySML

Standard SOA Reference Models and Architectures

Internet of Things Security standards

Semantics-Based Integration of Embedded Systems Models

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

IIoT standards at work. Andrew Watson OMG Technical Director

Model Driven Message Interoperability (MDMI): an Object Management Group (OMG) Standard

Engineering for System Assurance Legacy, Life Cycle, Leadership

Composable Architecture & Design Applying Product Line and Systems of Systems Concepts to the Design of Unique, Complex Cyber-Physical Systems

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Executive Summary. Round Trip Engineering of Space Systems. Change Log. Executive Summary. Visas

SERES: ASEMANTICREGISTRY FOR ENTERPRISE SERVICES. Geir Jevne 9.juni 2011

Coding Standards in FACE Conformance. John Thomas, Chris Edwards, and Shan Bhattacharya

Copyright 2011 EMC Corporation. All rights reserved.

Future Directions for SysML v2 INCOSE IW MBSE Workshop January 28, 2017

Coding Standards in FACE Conformance. John Thomas, Chris Edwards, and Shan Bhattacharya

Continuous auditing certification

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

for TOGAF Practitioners Hands-on training to deliver an Architecture Project using the TOGAF Architecture Development Method

The Model-Driven Semantic Web Emerging Standards & Technologies

NIST Cloud Security Architecture Tool (CSAT) Leveraging Cyber Security Framework to Architect a FISMA-compliant Cloud Solution

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

Object Management Group Model Driven Architecture (MDA) MDA Guide rev. 2.0 OMG Document ormsc/

ASSURING DATA INTEROPERABILITY THROUGH THE USE OF FORMAL MODELS OF VISA PAYMENT MESSAGES (Category: Practice-Oriented Paper)

The Safe, Secure and Reliable Industrial Internet: A Standards Story March 2017

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta

In Accountable IoT We Trust

Introduction to AWS GoldBase

Adding Formal Requirements Modeling to SysML

Building an Assurance Foundation for 21 st Century Information Systems and Networks

Secure Technology Alliance Response: NIST IoT Security and Privacy Risk Considerations Questions

Papyrus: Advent of an Open Source IME at Eclipse (Redux)

Test Architect A Key Role defined by Siemens

Model Driven Data Interoperability (MDMI)

Module 1 Management Overview

Quality Assurance and IT Risk Management

UML 2.5: Specification Simplification

A Generic Approach for Compliance Assessment of Interoperability Artifacts

Fundamentals to Creating Architectures using ISO/IEC/IEEE Standards

Eclipse Open Source Software and OMG Open Specifications March 25 th 2012 Cory Casanave

NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.

Cyber Secure Dashboard Cyber Insurance Portfolio Analysis of Risk (CIPAR) Cyber insurance Legal Analytics Database (CLAD)

Systems Modeling Language (SysML) INCOSE MDSD Review

Integrating Cyber Security and Safety Systems Engineering Disciplines with a common Code of Practice

Importance of the Data Management process in setting up the GDPR within a company CREOBIS

Integrated Modeling for Engineering Complex Heterogeneous Systems SWISSED Markus Schacher & Rolf Gubser, KnowBodies

Defining IT Security Requirements for Federal Systems and Networks

End-to-end Safety, Security and Reliability Keys for a successful I4.0 Migration

Agenda. Bibliography

Proven Integration Strategies for Government

Business Architecture Implementation Workshop

Reengineering of Distributed Middleware Systems To a Model Driven Architecture (MDA)

DoD Software Assurance (SwA) Update

An Integrated Framework for Multi-layer Certification-based Assurance

Revolution or Evolution of SCADA, EMS, MMS and DMS Systems. Definitely, Maybe. Stipe Fustar June 16, 2009

Reconciling UML and BPMN Models in UPDM

Computation Independent Model (CIM): Platform Independent Model (PIM): Platform Specific Model (PSM): Implementation Specific Model (ISM):

CLOUD RISK AND GOVERNANCE Professional services for the enterprise

Rich Hilliard 20 February 2011

A Generic Method for Defining Viewpoints in SysML

Vendor: The Open Group. Exam Code: OG Exam Name: TOGAF 9 Part 1. Version: Demo

Introduction to SysML

Proven Practical Process. Armstrong Process Group. Service and Product Portfolio APG. Armstrong Process Group, Inc.

Networking Strategy and Optimization Services (NSOS) 2010 IBM Corporation

Toward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization

Joint Agile Delivery Phase 3

Security and Architecture SUZANNE GRAHAM

Model Driven Architecture Targets Middleware Interoperability Challenges

Data-Centric Architecture for Space Systems

KillTest *KIJGT 3WCNKV[ $GVVGT 5GTXKEG Q&A NZZV ]]] QORRZKYZ IUS =K ULLKX LXKK [VJGZK YKX\OIK LUX UTK _KGX

International Software & Systems Engineering Standards

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Reducing Consumer Uncertainty

MDA & Semantic Web Services Integrating SWSF & OWL with ODM

Trustworthy Information Systems Program

METADATA INTERCHANGE IN SERVICE BASED ARCHITECTURE

Raytheon Mission Architecture Program (RayMAP) Topic 1: C2 Concepts, Theory, and Policy Paper #40

Fujitsu World Tour 2018

Global IT Services Market Size, Status and Forecast 2025

IIC World Tour - Turin: Security Working Group Briefing. Nisarg Desai Product Manager, GlobalSign

MIS Week 9 Host Hardening

Accelerate Your Enterprise Private Cloud Initiative

corso Pragmatic Roadmapping with IBM Rational System Architect and ArchiMate White Paper Executive Summary Introduction By Martin Owen, CEO, CORSO

Transcription:

The Software Assurance Ecosystem: OMG s Approach to Systems & Software Assurance Dr. Richard Mark Soley Chairman and CEO Object Management Group, Inc. With thanks to the OMG Systems Assurance Domain Task Force, especially Dr. Ben Calloni 1

OMG s Mission Develop an architecture, using appropriate technology, for modeling & distributed application integration, guaranteeing: reusability of components interoperability & portability basis in commercially available software Specifications freely available Implementations exist Member-controlled not-for-profit 2

Who Are OMG? Adaptive Fair, Isaac Microsoft OIS Atego Firestar Software MITRE Oracle Boeing Business Rules Group CA Technologies Citigroup CSC EADS EDS Energistics Fujitsu HCL Hewlett Packard Hitachi HSBC IBM Lockheed Martin MEGA International Model Driven Solutions National Archives NEC NIST No Magic NTT DoCoMo Northrop Grumman OASIS PrismTech Real-Time Innov. SAP TCS Tether s End THALES Unisys W3C 3

OMG & Modeling Best known for key standards in modeling languages: UML (broad software & systems) SysML (systems engineering) SoaML (service-oriented architectures) BPMN (business processes) CWM (data warehouses) MOF (modeling languages) 4

OMG s Focus Three key infrastructure standards foci: Modeling Middleware Real-time & other specialized systems More than 20 vertical market foci: Healthcare Financial services Robotics Etc. 5

OMG Systems Assurance Task Force The Task Force (SysA TF) is focusing across all OMG vertical applications domains Existing: healthcare, finance, military, manufacturing, telecommunications, etc. New: smart energy grid, automotive Three co-chairs Ms. Djenana Campara, KDM Analytics Dr. Ben Calloni, Lockheed Martin Mr. Paul Work, Raytheon 6

SysA TF Strategy & Focus Strategy Establish a common framework for analysis and exchange of information related to systems assurance and trustworthiness. This trustworthiness will assist in facilitating systems that better support Security, Safety, Software and Information Assurance Immediate focus of SysA TF is to complete work related to Software Assurance (SwA) Ecosystem - common framework for presenting and analyzing properties of system trustworthiness that leverages and connects existing OMG specifications and identifies new specifications that need to be developed to complete the framework provides integrated tooling environments for different tool types Is architected to improve software system analysis and achieve higher automation of risk analysis 7

Delivering System Assurance: Delivering System Predictability and Reducing Uncertainty Software Assurance (SwA) is 3 step process 1. Specify Assurance Case Enable supplier to make bounded assurance claims about safety, security and/or dependability of systems, product or services 2. Obtain Evidence for Assurance Case Perform software assurance assessment to justify claims of meeting a set of requirements through a structure of sub-claims, arguments, and supporting evidence Collecting Evidence and verifying claims compliance is complex and costly process 3. Use Assurance Case to calculate and mitigate risk Exam non compliant claims and their evidence to calculate risk and identify course of actions to mitigate it Each stakeholder will have their own risk assessment e.g. security, liability, performance, compliance Currently, SwA 3 step process is informal, subjective & manual 8

Limitations of Current Assessment Approaches There is currently a lack of formalized methodology between high level policy claims and evidence means a laborious, unrepeatable (I.e., subjective), lengthy and costly certification process Current assessment approaches resist automation 9

The SwA Process Policy & Threats Objectives Requirements Methodology Gap Claims Arguments Evidence System Artifacts 10

Improving System Assessments: Systematic, Objective and Automated Key Requirements: 1. Specified assurance compliance points through formal specification 2. Transparency of software process & systems 3. End-to-end Traceability: from code to models to evidence to arguments to security requirements to policy 4. Standards based Integrated tooling environment Together, these requirements enable the management of system knowledge and knowledge about properties, providing a high degree of transparency, traceability and automation 11

The Software Assurance Ecosystem: Turning Challenge into Solution The SwA Ecosystem is a formal framework for analysis and exchange of information related to software security and trustworthiness The SwA Ecosystem provides a technical environment in which formalized claims, arguments and evidence can be brought together with formalized and abstracted software system representations to support high automation and high fidelity analysis. The SwA Ecosystem is based entirely on ISO/OMG Open Standards: Semantics of Business Vocabulary and Rules (SBVR) Knowledge Discovery Metamodel (KDM) Structure Metrics Metamodel (SMM) Structured Assurance Case Metamodel (SACM) (Adopted June 2010) Software Assurance Evidence Metamodel (SAEM) Argumentation Metamodel (ARM) The SwA Ecosystem is architected with a focus on providing fundamental improvements in analysis 12

Leveraging what we already have through SwA Ecosystem The Software Assurance Ecosystem enables industry and government agencies to leverage and connect existing policies, practices, processes and tools, in an affordable and efficient manner The key enabler is the Software Assurance (SwA) Ecosystem Infrastructure an open standards-based integrated tooling environment that dramatically reduces the cost of software assurance activities Integrates different communities: Formal Methods, Assurance Case, Reverse Engineering and Static Analysis, and Dynamic Analysis for a System Assurance solution Enables different tools to interoperate Introduces many new vendors to ecosystem because they each leverage parts of the tool chain 13

Where We are Going: Expanding the SwA Ecosystem 14

Common Fact Model Operational Environment Assurance assets NVDB (through SCAP) Threat Model Implementation Common Fact Model Business Rules Architecture 15

Software Assurance Ecosystem: The Formal Framework for System Assessments with Focus on Automation Tools Interoperability and Unified Reporting Environment Process Docs & Artifacts Requirements/Design Docs & Artifacts Reports, Risk Analysis, etc Process, People & Documentation Evaluation Environment Some point tools to assist evaluators but mainly manual work Claims in Formal SBVR vocabulary Evidence in Formal SBVR vocabulary Large scope requires large effort Supported by The Open Group s UDEF* Software System / Architecture Evaluation Many integrated & highly automated tools to assist evaluators Claims and Evidence in Formal vocabulary Combination of tools and ISO/OMG standards Standardized SW System Representation In KDM Large scope capable (system of systems) Iterative extraction and analysis for rules Supported by ISO/IEC 19506 Process, People, documentation Evidence Formalized Specifications Software system Technical Evidence Executable Specifications Assurance Case Repository - Formalized in SBVR vocabulary - Automated verification of claims against evidence - Highly automated and sophisticated risk assessments using transitive interevidence point relationships Supported by the following standards: - ISO/IEC 15026 - ISO/TC 37 / OMG SBVR - OMG ARM - OMG SAEM - Software Fault Patterns (Target late 2011) - UML Security Policy Extensions (planned) Hardware Environment Software System Artifacts Data Structures SFP(CWE) 16 IA Controls Protection Profiles

Summary of the SwA Ecosystem Approach Normalized uniform common fact model Separation of data feeds from reasoning Standards-based Assurance case and SBVR Representation of substantive reasoning Natural language End-to-end multi-segment Traceability models Code to state diagrams Code to architecture Code to conceptual model Code to evidence determined by arguments Evidence to arguments Arguments to policy Focus on polynomial path-based properties Instead of exponential state-based properties Arguments are executable queries to the fact model 17

Key Value of the SwA The Key Value of the SwA Ecosystem Approach is End-to-end Traceability: from code to models to evidence to arguments to security requirements to policy 18

For More Information OMG Systems Assurance Domain Task Force: http://sysa.omg.org/ OMG General Information: http://www.omg.org/ Richard Soley: soley@omg.org 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback