Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

T7: Software Assurance Methods in Support of Cyber Security

Tuesday, 4 December 2012
08:30 - 12:00

Sussex

To address the need for increased capability to manage software assurance across the acquisition and development life cycles, the Cyber Security Engineering team in CERT has developed a training offering designed to address the following kinds of issues:

This half-day workshop is focused on four critical software assurance areas: security requirements, software supply chain assurance, mission thread analysis, and measurement. The purpose of this course is to expose managers, engineers, and acquirers to concepts and resources available now for their use to address software security assurance across the acquisition and development life cycles.

The introduction establishes the importance of focusing on software assurance within the current development and acquisition environment. Assurance methods relevant to each of the four critical software assurance areas are presented and participants are encouraged to discuss ways that adoption into the existing acquisition and development life cycles would improve their organizational software assurance.

The introduction establishes the importance of focusing on software assurance within the current development and acquisition environment. Assurance methods relevant to each of the four critical software assurance areas are presented and participants are encouraged to discuss ways that adoption into the existing acquisition and development life cycles would improve their organizational software assurance.

Prerequisites. None. The target audience includes software managers and technical leads, software and lead engineers, software and system acquisition experts, and program/project management who are concerned with software security assurance across the acquisition and development life cycles.

Outline:

  1. Introduction (15 minutes)

Security problem space description & discussion. Challenges unique to software assurance; Terminology challenges: security, compliance, software assurance, information assurance

  1. Mission Thread Analysis (45 minutes)

Operational Mission Drives the Need for Assurance. How do current approaches connect the technology product to the mission? Mission Thread Analysis. Making the connection of quality (security) to mission. Examples.

  1. Security Requirements (30 minutes)

How have participants addressed security requirements or seen it done?  Is compliance with controls such as NIST SP 800-53 sufficient for software assurance?  . Discussion: identify opportunities for improvement.

  1. Software Supply Chain Risk Management (45 minutes)

Sources of vulnerabilities through a software supply chain. Challenges in evaluating  assurance of products and integrated solutions. Emerging international standards.  Discussion: opportunities for improvement

  1. Software Assurance Measurement (30 minutes) 

Overview of the Mission Risk Diagnostic approach evaluating software assurance based on mission risk; Tying security guidance and practices such as NIST SP800-53 and ISO 27002 to measurement.

  1. Summary & discussion (15 minutes)

About the Instructor:

Dr. Carol Woody has been a senior member of the technical staff since 2001. Currently she is the technical manager of the cyber security engineering team (http://www.cert.org/sse/) focusing on: building capabilities in defining, acquiring, developing, measuring, managing, and sustaining secure software for highly complex networked systems as well as systems of systems. Dr. Woody has helped government agencies, higher education, and industry identify effective security risk management solutions, develop approaches to improve their ability to identify security and survivability requirements, and field software and systems with greater assurance. Further details and recent publications are available at http://www.sei.cmu.edu/about/people/profile.cfm?id=woody_13756

 

Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC