Presentation is loading. Please wait.

Presentation is loading. Please wait.

23 October 2006Copyright 2006, RCI1 CONIPMO Overview Center for Systems and Software Engineering Convocation 2006 Donald J. Reifer Reifer Consultants,

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "23 October 2006Copyright 2006, RCI1 CONIPMO Overview Center for Systems and Software Engineering Convocation 2006 Donald J. Reifer Reifer Consultants,"— Presentation transcript:

1 23 October 2006Copyright 2006, RCI1 CONIPMO Overview Center for Systems and Software Engineering Convocation 2006 Donald J. Reifer Reifer Consultants, Inc. P.O. Box 4046 Torrance, CA 90510-4046 Phone: 310-530-4493 Email: dreifer@earthlink.netdreifer@earthlink.net CONIPMO

2 23 October 2006Copyright 2006, RCI2 Introduction to CONIPMO Parametric model to estimate engineering effort for developing network defenses –Anti-tamper is a subsidiary model Sponsored by MDA and the Army under a Phase I SBIR –Phase II follow-on effort applied for - decision pending Builds on COSYSMO effort (primarily sizing) –Includes 4 size and 12 cost drivers –Covers the full system engineering life cycle Security experts from nine firms were involved in its development Developed with USC-CSSE participation

3 23 October 2006Copyright 2006, RCI3 COSECMO/CONIPMO Differences COSECMO Security extensions to COCOMO II Entire life cycle 4 years old Variable granularity Size increased, existing drivers adjusted and a new SECU driver added Implementation guided by Common Criteria, Orange Book, etc. Size is driven by SLOC CONIPMO Security engineering Entire life cycle 1 year old ~ 2 data points 16 drivers Fixed granularity No anchor points Size of network defense model is driven by equivalent no. of security requirements

4 23 October 2006Copyright 2006, RCI4 Network Security –At What Cost? DMZ Firewall Router SQL Server Intrusion Prevention System Proxy Server Gateway Sniffer Servers Defense-in-depth is a necessary, but expensive proposition requiring additional equipment and software to provide layers of protection against intruders, both insiders and outsiders. Costs need to be justified by the protection provided.

5 23 October 2006Copyright 2006, RCI5 Security Impact on Engineering Effort For software developers: –Source lines of code increases –Effort to generate software increases Security functional requirements Security assurance requirements –Effort to transition also increases More documentation Additional certification and accreditation costs For systems engineers: –Effort to develop system increases Network defense requirements Network defense operational concepts Program protection requirements Anti-tamper implementation –Effort to transition also increases DITSCAP and red teaming Being addressed by COSECMOBeing addressed by CONIPMO

6 23 October 2006Copyright 2006, RCI6 Goals Established for CONIPMO Three primary goals for the effort were established using the GQM approach –Be able to generate an accurate estimate of the time and effort needed to secure the network infrastructure defenses –Be able to validate the estimate using actuals –Be able to predict the effort involved should anti-tamper be a requirement Expert Collaborators Group Formed

7 23 October 2006Copyright 2006, RCI7 CONIPMO Life Cycle Framework ConceptualizeDevelopOT&ETransition to Operations Operate, Maintain or Enhance Replace (or Dismantle) 1. Requirements specification 2. Architecture development 3. Project planning 4. Product assessments 5. HW and SW acquisitions 6. Software development, integration & test 7. OT&E8. Transition and turnover 9. DIACAP 10. Operations 11. Maintenance 12. Replace (or destroy) Program Protection Tasks (if required) 13. Program protection planning 14. HW and SW acquisitions 15. HW and SW modifications/ enhancements 16. Red teaming 17. Independent T&E 18. DIACAP 19. Maintenance20. Destroy Heuristics Parametric Heuristic modelmodel model Heuristic model

8 23 October 2006Copyright 2006, RCI8 EIA/ANSI 632 EIA/ANSI 632 - Provide an integrated set of fundamental processes to aid a developer in the engineering or re-engineering of a system Relationship to Key SE Standards System life ISO/IEC 15288 Level of detail ConceptualizeDevelop Transition to Operation Operate, Maintain, or Enhance Replace or Dismantle Process description High level practices Detailed practices ISO/IEC 15288 - Establish a common framework for describing the life cycle of systems Purpose of the Standards: IEEE 1220 IEEE 1220 - Provide a standard for managing systems engineering Source : Draft Report ISO Study Group May 2, 2000 OT&E -------------

9 23 October 2006Copyright 2006, RCI9 WBS-Based Network Defense Model PM = Person Month CM = Calendar Month Network Defense Infrastructure Estimating Model ConceptualizeSee Slide 13 DevelopmentSee Slide 13 Operational Test & Evaluation Effort OT&E (PM) = Effort function (no. of test scenarios required for acceptance) (PM) Duration OT&E (CM)= function (effort and available schedule time) Transition to Operations Effort Turnover (PM) = Effort Transition (PM) + Effort DITSCAP (PM) Where: Effort Transition = Estimated Level-of-Effort based on available manpower Effort DITSCAP = Estimated Level-of-Effort based on past experience Duration Turnover (CM) = Fixed at one year for transition and eighteen months for DIACAP Operate & Maintain Effort O&M (PM) = Effort Ops (PM) + Effort Maintenance (PM) Where: Effort Ops = Estimated Level-of-Effort based on budgeted manpower Effort Maintenance = Estimated using code fragment changed model + additional inputs to accommodate COTS packages + hardware repairs, updates and replacement + recertification costs Duration O&M (CM) = Fixed on a annual basis for operations and release plans for maintenance Replace (or Destroy) Effort Replace (PM) = Effort function (system size) (PM) + Effort Recertify (PM) Where: Effort Recertify = Estimated Level-of-Effort based on no. of requirements and availability of regression tests and test scripts Duration Replace (CM) = function (effort) and upgrade plans

10 23 October 2006Copyright 2006, RCI10 Rules of Thumb for Network Defense Model for Effort Estimation Life Cycle PhaseParameter Computed Rules of Thumb Operational Test & Evaluation Effort OT&E (PM) Effort Range = function (difficulty) Small Moderate Large 1 to 10 scenarios 11 to 25 scenarios Over 25 scenarios (assume that operational test & evaluation is highly automated) 4 to 6 PM 8 to 12 PM 18 to 24 PM Transition to Operations Effort DITSCAP (PM) Effort Range = function (difficulty) Limited Average Extensive Self contained, little Some external Lots of external external agency coordination, coordination, tests coordination, informal formal test and witnessed by customer test and acceptance acceptance and very formal 8 to 12 PM 24 to 36 PM 48 to 60 PM Replace (or Destroy)Effort f (system size) (PM) Effort Range = function (difficulty) Small Moderate Large 10K requirements system requirements 6 to 8 PM 12 to 18 PM 18 to 24 PM Effort Recertify (PM) Effort Range = function (difficulty) Small Moderate Large < 10 tests 10 to 50 tests More than 50 tests (assume that recertification testing is highly automated) 4 to 6 PM 8 to 12 PM 18 to 24 PM

11 23 October 2006Copyright 2006, RCI11 Network Defense Early Phase Cost Model 12 Effort = A (B) ∏ D i (Size) C i = 1 Size -No of requirements -No. of interfaces -No. of operational scenarios -No. of critical algorithms -No. of false alarms -+ Volatility Factor Effort (PM) Duration (CM) Calibration Where Effort = All hours to perform engineering tasks (requirements, architecture, development, test and integration; includes task management, in PM (152 hours/month)) A = Calibration constant B = Architecture constant (see Page 13) C = Power law D i = Cost Drivers Where: ∏ D i = product of their ratings Size = No. of weighted predictors scaled for a given false alarm rate Note: The model takes the form of a regression model. We are currently working with our collaborators to reduce the number of cost drivers to the set that captures the variations in effort as noted by our experts. The size drivers are taken from the COSYSMO model as representative of systems comprised of both hardware and software components. Acquisitions are excluded and their costs must be added to the estimates generated. See descriptions for cost drivers on following pages Duration = Function (Effort)

12 23 October 2006Copyright 2006, RCI12 Architectural Constant ArchitectureDescriptionValue No defensesMaybe a firewall, but that is it1.22/1.25 Basic defensesHardware firewall; router authorization; OS patches up-to-date; local authentication 1.11/1.10 Standard defenses Basic plus IDS; network scanner to identify intrusions; log files analyzed ; system swept to identify vulnerabilities 1.00 Advanced defenses Standard plus DMZ configuration; IPS; layered defenses aimed at identifying and recovering from insider & outsider attacks 0.91/0.90 State-of-the-art defenses Advanced plus proxy server configuration; defense-in- depth with active alerts on situation displays; honeypots for forensics 0.84/0.80 Architecture Constant (B): A constant used to adjust the model to reflect the following range of network defense requirements/architectures.

13 23 October 2006Copyright 2006, RCI13 Size Drivers (Network Defense) No. of System Requirements –Represents the weighted number of network defense requirements in system- of-interest at a specific level of design. Requirements may be functional, performance, feature or service-oriented in nature depending on specification methodology. No. of Major Interfaces –Represents the weighted number of shared major physical and logical boundaries between network defense system components or functions (internal interfaces) and those external to the system (external interfaces). No. of Operational Scenarios –Represents the weighted number of operational scenarios that the network defense system must satisfy. Such threads typically result in end-to-end tests that are developed to validate the system satisfies all of its requirements. No. of Critical Algorithms –Represents the weighted number of newly defined or significantly altered functions that require unique mathematical algorithms to be derived to achieve the network defense system performance requirements.

14 23 October 2006Copyright 2006, RCI14 Number of False Alarms No. of False Alarms (quality normalization factor) –Sets the false alarm goal for the network defense system. This is the cumulative number of false alarms per day that are displayed on situational awareness consoles. –False alarm rate used as a weighting factor for the size driver summation. Number of False Alarms DescriptionWeighting Factor Very LowNo. of false alarms less than one per day on average0.75 LowNo. of false alarms less than two per day on average0.87/0.90 NominalNo. of false alarms between two and five per day during nominal traffic load on the network 1.00 HighNo. of false alarms between five and eight per day on average1.35/1.30 Very HighNo. of false alarms greater than eight per day1.56/1.70 Size = (Weighting Factor) ∑ w i SD i

15 23 October 2006Copyright 2006, RCI15 Driver Definitions (Continued) Number and Diversity of Vendor Products & Platforms/ Installations –Rates the ability to mount defenses based on the number of vendors products being used and platforms/installations that need to be defended. –Effort tends to increase non-linearly as number of vendors/platforms increases. Personnel/Team Experience –Rates the capabilities and experience of the security team when implementing defenses similar to those being proposed for the network. Process Capability –Rates the effectiveness and robustness of the processes used by the security team in establishing the network infrastructure defenses. Requirements Complexity –Rates the precedentedness, difficulty and volatility of the overarching requirements established for network defense (common criteria assurance and functional levels, etc.).

16 23 October 2006Copyright 2006, RCI16 Driver Definitions (Completed) Secure Facility Constraints –Rates the difficulty of performing work as a function of physical security constraints placed on the team implementing network security (cipher locks, guards, security processes, etc.). Stakeholder Team Cohesion –Rates the degree of shared vision and cooperation exhibited by the different organizations working on security the network infrastructure (customer, developer, auditor, etc.). Technology Maturity –Rates the relative maturity of the technology selected for use in the defense of the network using NASA’s Technology Readiness Levels. Tools Support –Rates the coverage, integration and maturity of the tools used, both hardware and software, to mount network defenses (includes test automation for revalidating defenses once they are changed).

17 23 October 2006Copyright 2006, RCI17 EMR Results (Collaborator Group) Level of Service Requirements------------------------------------------------------- 2.72 Technology Maturity---------------------------------------------------- 2.50 Personnel/Team Experience--------------------------------------------- 2.07 Stakeholder Team Cohesion-------------------------------------------- 2.06 Tools Support------------------------------------------ 1.87 Requirements Complexity------------------------------------------ 1.93 Process Capability----------------------------------------- 1.78 Architecture Understanding------------------------------------------- 2.00 Migration Complexity-------------------------------------- 1.65 Degree of Innovation------------------------------------ 1.52 Secure Facility Constraints-------------------------------------- 1.65 No. and Diversity of Installations---------------------------------------- 1.70 0.0 1.0 2.0 3.0 EMR

18 23 October 2006Copyright 2006, RCI18 EMR Results (Delphi Round 1) Level of Service Requirements------------------------------------------------------------ 2.87 Technology Maturity------------------------------------- 1.65 Personnel/Team Experience------------------------------------------------------------- 2.92 Stakeholder Team Cohesion------------------------------------------- 1.94 Tools Support-------------------------------------- 1.75 Requirements Complexity--------------------------------------------- 2.04 Process Capability------------------------------------------- 1.93 Architecture Understanding------------------------------------------- 1.95 Migration Complexity--------------------------------------- 1.83 Degree of Innovation---------------------------------- 1.49 No. and Diversity of Installations------------------------------------ 1.60 0.0 1.0 2.0 3.0 EMR Secure Facility Constraints----------------------------- 1.27

19 23 October 2006Copyright 2006, RCI19 Anti-Tamper Early Phase Cost Model 11 Effort = A ∏ D i (Size) C i =1 Size - No. of function or feature points (see IFPUG for definitions) Effort (PM) Duration (CM) Calibration Where Effort = all hours to perform engineering tasks in PM (152 hours/month) A = calibration constant C = power law ∏ D i = product of their ratings D i = cost drivers (see amplifying description for each of the drivers) Size = effective size of the application being protected

20 23 October 2006Copyright 2006, RCI20 Candidate Cost Drivers for Anti- Tamper Early Phase Cost Model Cost Drivers Architecture Complexity Process Capability Degree of Ceremony Requirements Complexity Depth and Breadth of Protection Requirements (in PPP) Stakeholder Team Cohesion Level of Service Requirements Technology Maturity Number and Diversity of Platforms/ Installations Tools Support (for protection) Personnel/Team Experience

21 23 October 2006Copyright 2006, RCI21 AT Unique Cost Drivers Degree of Ceremony –Rates the formality in which the team operates during development, testing, red teaming and DITSCAP certification. Ratings are a function of support that needs to be provided along with documentation. Depth and Breadth of Protection Requirements –Rates the breadth and depth of protection required in terms of how much protection, both hardware and software, must be mechanized to satisfy the requirements in the Program Protection Plan. Tool Support (for protection) –Rates the degree of coverage, integration and maturity of the tools used, both hardware and software, to mechanize protection (includes the test automation available for revalidating protection once the defenses are changed for whatever reason).

22 23 October 2006Copyright 2006, RCI22 EMR Results (Collaborators Group) Level of Service Requirements--------------------------------------------------------- 2.85 Technology Maturity---------------------------------------------------- 2.50 Personnel/Team Experience------------------------------------------------- 2.37 Stakeholder Team Cohesion--------------------------------------------- 2.06 Tools Support------------------------------------------ 1.90 Requirements Complexity------------------------------------------ 1.93 Process Capability----------------------------------------- 1.78 Architecture Understanding------------------------------------------- 2.00 Migration Complexity-------------------------------------- 1.65 Depth & Breadth of Requirements-------------------------------------------- 2.05 Degree of Ceremony---------------------------------------------- 2.17 0.0 1.0 2.0 3.0 EMR EMR values differ slightly for AT Early Estimation Model

23 23 October 2006Copyright 2006, RCI23 EMR Results (Round 1 Delphi) Level of Service Requirements--------------------------------------------------------- 2.67 Technology Maturity------------------------------------------------- 2.20 Personnel/Team Experience-------------------------------------------------------------------------- 3.25 Stakeholder Team Cohesion-------------------------------------------------- 2.33 Tools Support--------------------------------------- 1.77 Requirements Complexity------------------------------------------ 1.89 Process Capability----------------------------------------- 1.79 Architecture Understanding-------------------------------------------- 2.13 No. and Diversity of Platforms--------------------------------------- 1.70 Depth & Breadth of Requirements------------------------------------------------------------------------- 3.25 Degree of Ceremony--------------------------------------------- 2.13 0.0 1.0 2.0 3.0 EMR EMR values differ slightly for AT Early Estimation Model

24 23 October 2006Copyright 2006, RCI24 USC CONIPMO USC CS577 project –Two semester course –Six person software development team –Two person IV&V team located remotely –Visual Basic package with “touch & feel” of the current USC COCOMO II package –Will have lots of features including a self-calibration mode

25 23 October 2006Copyright 2006, RCI25 Next Steps – CY2006-7 Schedule Task3 rd Quarter4th Quarter1st Quarter2 nd Quarter Model Development 1. Define drivers 2. Rate drivers via DelphiUpdate 3. Develop counting rules 4. Develop model definition manual 5. Build prototype model 6. Calibrate prototype model Data Collection 1. Develop data collection questionnaire 2. Test questionnaire utility via trial use 3. Capture data 4. Build Excel database 5. Statistically analyze data 6. Calibrate model and its parameters NOW START PHASE II CONTRACT

26 23 October 2006Copyright 2006, RCI26 Issues Raised in Delphi Many security products used commercially are COTS –Security must be included as an integral part of the COTS selection, tailoring and integration processes Security team part of systems effort and not separable –Only separable effort the security certification and accreditation (C&A) activity (normally part of DIACAP) –May need to look at different teams doing security work (e.g., engineering, operational and certification teams) –Hard to determine percent effort and schedule Number of platforms a function of number of sites the system deployed –May want to consider this a size rather than cost driver

27 23 October 2006Copyright 2006, RCI27 More Issues Raised in Delphi Process capability should address the certification and accreditation team as well as systems engineering personnel –Must report pass/fail status of each of 110+ MAC-1 controls Technology maturity is viewed negatively for security because maturity infers vulnerabilities Size driver definitions need to be clearer especially in terms of the impacts of interfaces and operational scenarios False alarms is a good normalization factor to use for the model Anti-tamper model should be kept separate because it is addressed by different teams –Typically driven by protection and not security requirements –Trying to protect loss of intellectual property via reverse engineering

28 23 October 2006Copyright 2006, RCI28 Past and Present CONIPMO Players Delphi participants –Aerospace –Galorath, Inc. –General Dynamics –Lockheed Martin –MIT –Northrop Grumman –Sentar, Inc. –Teledyne Solutions, Inc. –USC Letters of endorsement –Army Space & Missile Defense Future Warfare Center (SMDC/FWC) –Naval Underwater Warfare Center (NUWC) –Net-Centric Certification Office (DISA) –MDA/Ground Midcourse Defense (GMD) Element –Galorath, Inc. –Lockheed Martin

29 23 October 2006Copyright 2006, RCI29 Future Needs/Challenges Getting people to talk, share ideas, provide data and collaborate –Often close-mouthed due to classification issues Access to real data for use in validating model Winning a Phase II support –Must acquire a steady stream of funds for several years of data collection

30 23 October 2006Copyright 2006, RCI30 Questions or Comments Donald J. Reifer dreifer@earthlink.net Phone: 310-530-4493 When eating an elephant take one bite at a time. ………Creighton Adams An elephant is a mouse built to Mil-Spec. ……….Sayings Galore

Download ppt "23 October 2006Copyright 2006, RCI1 CONIPMO Overview Center for Systems and Software Engineering Convocation 2006 Donald J. Reifer Reifer Consultants,"

Similar presentations

Ninth Lecture Hour 8:30 – 9:20 pm, Thursday, September 13

Ninth Lecture Hour 8:30 – 9:20 pm, Thursday, September 13
Printed by www.postersession.com CONIPMO (Constructive Infrastructure Protection Model): ACCURATELY ESTIMATING HOW MUCH IT WILL COST TO SET UP NETWORK.

Printed by CONIPMO (Constructive Infrastructure Protection Model): ACCURATELY ESTIMATING HOW MUCH IT WILL COST TO SET UP NETWORK.
On Representing Uncertainty In Some COCOMO Model Family Parameters October 27, 2004 John Gaffney 301-240-7038 Fellow, Software & Systems.

On Representing Uncertainty In Some COCOMO Model Family Parameters October 27, 2004 John Gaffney Fellow, Software & Systems.
ITIL: Service Transition

ITIL: Service Transition
Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)

Sixth Hour Lecture 10:30 – 11:20 am, September 9 Framework for a Software Management Process – Artifacts of the Process (Part II, Chapter 6 of Royce’ book)
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Rational Unified Process

Rational Unified Process
March 2002 COSYSMO: COnstructive SYStems Engineering Cost MOdel Ricardo Valerdi USC Annual Research Review March 11, 2002.

March 2002 COSYSMO: COnstructive SYStems Engineering Cost MOdel Ricardo Valerdi USC Annual Research Review March 11, 2002.
11/08/06Copyright 2006, RCI1 CONIPMO Workshop Out-brief 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants,

11/08/06Copyright 2006, RCI1 CONIPMO Workshop Out-brief 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants,
Some Experience With COSYSMOR At Lockheed Martin

Some Experience With COSYSMOR At Lockheed Martin
University of Southern California Center for Software Engineering CSE USC ©USC-CSE 10/23/01 1 COSYSMO Portion The COCOMO II Suite of Software Cost Estimation.

University of Southern California Center for Software Engineering CSE USC ©USC-CSE 10/23/01 1 COSYSMO Portion The COCOMO II Suite of Software Cost Estimation.
Costs of Security in a COTS-Based Software System True Program Success TM Costs of Security in a COTS-Based Software System Arlene Minkiewicz, Chief Scientist.

Costs of Security in a COTS-Based Software System True Program Success TM Costs of Security in a COTS-Based Software System Arlene Minkiewicz, Chief Scientist.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Ch8: Management of Software Engineering. 1 Management of software engineering  Traditional engineering practice is to define a project around the product.

Ch8: Management of Software Engineering. 1 Management of software engineering  Traditional engineering practice is to define a project around the product.
7 November 2006Copyright 2006, RCI1 CONIPMO Workshop 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants,

7 November 2006Copyright 2006, RCI1 CONIPMO Workshop 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants,
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Fundamentals of Information Systems, Second Edition

Fundamentals of Information Systems, Second Edition
System-of-Systems Cost Modeling: COSOSIMO July 2005 Workshop Results Jo Ann Lane University of Southern California Center for Software Engineering.

System-of-Systems Cost Modeling: COSOSIMO July 2005 Workshop Results Jo Ann Lane University of Southern California Center for Software Engineering.
SQM - 1DCS - ANULECTURE 11-2005 Software Quality Management Software Quality Management Processes V & V of Critical Software & Systems Ian Hirst.

SQM - 1DCS - ANULECTURE Software Quality Management Software Quality Management Processes V & V of Critical Software & Systems Ian Hirst.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Similar presentations

Ads by Google