Delivering Results that Endure: Managing Risks in the Software Acquisition Process. GFIRST Conference, June 2007. Stan Wisseman.

Presentation transcript:

Slide 1
Software vulnerabilities jeopardize infrastructure operations, business operations and services, intellectual property, and national security.
- System interdependence and software dependence make software the weakest link.
- Outsourcing and use of an un-vetted software supply chain increase risk exposure.
- Reuse of software introduces other unintended consequences, increasing the number of vulnerable targets.

Slide 2
Must raise acquisition officials' awareness of the need to exercise due diligence for software assurance.
- The rampant worldwide increase in exploitation of software vulnerabilities demands that software not only be checked for acceptable functionality, but also achieve acceptable software assurance.
- Need to convey the message to acquisition officials that managing risks during acquisition increases confidence that software can be trusted to perform as expected and be more resistant to attack.
- To that end, acquisition officials have a due diligence responsibility to factor in software assurance to reduce the risk exposure of software being passed to users.

Slide 3
Need to go beyond features and require assured software. You may have built a perfectly functional car, but that doesn't mean its gas tank won't blow up.
- Acquisitions usually focus on functional requirements
- but omit non-functional security requirements!
- You can't assume security will be addressed by the suppliers.

Slide 4
The continual assurance of software-intensive systems in the Follow-on Phase presents some unique challenges.
- Many software systems are not architecturally designed for modifications.
- System and software engineering change control mechanisms can lack traceability, rigor, and documentation.
- Personnel turnover causes loss of corporate knowledge about maintaining and ensuring the integrity of software.
- Many software support agencies are not the original software manufacturer and do not employ the same methods, tools, and processes used in development.
- Need to ensure that the assurance/security requirements implemented and accepted in previous contracts flow to follow-on contract efforts.

Slide 5
Gathering data about the software and the supplier is critical to making smart software acquisitions.
- Does the supplier have an executive-level officer responsible for the security of their software products and/or processes?
- Does the supplier have a vulnerability management and reporting policy? Is it available for review?
- Has the software been measured/assessed for its resistance to identified, relevant attack patterns (CAPEC)?
- Are static or dynamic software security analysis tools used to identify weaknesses in the software that can lead to exploitable vulnerabilities? If yes, which classes of weaknesses are covered (CWE)?
- What policies and processes does the supplier use to verify that software components do not contain unintended, "dead," or malicious code?
- How can the integrity of an update/patch be verified to ensure that it is correct and unaltered?
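The last question on slide 5 asks how an acquirer can confirm that a delivered update is correct and unaltered. The following is an added example, not part of the original presentation, showing the minimal acceptance check an acquirer can run: compare every file in a delivered release bundle against the SHA-256 digests the supplier publishes in a manifest, and reject the bundle if any file is altered, missing, or not listed. All file contents, names and digests below are constructed for illustration; the example assumes the manifest itself was obtained over an authenticated channel (or carries a supplier signature checked separately), because a digest list that arrives alongside the files it describes proves nothing on its own.

```python
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample release contents (hypothetical; not a real product).
PATCH_OK = b"patch-1.2.3: replace libfoo.so with hardened build\n"
README = b"Release notes for patch 1.2.3 (constructed sample)\n"

# One byte of the patch flipped in transit: a constructed tampered copy.
PATCH_TAMPERED = bytes([PATCH_OK[0] ^ 0x01]) + PATCH_OK[1:]

# Supplier-published manifest: artifact name -> expected SHA-256 (hex).
# Assumed to be trusted (fetched over an authenticated channel or signed).
MANIFEST: Dict[str, str] = {
    "patch-1.2.3.bin": sha256_hex(PATCH_OK),
    "README.txt": sha256_hex(README),
}


def check_release(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Per-file verdict for a delivered bundle against the manifest.

    Verdicts: 'ok', 'digest-mismatch' (content altered), 'not-in-manifest'
    (an extra file the supplier never listed), 'missing' (a listed file the
    bundle lacks). Every delivered and every listed file gets a verdict so a
    truncated or padded bundle is caught, not only a modified one.
    """
    verdicts: Dict[str, str] = {}
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            verdicts[name] = "not-in-manifest"
        elif hmac.compare_digest(sha256_hex(data), expected.lower()):
            # Constant-time comparison; hex digests are normalised to lowercase.
            verdicts[name] = "ok"
        else:
            verdicts[name] = "digest-mismatch"
    for name in manifest:
        if name not in files:
            verdicts[name] = "missing"
    return verdicts


def release_is_acceptable(verdicts: Dict[str, str]) -> bool:
    """Accept only when every file is present, listed, and unaltered."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


if __name__ == "__main__":
    good = {"patch-1.2.3.bin": PATCH_OK, "README.txt": README}
    tampered = {"patch-1.2.3.bin": PATCH_TAMPERED, "README.txt": README}
    for label, bundle in (("good", good), ("tampered", tampered)):
        v = check_release(bundle, MANIFEST)
        print(label, v, "accept" if release_is_acceptable(v) else "reject")
```

A digest manifest only pins the bytes to what the supplier said they were; it says nothing about whether those bytes are free of the "dead" or malicious code the previous question asks about, so this check complements, rather than replaces, the analysis and supplier-process questions above.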
