Presentation is loading. Please wait.

Presentation is loading. Please wait.

FAA Information Technology- Information Systems Security R&D Workshop 2003 13 June 2015© 2002-3 USC-CSE Extending COCOMO II to Estimate the Cost of Developing.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "FAA Information Technology- Information Systems Security R&D Workshop 2003 13 June 2015© 2002-3 USC-CSE Extending COCOMO II to Estimate the Cost of Developing."— Presentation transcript:

1 FAA Information Technology- Information Systems Security R&D Workshop 2003 13 June 2015© 2002-3 USC-CSE Extending COCOMO II to Estimate the Cost of Developing Secure Software Edward Colbert, Murali Gangadharan, Donald Reifer, & Barry Boehm {ecolbert, murali, boehm}@cse.usc.edu, d.reifer@ieee.org

2 23 June 2015© 2002-3 USC-CSE Outline  Why Extend COCOMO II for Security?  The COCOMO II & Modeling Methodology  New Security Cost Driver & its Factors  COCOMO II Cost Driver Values  Analysis of Security Impact On Other Drivers  Next Steps & Summary

3 33 June 2015© 2002-3 USC-CSE Why Extend COCOMO II for Security  Military projects have considered security in developing software since the early 1980s  Until recently commercial projects often gave it little weight  Threat to business-critical systems & private information has grown –Security can no longer be ignored  Few cost models (including COCOMO II) include security factors –Based 1980s military perspective (Orange Book) –Developing secure systems has changed dramatically

4 43 June 2015© 2002-3 USC-CSE Adding Security to Cost Models  Several approaches for addressing security –Modernize existing models Primarily by updating definitions of cost drivers –Add new cost drivers to cost models –Develop separate security model

5 53 June 2015© 2002-3 USC-CSE Adding Security to Cost Models  USC has taken intermediate approach –Add factor that addresses security from 3 viewpoints Development Operational Physical (Development Constraints) –Include factors as appropriate to all COCOMO II family cost models –Address both commercial & military projects regardless of Size Domain Level of maturity

6 63 June 2015© 2002-3 USC-CSE Outline  Why Extend COCOMO for Security?  The COCOMO II & Modeling Methodology  New Security Cost Driver & its Factors  COCOMO II Cost Driver Values  Analysis of Security Impact On Other Drivers  Next Steps & Summary

7 73 June 2015© 2002-3 USC-CSE Project scale factors: maturity, risk, flexibility, teamwork & precedentedness Software product, process, project & personnel cost drivers COCOMO II Refresher COCOMO II Model Software size estimate Software organization’s project data Effort & duration estimates Cost, schedule distribution by phase, activity, increment COCOMO II recalibrated to organization’s data Effort in Person Month SF: Scale Factors (5) EM: Effort Multipliers(17)

8 83 June 2015© 2002-3 USC-CSE COCOMO II Family of Cost Models COCOMO II Calibration Models Risk & Tradeoff Models Allocation Models Sizing Models Reuse Models COCOTS COQUALMO CORADMO COSYSMO OTHERS

9 93 June 2015© 2002-3 USC-CSE COCOMO II Modeling Methodology Analyze Existing Literature Perform Behavioral Analysis Determine Form of model &Identify relative significance of parameters Perform expert Judgment, Delphi Assessment Gather Project Data Determine Bayesian A Posteriori update Gather more data; Refine model

10 103 June 2015© 2002-3 USC-CSE Outline  Why Extend COCOMO for Security?  The COCOMO II & Modeling Methodology  New Security Cost Driver & its Factors  COCOMO II Cost Driver Values  Analysis of Security Impact On Other Drivers  Next Steps & Summary

11 113 June 2015© 2002-3 USC-CSE COCOMO II Security Driver (SECU)  Viewpoints –Design & Development for Security –Operational Security –Physical Security (Development Constraints)  Driver Ratings –Low –Nominal –High –Very High –Extremely High

12 123 June 2015© 2002-3 USC-CSE Security Factors  Design & Development for Security –Effect of design methodologies & processes for development & validation when security is factor  Operational Security –Effect of security policies, processes, tools & facilities that: Permit identification of security events Define subsequent actions to identify key elements Report pertinent information to appropriate individual, group, or process  Development Constraints –Constraints placed on development when protecting software facilities: From outside perimeter to inside office space Includes all of information system resources

13 133 June 2015© 2002-3 USC-CSE Design & Development for Security Rating : Low & Nominal  Low –No security requirements –No protection other than provided by execution environment  Nominal Requirements  Informal security requirements formulated for system Design  Analysis of security functions using –Informal functional & interface specification –Descriptive high-level design –Informal demonstration of corresponding pairs Testing  Developer tests implementation of requirements –Black box testing Life-cycle controls  Simple Configuration Management with version numbers

14 143 June 2015© 2002-3 USC-CSE Design & Development for Security Rating : High  Nominal + Requirements  Fully defined external interfaces  Informal security policy modeling Design  High-level design enforces security  Informal low-level design description Testing  Independent testing of all functional requirements  Inspection of COTS/OSS source code if available  Developer vulnerability analysis Life-cycle controls  Detailed delivery & installation procedures –with well-defined security defaults  Developer-defined life-cycle model –with well-defined development tools

15 153 June 2015© 2002-3 USC-CSE Design & Development for Security Rating: Very High  High+ Requirements  Semi-formal functional specifications  Semi-formal security policy modeling Design  Semi-formal high-level design  Semi-formal Correspondence demonstration  Modular implementation  Dynamic analysis for COTS/OSS Testing  Evidence of coverage for all developer test results  Testing of high-level design  Independent vulnerability analysis  Independent validation of analysis Life-cycle controls  Partial automation of CM –with authorization control, problem tracking, & detection of modification  Measurable life-cycle model –with compliance to implementation standards

16 163 June 2015© 2002-3 USC-CSE Design & Development for Security Rating: Extremely High  Very High + Requirements  Formal functional specification  Formal security policy modeling Design  Formal high level explanation  Formal Correspondence Demonstration  Structured implementation with minimization of complexity  Secure container for COTS & OSS Testing  Analysis of coverage of tests  Analysis & testing for insecure states  Ordered functional testing with tests of low-level design  Covert channel analysis Life-cycle controls  Compete automation of CM –with coverage for developer tools  Measurable life-cycle model –with supporting empirical data

17 173 June 2015© 2002-3 USC-CSE Operational Security Rating: Low & Nominal  Low –No organization-wide security policies –Ad-hoc security practices –Optional firewall & virus protection  Nominal Administrative controls  Basic Security policies –inc. Password & Virus Protection policy Network access & system use policy  Guidelines for administrators & users  Guidelines for regular backups of critical data Technical Controls  Reasonable practices for –Checksum Verification –Firewalls –Operating system logging  Simple password-based authentication schemes

18 183 June 2015© 2002-3 USC-CSE Operational Security Rating: High  Nominal + Administrative Controls  Security policies include –User administration policies –Access administration policies  Documentation & logging of all security incidents  Discretionary Access Control Policies for all resources  Security Screening of all staff on project –Initial background screening Technical Controls  Media access controls –Marking, logging & Integrity verification  Strong communication security implemented with reasonable practices for –Virtual Public Networks –Wireless Access –Active systems & network monitoring  Multi-factor authentication using passwords & smart-tokens

19 193 June 2015© 2002-3 USC-CSE Operational Security Rating: Very High  High + Administrative Controls  Security policies include – Incident response policy – Data classification policy  Incident response teams formed to handle security breaches  Mandatory Access Control Policies to all resources  Project staffing process considers –Separation of duties –Access with least privilege Technical Controls  Defense-in-Depth strategy to protect system with reasonable practices for –Layered system monitoring with Intrusion Detection Systems –Write protected audit trails  Digital certificates & signatures used for –Authentication –Message integrity –Non-repudiation

20 203 June 2015© 2002-3 USC-CSE Operational Security Rating : Extremely High  Very High + Administrative Controls  Comprehensive Security policies including – Business continuity plans – Disaster recovery plans  Strong role-based access control for all resources Technical Controls  Defense-in-depth strategy for protection is implemented with reasonable practices for –Protection against insider & outsider attacks –Honeypots for proactive defense  Independent vulnerability analysis & penetration tests  All communications are encrypted  Multi-factor authentication with biometrics

21 213 June 2015© 2002-3 USC-CSE Development Constraints Rating Description  Nominal –None  High –All source materials are locked up when not in active use  Very High –High + Audited security markings in code  Extremely High –Very High+ Multi-compartment developer communication constraints

22 223 June 2015© 2002-3 USC-CSE Outline  Why Extend COCOMO for Security?  The COCOMO II Modeling & Methodology  New Security Cost Driver & its Factors  COCOMO II Cost Driver Values  Analysis of Security Impact On Other Drivers  Next Steps & Summary

23 233 June 2015© 2002-3 USC-CSE Draft Security Effort Distribution With large Standard Deviation

24 243 June 2015© 2002-3 USC-CSE Outline  Why Extend COCOMO for Security?  The COCOMO II & Modeling Methodology  New Security Cost Driver & its Factors  COCOMO II Cost Driver Values  Analysis of Security Impact On Other Drivers  Next Steps & Summary

25 253 June 2015© 2002-3 USC-CSE Existing COCOMO Drivers Affected By Security  Proposed security cost driver (SECU) constrain existing COCOMO II cost drivers  Security functions add to project’s size  Increases project risk RELYRequired software reliability CPLXProduct complexity DOCUDocumentation match to life-cycle needs SITEMulti-site development TOOLUse of software tools

26 263 June 2015© 2002-3 USC-CSE Security Effect on Risk  Projects risk is increased when –Security driver rating is >= high & –Rating of following drivers are <= low or nominal ACAP : Analyst Capability PCAP : Programmer Capability APEX : Application Experience PLEX : Platform Experience LTEX : Language Experience

27 273 June 2015© 2002-3 USC-CSE Outline  Why Extend COCOMO for Security?  The COCOMO II & Modeling Methodology  New Security Cost Driver & its Factors  COCOMO II Cost Driver Values  Analysis of Security Impact On Other Drivers  Next Steps & Summary

28 283 June 2015© 2002-3 USC-CSE Next Steps  Reach consensus on cost drivers –FAA Workshop with AS400 on security, July 03 –Delphi run & calibration of factors in works  Initiate efforts to statistically validate accuracy of model –Survey available 160+ COCOMO project data –Perform initial calibration  Create enhanced COCOMO data collection forms –Gather security related efforts  Compare actual project data to expert opinions –Calibrate the model by weighting Actual data Expert opinions using Bayesian statistical techniques

29 293 June 2015© 2002-3 USC-CSE Summary  Proposed extensions to COCOMO for development of Secure Systems –Based on Common Criteria & DITSCAP –1 Driver: SECU –3 Factors: Development for Security Operational Security Physical Security (Development Constraints) –Affects on other COCOMO II Drivers RELY, CPLX, DOCU, SITE, TOOL –Affects on Size –Affects on project risk  Hopefully stimulated your interest & motivated you to participate by sharing project data

Download ppt "FAA Information Technology- Information Systems Security R&D Workshop 2003 13 June 2015© 2002-3 USC-CSE Extending COCOMO II to Estimate the Cost of Developing."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Software Quality Assurance Plan

Software Quality Assurance Plan
Empirical Research at USC-CSE Barry Boehm, USC-CSE ISERN Presentation October 8, 2000

Empirical Research at USC-CSE Barry Boehm, USC-CSE ISERN Presentation October 8, 2000
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Copyright 2000, Stephan Kelley1 Estimating User Interface Effort Using A Formal Method By Stephan Kelley 16 November 2000.

Copyright 2000, Stephan Kelley1 Estimating User Interface Effort Using A Formal Method By Stephan Kelley 16 November 2000.
Using UML, Patterns, and Java Object-Oriented Software Engineering Royce’s Methodology Chapter 16, Royce’ Methodology.

Using UML, Patterns, and Java Object-Oriented Software Engineering Royce’s Methodology Chapter 16, Royce’ Methodology.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.

1 Evaluating Systems CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 6, 2004.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
March 2002 COSYSMO: COnstructive SYStems Engineering Cost MOdel Ricardo Valerdi USC Annual Research Review March 11, 2002.

March 2002 COSYSMO: COnstructive SYStems Engineering Cost MOdel Ricardo Valerdi USC Annual Research Review March 11, 2002.
02/12/00 E-Business Architecture

02/12/00 E-Business Architecture
University of Southern California Center for Software Engineering CSE USC COSYSMO: Constructive Systems Engineering Cost Model Barry Boehm, USC CSE Annual.

University of Southern California Center for Software Engineering CSE USC COSYSMO: Constructive Systems Engineering Cost Model Barry Boehm, USC CSE Annual.
11/08/06Copyright 2006, RCI1 CONIPMO Workshop Out-brief 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants,

11/08/06Copyright 2006, RCI1 CONIPMO Workshop Out-brief 21 st International Forum on COCOMO and Software Cost Modeling Donald J. Reifer Reifer Consultants,
University of Southern California Center for Systems and Software Engineering ©USC-CSSE1 Ray Madachy, Barry Boehm USC Center for Systems and Software Engineering.

University of Southern California Center for Systems and Software Engineering ©USC-CSSE1 Ray Madachy, Barry Boehm USC Center for Systems and Software Engineering.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
System-of-Systems Cost Modeling: COSOSIMO July 2005 Workshop Results Jo Ann Lane University of Southern California Center for Software Engineering.

System-of-Systems Cost Modeling: COSOSIMO July 2005 Workshop Results Jo Ann Lane University of Southern California Center for Software Engineering.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
The Information Systems Audit Process

The Information Systems Audit Process

Similar presentations

Ads by Google