Presentation is loading. Please wait.

Presentation is loading. Please wait.

Delivering results that endure Delivering Results that Endure Managing Risks in the Software Acquisition Process GFIRST Conference June 2007 Stan Wisseman.

Published byKristian Hopkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Delivering results that endure Delivering Results that Endure Managing Risks in the Software Acquisition Process GFIRST Conference June 2007 Stan Wisseman."— Presentation transcript:

1 delivering results that endure Delivering Results that Endure Managing Risks in the Software Acquisition Process GFIRST Conference June 2007 Stan Wisseman Wisseman_stan@bah.com

2 1 Delivering Results that Endure Software vulnerabilities jeopardize infrastructure operations, business operations & services, intellectual property, and national security  System interdependence and software dependence has software as the weakest link  Outsourcing and use of an un- vetted software supply chain increases risk exposure  Reuse of software introduces other unintended consequences increasing the number of vulnerable targets

3 2 Delivering Results that Endure Must raise acquisition officials awareness of the need to exercise due diligence for software assurance  Rampant worldwide increase in exploitation of software vulnerabilities demands that software not only be checked for acceptable functionality, but also achieve acceptable software assurance  Need to convey message to acquisition officials that managing risks during acquisition increases confidence that software is trusted to perform as expected and be more resistant to attack  To that end, acquisition officials have a due diligence responsibility to factor in software assurance to reduce the risk exposure of software being passed to users

4 3 Delivering Results that Endure Need to go beyond features and require assured aoftware You may have built a perfectly functional car, but that doesn’t mean it’s gas tank won’t blow up.  Acquisition usually focus on functional requirements  But omit non-functional security requirements!  You can’t assume security will be addressed by the suppliers

5 4 Delivering Results that Endure The continual assurance of software-intensive systems in the Follow-on Phase presents some unique challenges  Many software systems are not architecturally designed for modifications  System and software engineering change control mechanisms can lack traceability, rigor, and documentation  Personnel turnover causes loss of corporate knowledge about maintaining and ensuring integrity of software  Many software support agencies are not the original software manufacturer and do not employ the same methods, tools, and processes used in development  Need to ensure that the assurance/security requirements implemented and accepted in previous contracts flow to follow-on contract efforts

6 5 Delivering Results that Endure Gathering data about software and supplier is critical to making smart software acquisitions  Does the supplier have an executive-level officer responsible for the security of their software products and/or processes?  Does the supplier have a vulnerability management and reporting policy? Is it available for review?  Has the software been measured/assessed for its resistance to identified, relevant attack patterns (CAPEC)?  Are static or dynamic software security analysis tools used to identify weaknesses in the software that can lead to exploitable vulnerabilities? If yes, which classes of weaknesses are covered (CWE)?  What policies and processes does the supplier use to verify that software components do not contain unintended, “dead,” or malicious code?  How can the integrity of an update/patch be verified to ensure that it is correct and unaltered?

7 6 Delivering Results that Endure

Download ppt "Delivering results that endure Delivering Results that Endure Managing Risks in the Software Acquisition Process GFIRST Conference June 2007 Stan Wisseman."

Similar presentations

Copyright (C) The Open Group 2014 Securing Global IT Supply Chains and IT Products by Working with Open Trusted Technology Provider™ Accredited Companies.

Copyright (C) The Open Group 2014 Securing Global IT Supply Chains and IT Products by Working with Open Trusted Technology Provider™ Accredited Companies.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
153 Brooks Road, Rome, NY | 315.336.3306 | 153 Brooks Road, Rome, NY | 315.336.3306 |

153 Brooks Road, Rome, NY | | 153 Brooks Road, Rome, NY | |
The Role of Software Engineering Brief overview of relationship of SE to managing DSD risks 1.

The Role of Software Engineering Brief overview of relationship of SE to managing DSD risks 1.
Unit 251 Implementation and Integration Implementation Unit Testing Integration Integration Approaches.

Unit 251 Implementation and Integration Implementation Unit Testing Integration Integration Approaches.
School of Computing, Dublin Institute of Technology.

School of Computing, Dublin Institute of Technology.
TEMPUS ME-TEMPUS-JPHES

TEMPUS ME-TEMPUS-JPHES
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
CBIIT Quality Assurance Process Preston Wood NCI CBIIT Government Quality Representative (GQR) January 2014 RS.

CBIIT Quality Assurance Process Preston Wood NCI CBIIT Government Quality Representative (GQR) January 2014 RS.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
Merlin ITEA Symposium 2006. 2006Merlin Overview2 Problem domain Companies hardly develop embedded products completely on their own Embedded systems need.

Merlin ITEA Symposium Merlin Overview2 Problem domain Companies hardly develop embedded products completely on their own Embedded systems need.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
Software Assurance Software Acquisition Working Group Chairs: Stan Wisseman Booz Allen Hamilton Mary L. Polydys National Defense University Information.

Software Assurance Software Acquisition Working Group Chairs: Stan Wisseman Booz Allen Hamilton Mary L. Polydys National Defense University Information.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.

Software Testing Verification and validation planning Software inspections Software Inspection vs. Testing Automated static analysis Cleanroom software.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Secure Software Development SW Penetration Testing Chapter 6 Rasool Jalili & M.S. Dousti Dept. of Computer Engineering Fall 2010.

Similar presentations

Ads by Google