Cyber Security Engineering: Lifecycle Assurance of Systems and Software
Software Engineering Institute (SEI) members Nancy Mead and Carol Woody lay the groundwork for why a lifecycle approach to cyber security engineering is critical for ensuring system and software security.
with Warren Axelrod and Dan Shoemaker
Everything we do these days involves system and software technology: Cars, planes, banks, restaurants, stores, telephones, appliances, and entertainment rely extensively on technology. The operational security of these software-intensive systems depends on the practices and techniques used during their design and development. Many decisions made during acquisition and development have an impact on the options for security once systems are deployed. Quality is important, but simply reducing software defects is not sufficient for effective operational security. Lifecycle processes must consider the security-related risks inherent in the operational environments where systems are deployed. Increased consideration of operational security risk earlier in the acquisition and development processes provides an opportunity to tune decisions to address security risk and reduce the total cost of operational security. This book provides key operational management approaches, methodologies, and practices for assuring a greater level of software and system security throughout the development and acquisition lifecycle.
This book contains recommendations to guide software professionals in creating a comprehensive lifecycle process for system and software security. That process allows organizations to incorporate widely accepted and well-defined assurance approaches into their own specific methods for ensuring operational security of their software and system assets. It’s worth pointing out that the material in this book is applicable to many different types of systems. Although many of our recommendations originated from our work in information systems security, the recommendations are equally applicable to systems used to support critical infrastructure, such as industrial control systems and SCADA (supervisory control and data acquisition) systems. The same can be said for other hardware/software systems that are not primarily information systems but exist to support other missions.
This book also provides a learning tool for those not familiar with the means and methods needed in acquisition and development to address operational security. Today’s tools and existing products allow almost anyone to create a software-based system that meets its functional requirements, but critical skills and practices are needed to ensure secure deployment results.
The exponential increase in cybercrime is a perfect example of how rapidly change is happening in cyberspace and why operational security is a critical need. In the 1990s, computer crime was usually nothing more than simple trespasses. Twenty-five years later, computer crime has become a vast criminal enterprise, with profits estimated at $1 trillion annually. And one of the primary contributors to this astonishing success is the vulnerability of America’s software to exploitation through defects. How pervasive is the problem of vulnerability? Veracode, a major software security firm, found that “58 percent of all software applications across supplier types [failed] to meet acceptable levels of security in 2010” [Veracode 2012].
Increased system complexity, pervasive interconnectivity, and widely distributed access have increased the challenges for building and acquiring operationally secure capabilities. Therefore, the aim of this book is to show you how to create and ensure persistent operational assurance practice across all of the typical activities that take place across the system and software lifecycle.