1.5 Case Studies Used in This Book
Throughout the book we use three case studies to illustrate real problems that organizations and individuals face:
- Wireless Emergency Alerts (WEA)—A real system for issuing emergency alerts
- Fly-By-Night Airlines—A fictitious airline with realistic problems
- GoFast Automotive—A fictitious automobile manufacturer with realistic problems
Brief descriptions of each case study follow, and we recommend that you familiarize yourself with these case study descriptions to understand the context for the case study vignettes that appear.
1.5.1 Wireless Emergency Alerts Case Study
The Wireless Emergency Alerts (WEA) service is a collaborative partnership that includes:
- The cellular industry
- Federal Communications Commission (FCC)
- Federal Emergency Management Agency (FEMA)
- U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T)
The WEA service enables local, tribal, state, territorial, and federal public safety officials to send geographically targeted emergency text alerts to the public.
An emergency alert is a message sent by an authorized organization that provides details of an occurring or pending emergency situation to designated groups of people. Alerts are initiated by many diverse organizations—for example, AMBER alerts from law enforcement and weather alerts from the National Weather Service.
Wireless emergency alerts are text messages sent to mobile devices, such as cell phones and pagers. The process of issuing this type of alert begins with a request from an initiator (such as law enforcement or the National Weather Service) to submit an alert. The request is forwarded to an organization that is called an alert originator (AO). A team from the AO receives the initiator alert request and decides whether to issue the alert. If it decides to issue the alert, it then determines the distribution channels for the alert (for example, television, radio, roadside signs, wireless technologies).
If the team decides to issue a wireless emergency alert, an operator from the AO enters the alert message into an alert originating system (AOS), which then formats the message. The AOS forwards the alert message to FEMA systems, which validate and process it. After the FEMA systems process the alert message, they then forward it to cellular service providers (for example, AT&T, Verizon). Finally, the cellular service providers send a text message to recipients with capable devices in the targeted geographic area.
1.5.2 Fly-By-Night Airlines Case Study
Fly-Florida Airlines was a small regional passenger airline serving Florida cities. In late 2013, it merged with two other regional airlines, becoming Fly-By-Night Airlines. It now serves airports throughout the southeastern United States and is headquartered in Orlando, Florida.
At a recent meeting of the executive board of Fly-By-Night Airlines, the board discussed ways to increase business and retain and expand the number of passengers by providing higher-quality service. Also, Fly-By-Night’s chief financial officer shared with the board a report which showed that the company could save substantial labor costs by automating certain services. As a result of this discussion, the chief executive officer of Fly-By-Night decided that a web-based automated airline reservations system (ARS) for Fly-By-Night Airlines should be developed, along with a frequent flyer program.
With the web-based ARS, passengers can make reservations online. A reservation includes the passenger name, flight number, departure date and time, reservation type (first class, business, coach), a seat number, and the price of the ticket. (As designated by DOT Directive 1573, ticket prices may not change more than once in a 12-hour period.) After the system completes the reservation and verifies the credit card information, the customer can print tickets or use an e-ticket. Passengers can also use the ARS to cancel or change completed reservations and check frequent flyer mileage. In addition, anyone can check the status of a flight (on-time, delayed, canceled). An ARS system administrator can enter flight data and ticket information or get a report on reservations for an existing flight. Reports on reservations must be sent, on a daily basis, to the U.S. Department of Homeland Security.
1.5.3 GoFast Automotive Corporation Case Study
GoFast is one of the “big 4” automobile manufacturers in the United States. It produces cars, sedans, vans, SUVs, and pickup trucks. At times it also produces the Tiger sports car. The Tiger was first introduced in 1965 and saw a revival in 2010. Recently, GoFast has been a leader in incorporating self-driving car features and advanced electronics.
The Tiger dashboard is very appealing to those who are interested in high-tech features. It supports all the options that are available to the driver: front and rear window windshield wipers that can be synchronized, sensors that indicate when other cars are close, cameras that allow the driver to “see through” the blind spot, and front and rear cameras to assist in parking and backing up. Naturally, the Tiger has a sophisticated and proprietary entertainment system that gives GoFast a competitive edge compared to other sports car manufacturers.
Software supports many of the Tiger’s systems and some of the systems in GoFast’s other models. Software underlies many safety features (e.g., anti-lock braking), self-driving features, and entertainment and communication systems. GoFast develops much of its own software but also uses contractors.
In addition to its software development organization, GoFast has a specialized software security team that is responsible for activities such as security risk assessment, security requirements and architecture development, and security reviews throughout the software development process. The security team is also responsible for development and maintenance of corporate software security process documents and practices. The security team is permitted to test and perform “ethical hacking” of the completed software prior to release and to advise executive management on whether release should take place.