Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

Book Description

Cyber Security Engineering is the definitive modern reference and tutorial on the full range of capabilities associated with modern cyber security engineering. Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody bring together comprehensive best practices for building software systems that exhibit superior operational security, and for considering security throughout your full system development and acquisition lifecycles.

Drawing on their work at the Software Engineering Institute (SEI) and Carnegie Mellon University, Mead and Woody introduce seven core principles of software assurance and show how to apply them coherently and systematically. Using these principles, they help you prioritize the wide range of possible security actions available to you and justify the required investments.

Cyber Security Engineering guides you through risk analysis, planning to manage secure software development, building organizational models, identifying required and missing competencies, and defining and structuring metrics. Mead and Woody address important topics, including the use of standards, engineering security requirements for acquiring COTS software, applying DevOps, analyzing malware to anticipate future vulnerabilities, and planning ongoing improvements.

This book will be valuable to a wide audience of practitioners and managers with responsibility for systems, software, or quality engineering, reliability, security, acquisition, or operations. Whatever your role, it can help you reduce operational problems, eliminate excessive patching, and deliver software that is more resilient and secure.

Table of Contents

  1. About This E-Book
  2. Title Page
  3. Copyright Page
  4. Dedication Page
  5. Contents at a Glance
  6. Contents
  7. Acknowledgments
  8. About the Authors
  9. Foreword
  10. Preface
    1. The Goals and Purpose for This Book
    2. Audience for This Book
    3. Organization and Content
    4. Additional Content
  11. Chapter 1. Cyber Security Engineering: Lifecycle Assurance of Systems and Software
    1. 1.1 Introduction
    2. 1.2 What Do We Mean by Lifecycle Assurance?
    3. 1.3 Introducing Principles for Software Assurance
    4. 1.4 Addressing Lifecycle Assurance
    5. 1.5 Case Studies Used in This Book
      1. 1.5.1 Wireless Emergency Alerts Case Study
      2. 1.5.2 Fly-By-Night Airlines Case Study
      3. 1.5.3 GoFast Automotive Corporation Case Study
  12. Chapter 2. Risk Analysis—Identifying and Prioritizing Needs
    1. 2.1 Risk Management Concepts
    2. 2.2 Mission Risk
    3. 2.3 Mission Risk Analysis
      1. 2.3.1 Task 1: Identify the Mission and Objective(s)
      2. 2.3.2 Task 2: Identify Drivers
      3. 2.3.3 Task 3: Analyze Drivers
    4. 2.4 Security Risk
    5. 2.5 Security Risk Analysis
    6. 2.6 Operational Risk Analysis—Comparing Planned to Actual
    7. 2.7 Summary
  13. Chapter 3. Secure Software Development Management and Organizational Models
    1. 3.1 The Management Dilemma
      1. 3.1.1 Background on Assured Systems
    2. 3.2 Process Models for Software Development and Acquisition
      1. 3.2.1 CMMI Models in General
      2. 3.2.2 CMMI for Development (CMMI-DEV)
      3. 3.2.3 CMMI for Acquisition (CMMI-ACQ)
      4. 3.2.4 CMMI for Services (CMMI-SVC)
      5. 3.2.5 CMMI Process Model Uses
    3. 3.3 Software Security Frameworks, Models, and Roadmaps
      1. 3.3.1 Building Security In Maturity Model (BSIMM)
      2. 3.3.2 CMMI Assurance Process Reference Model
      3. 3.3.3 Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)
      4. 3.3.4 DHS SwA Measurement Work
      5. 3.3.5 Microsoft Security Development Lifecycle (SDL)
      6. 3.3.6 SEI Framework for Building Assured Systems
      7. 3.3.7 SEI Research in Relation to the Microsoft SDL
      8. 3.3.8 CERT Resilience Management Model Resilient Technical Solution Engineering Process Area
      9. 3.3.9 International Process Research Consortium (IPRC) Roadmap
      10. 3.3.10 NIST Cyber Security Framework
      11. 3.3.11 Uses of Software Security Frameworks, Models, and Roadmaps
    4. 3.4 Summary
  14. Chapter 4. Engineering Competencies
    1. 4.1 Security Competency and the Software Engineering Profession
    2. 4.2 Software Assurance Competency Models
    3. 4.3 The DHS Competency Model
      1. 4.3.1 Purpose
      2. 4.3.2 Organization of Competency Areas
      3. 4.3.3 SwA Competency Levels
      4. 4.3.4 Behavioral Indicators
      5. 4.3.5 National Initiative for Cybersecurity Education (NICE)
    4. 4.4 The SEI Software Assurance Competency Model
      1. 4.4.1 Model Features
      2. 4.4.2 SwA Knowledge, Skills, and Effectiveness
      3. 4.4.3 Competency Designations
      4. 4.4.4 A Path to Increased Capability and Advancement
      5. 4.4.5 Examples of the Model in Practice
      6. 4.4.6 Highlights of the SEI Software Assurance Competency Model
    5. 4.5 Summary
  15. Chapter 5. Performing Gap Analysis
    1. 5.1 Introduction
    2. 5.2 Using the SEI’s SwA Competency Model
    3. 5.3 Using the BSIMM
      1. 5.3.1 BSIMM Background
      2. 5.3.2 BSIMM Sample Report
    4. 5.4 Summary
  16. Chapter 6. Metrics
    1. 6.1 How to Define and Structure Metrics to Manage Cyber Security Engineering
      1. 6.1.1 What Constitutes a Good Metric?
      2. 6.1.2 Metrics for Cyber Security Engineering
      3. 6.1.3 Models for Measurement
    2. 6.2 Ways to Gather Evidence for Cyber Security Evaluation
      1. 6.2.1 Process Evidence
      2. 6.2.2 Evidence from Standards
      3. 6.2.3 Measurement Management
  17. Chapter 7. Special Topics in Cyber Security Engineering
    1. 7.1 Introduction
    2. 7.2 Security: Not Just a Technical Issue
      1. 7.2.1 Introduction
      2. 7.2.2 Two Examples of Security Governance
      3. 7.2.3 Conclusion
    3. 7.3 Cyber Security Standards
      1. 7.3.1 The Need for More Cyber Security Standards
      2. 7.3.2 A More Optimistic View of Cyber Security Standards
    4. 7.4 Security Requirements Engineering for Acquisition
      1. 7.4.1 SQUARE for New Development
      2. 7.4.2 SQUARE for Acquisition
      3. 7.4.3 Summary
    5. 7.5 Operational Competencies (DevOps)
      1. 7.5.1 What Is DevOps?
      2. 7.5.2 DevOps Practices That Contribute to Improving Software Assurance
      3. 7.5.3 DevOpsSec Competencies
    6. 7.6 Using Malware Analysis
      1. 7.6.1 Code and Design Flaw Vulnerabilities
      2. 7.6.2 Malware-Analysis–Driven Use Cases
      3. 7.6.3 Current Status and Future Research
    7. 7.7 Summary
  18. Chapter 8. Summary and Plan for Improvements in Cyber Security Engineering Performance
    1. 8.1 Introduction
    2. 8.2 Getting Started on an Improvement Plan
    3. 8.3 Summary
  19. References
  20. Bibliography
  21. Appendix A. WEA Case Study: Evaluating Security Risks Using Mission Threads
    1. Importance of Systems of Systems
    2. WEA Mission Thread Example
    3. WEA Security Analysis
    4. Conclusion
    5. References
  22. Appendix B. The MSwA Body of Knowledge with Maturity Levels Added
    1. References
  23. Appendix C. The Software Assurance Curriculum Project
  24. Appendix D. The Software Assurance Competency Model Designations
  25. Appendix E. Proposed SwA Competency Mappings
    1. References
  26. Appendix F. BSIMM Assessment Final Report
    1. Table of Contents
    2. List of Figures
    3. Preface
      1. Purpose
      2. Audience
      3. Contacts
    4. 1 Executive Summary
    5. 2 Data Gathering
    6. 3 High-Water Mark
    7. 4 BSIMM Practices
    8. 5 BSIMM Scorecard
    9. 6 Comparison within Vertical
    10. 7 Conclusion
    11. Appendix A: BSIMM Background
    12. Appendix B: BSIMM Activities
    13. About Cigital
  27. Appendix G. Measures from Lifecycle Activities, Security Resources, and Software Assurance Principles
    1. References
  28. Index