System Assurance

Book Description

In this day of frequent acquisitions and perpetual application integrations, systems are often an amalgamation of multiple programming languages and runtime platforms using new and legacy content. Systems of such mixed origins are increasingly vulnerable to defects and subversion.

System Assurance: Beyond Detecting Vulnerabilities addresses these critical issues. As a practical resource for security analysts and engineers tasked with system assurance, the book teaches you how to use the Object Management Group’s (OMG) expertise and unique standards to obtain accurate knowledge about your existing software and compose objective metrics for system assurance. OMG’s Assurance Ecosystem provides a common framework for discovering, integrating, analyzing, and distributing facts about your existing enterprise software. Its foundation is the standard protocol for exchanging system facts, defined as the OMG Knowledge Discovery Metamodel (KDM). In addition, the Semantics of Business Vocabularies and Business Rules (SBVR) defines a standard protocol for exchanging security policy rules and assurance patterns. Using these standards together, you will learn how to leverage the knowledge of the cybersecurity community and bring automation to protect your system.



  • Provides an end-to-end methodology for systematic, repeatable, and affordable System Assurance.
  • Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture, and code analysis guided by the assurance argument.
  • Presents a case study illustrating the steps of the System Assurance Methodology using automated tools.

Table of Contents

  1. Cover Image
  2. Table of Contents
  3. Front matter
  4. Copyright
  5. Dedication
  6. Foreword
  7. Preface
  8. Chapter 1. Why hackers know more about our systems
  9. 1.1. Operating in cyberspace involves risks
  10. 1.2. Why hackers are repeatedly successful
  11. 1.3. What are the challenges in defending cybersystems?
  12. 1.4. Where do we go from here?
  13. 1.5. Who should read this book?
  14. Chapter 2. Confidence as a product
  15. 2.1. Are you confident that there is no black cat in the dark room?
  16. 2.2. The nature of assurance
  17. 2.3. Overview of the assurance process
  18. Chapter 3. How to build confidence
  19. 3.1. Assurance in the system life cycle
  20. 3.2. Activities of system assurance process
  21. Chapter 4. Knowledge of system as an element of cybersecurity argument
  22. 4.1. What is system?
  23. 4.2. Boundaries of the system
  24. 4.3. Resolution of the system description
  25. 4.4. Conceptual commitment for system descriptions
  26. 4.5. System architecture
  27. 4.6. Example of an architecture framework
  28. 4.7. Elements of a system
  29. 4.8. System knowledge involves multiple viewpoints
  30. 4.9. Concept of operations (CONOP)
  31. 4.10. Network configuration
  32. 4.11. System life cycle and assurance
  33. Chapter 5. Knowledge of risk as an element of cybersecurity argument
  34. 5.1. Introduction
  35. 5.2. Basic cybersecurity elements
  36. 5.3. Common vocabulary for threat identification
  37. 5.4. Systematic threat identification
  38. 5.5. Assurance strategies
  39. 5.6. Assurance of the threat identification
  40. Chapter 6. Knowledge of vulnerabilities as an element of cybersecurity argument
  41. 6.1. Vulnerability as a unit of Knowledge
  42. 6.2. Vulnerability databases
  43. 6.3. Vulnerability life cycle
  44. 6.4. NIST Security Content Automation Protocol (SCAP) Ecosystem
  45. Chapter 7. Vulnerability patterns as a new assurance content
  46. Keywords
  47. 7.1. Beyond current SCAP ecosystem
  48. 7.2. Vendor-neutral vulnerability patterns
  49. 7.3. Software fault patterns
  50. 7.4. Example software fault pattern
  51. Chapter 8. OMG software assurance ecosystem
  52. 8.1. Introduction
  53. 8.2. OMG assurance ecosystem: toward collaborative cybersecurity
  54. Chapter 9. Common fact model for assurance content
  55. 9.1. Assurance content
  56. 9.2. The objectives
  57. 9.3. Design criteria for information exchange protocols
  58. 9.4. Trade-offs
  59. 9.5. Information exchange protocols
  60. 9.6. The nuts and bolts of fact models
  61. 9.7. The representation of facts
  62. 9.8. The common schema
  63. 9.9. System assurance facts
  64. Chapter 10. Linguistic models
  65. 10.1. Fact models and linguistic models
  66. 10.2. Background
  67. 10.3. Overview of SBVR
  68. 10.4. How to use SBVR
  69. 10.5. SBVR vocabulary for describing elementary meanings
  70. 10.6. SBVR vocabulary for describing representations
  71. 10.7. SBVR vocabulary for describing extensions
  72. 10.8. Reference schemes
  73. 10.9. SBVR semantic formulations
  74. Chapter 11. Standard protocol for exchanging system facts
  75. 11.1. Background
  76. 11.2. Organization of the KDM Vocabulary
  77. 11.3. The Process of Discovering System Facts
  78. 11.4. Discovering the Baseline System Facts
  79. 11.5. Performing Architecture Analysis
  80. Chapter 12. Case study
  81. 12.1. Introduction
  82. 12.2. Background
  83. 12.3. Concepts of operations
  84. 12.4. Business vocabulary and security policy for Clicks2Bricks in SBVR
  85. 12.5. Building the integrated system model
  86. 12.6. Mapping cybersecurity facts to system facts
  87. 12.7. Assurance case
  88. Index