
Cyber Security Engineering A Practical Approach for Systems and Software Assurance PDF

331 Pages·2016·12.814 MB·English

Preview Cyber Security Engineering A Practical Approach for Systems and Software Assurance

About This E-Book

EPUB is an open, industry-standard format for e-books. However, support for EPUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturer’s Web site.

Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the e-book in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app.

Cyber Security Engineering
A Practical Approach for Systems and Software Assurance

Nancy R. Mead
Carol C. Woody

Boston • Columbus • Indianapolis • New York • San Francisco • Amsterdam • Cape Town • Dubai • London • Madrid • Milan • Munich • Paris • Montreal • Toronto • Delhi • Mexico City • São Paulo • Sydney • Hong Kong • Seoul • Singapore • Taipei • Tokyo

The SEI Series in Software Engineering

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

CMM, CMMI, Capability Maturity Model, Capability Maturity Modeling, Carnegie Mellon, CERT, and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

ATAM; Architecture Tradeoff Analysis Method; CMM Integration; COTS Usage-Risk Evaluation; CURE; EPIC; Evolutionary Process for Integrating COTS Based Systems; Framework for Software Product Line Practice; IDEAL; Interim Profile; OAR; OCTAVE; Operationally Critical Threat, Asset, and Vulnerability Evaluation; Options Analysis for Reengineering; Personal Software Process; PLTP; Product Line Technical Probe; PSP; SCAMPI; SCAMPI Lead Appraiser; SCAMPI Lead Assessor; SCE; SEI; SEPG; Team Software Process; and TSP are service marks of Carnegie Mellon University.

Special permission to reproduce portions of Mission Risk Diagnostic (MRD) Method Description, Common Elements of Risk, Software Assurance Curriculum Project, Vol 1, Software Assurance Competency Model, and Predicting Software Assurance Using Quality and Reliability Measures © 2012, 2006, 2010, 2013, and 2014 by Carnegie Mellon University, in this book is granted by the Software Engineering Institute.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419.

For government sales inquiries, please contact [email protected]. For questions about sales outside the U.S., please contact [email protected].
Visit us on the Web: informit.com/aw

Library of Congress Control Number: 2016952029

Copyright © 2017 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearsoned.com/permissions/.

ISBN-13: 978-0-134-18980-2
ISBN-10: 0-134-18980-9

Text printed in the United States on recycled paper at RR Donnelley in Crawfordsville, Indiana.

First printing: November 2016

Praise for Cyber Security Engineering

“This book presents a wealth of extremely useful material and makes it available from a single source.”
—Nadya Bartol, Vice President of Industry Affairs and Cybersecurity Strategist, Utilities Technology Council

“Drawing from more than 20 years of applied research and use, CSE serves as both a comprehensive reference and a practical guide for developing assured, secure systems and software—addressing the full lifecycle; manager and practitioner perspectives; and people, process, and technology dimensions.”
—Julia Allen, Principal Researcher, Software Engineering Institute

For my husband Woody—he was my mentor, sounding board, and best friend
—Nancy

With thanks to my husband Robert for his constant love and support and in memory of my parents who taught me the value of hard work and the constant pursuit of knowledge
—Carol

Contents at a Glance

Foreword
Preface
Chapter 1: Cyber Security Engineering: Lifecycle Assurance of Systems and Software
Chapter 2: Risk Analysis—Identifying and Prioritizing Needs
Chapter 3: Secure Software Development Management and Organizational Models
Chapter 4: Engineering Competencies
Chapter 5: Performing Gap Analysis
Chapter 6: Metrics
Chapter 7: Special Topics in Cyber Security Engineering
Chapter 8: Summary and Plan for Improvements in Cyber Security Engineering Performance
References
Bibliography
Appendix A: WEA Case Study: Evaluating Security Risks Using Mission Threads
Appendix B: The MSwA Body of Knowledge with Maturity Levels Added
Appendix C: The Software Assurance Curriculum Project
Appendix D: The Software Assurance Competency Model Designations
Appendix E: Proposed SwA Competency Mappings
Appendix F: BSIMM Assessment Final Report
Appendix G: Measures from Lifecycle Activities, Security Resources, and Software Assurance Principles
Index

Register your copy of Cyber Security Engineering at informit.com for convenient access to downloads, updates, and corrections as they become available. To start the registration process, go to informit.com/register and log in or create an account. Enter the product ISBN 9780134189802 and click Submit. Once the process is complete, you will find any available bonus content under “Registered Products.”

Contents

Foreword
Preface

Chapter 1: Cyber Security Engineering: Lifecycle Assurance of Systems and Software
1.1 Introduction
1.2 What Do We Mean by Lifecycle Assurance?
1.3 Introducing Principles for Software Assurance
1.4 Addressing Lifecycle Assurance
1.5 Case Studies Used in This Book
1.5.1 Wireless Emergency Alerts Case Study
1.5.2 Fly-By-Night Airlines Case Study
1.5.3 GoFast Automotive Corporation Case Study

Chapter 2: Risk Analysis—Identifying and Prioritizing Needs
2.1 Risk Management Concepts
2.2 Mission Risk
2.3 Mission Risk Analysis
2.3.1 Task 1: Identify the Mission and Objective(s)
2.3.2 Task 2: Identify Drivers
2.3.3 Task 3: Analyze Drivers
2.4 Security Risk
2.5 Security Risk Analysis
2.6 Operational Risk Analysis—Comparing Planned to Actual
2.7 Summary

Chapter 3: Secure Software Development Management and Organizational Models
3.1 The Management Dilemma
3.1.1 Background on Assured Systems
3.2 Process Models for Software Development and Acquisition
3.2.1 CMMI Models in General
3.2.2 CMMI for Development (CMMI-DEV)
3.2.3 CMMI for Acquisition (CMMI-ACQ)
3.2.4 CMMI for Services (CMMI-SVC)
3.2.5 CMMI Process Model Uses
3.3 Software Security Frameworks, Models, and Roadmaps
3.3.1 Building Security In Maturity Model (BSIMM)
3.3.2 CMMI Assurance Process Reference Model
3.3.3 Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)
3.3.4 DHS SwA Measurement Work
3.3.5 Microsoft Security Development Lifecycle (SDL)
3.3.6 SEI Framework for Building Assured Systems
3.3.7 SEI Research in Relation to the Microsoft SDL
3.3.8 CERT Resilience Management Model Resilient Technical Solution Engineering Process Area
3.3.9 International Process Research Consortium (IPRC) Roadmap
3.3.10 NIST Cyber Security Framework
3.3.11 Uses of Software Security Frameworks, Models, and Roadmaps
3.4 Summary

Chapter 4: Engineering Competencies
4.1 Security Competency and the Software Engineering Profession
4.2 Software Assurance Competency Models
4.3 The DHS Competency Model
4.3.1 Purpose
4.3.2 Organization of Competency Areas
4.3.3 SwA Competency Levels
4.3.4 Behavioral Indicators
4.3.5 National Initiative for Cybersecurity Education (NICE)
4.4 The SEI Software Assurance Competency Model
4.4.1 Model Features
4.4.2 SwA Knowledge, Skills, and Effectiveness
4.4.3 Competency Designations
4.4.4 A Path to Increased Capability and Advancement
4.4.5 Examples of the Model in Practice
4.4.6 Highlights of the SEI Software Assurance Competency Model
4.5 Summary

Chapter 5: Performing Gap Analysis
5.1 Introduction
5.2 Using the SEI’s SwA Competency Model
5.3 Using the BSIMM
5.3.1 BSIMM Background
5.3.2 BSIMM Sample Report
