May 24, 2010—The following technical reports and technical notes were published recently by the Software Engineering Institute. For the latest SEI technical reports and papers see http://www.sei.cmu.edu/library/reportspapers.cfm.
CERT Resilience Management Model, Version 1.0
Richard A. Caralli, Julia H. Allen, Pamela D. Curtis, David W. White, & Lisa R. Young
Organizations in every sector—industry, government, and academia—are facing increasingly complex operational environments and dynamic risk environments. These demands conspire to force organizations to rethink how they manage operational risk and the resilience of critical business processes and services.
The CERT Resilience Management Model (CERT-RMM) is an innovative and transformative way to approach the challenge of managing operational resilience in complex, risk-evolving environments. It is the result of years of research into the ways that organizations manage the security and survivability of the assets that ensure mission success. It incorporates concepts from an established process improvement community to allow organizations to holistically mature their security, business continuity, and IT operations management capabilities and improve predictability and success in sustaining operations whenever disruption occurs.
This report describes the model's key concepts, components, and process area relationships and provides guidance for applying the model to meet process improvement and other objectives. One process area is included in its entirety; the others are presented in outline form. All of the CERT-RMM process areas are available for download at www.cert.org/resilience.
Identifying Anomalous Port-Specific Network Behavior
Increasing trends in traffic volume on specific ports may indicate new interest in a vulnerability associated with that port. This activity can be a precursor to internet-wide attacks. Port-specific behavior can also arise from stealthy applications that migrate to different ports in order to evade firewalls. But detecting this subtle activity among thousands of monitored ports requires careful statistical modeling as well as methods for controlling false positives. The analysis documented in this report is a large-scale application of statistical outlier detection for determining unusual port-specific network behavior. The method uses a robust correlation measure to cluster related ports and to control for the background baseline traffic trend. A scaled, median-corrected process, called a Z-score, is calculated for the hourly volume measurements for each port. The Z-score measures how unusual each port's behavior is in comparison with the rest of the ports in its cluster. The researchers discuss lessons learned from applying the method to the hourly count of incoming flow records for a carrier-class network over a period of three weeks.
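The clustering and scoring pipeline the abstract outlines, as an added illustration that is not the report's own code, data or parameter choices. It assumes Spearman rank correlation as the robust correlation measure, a simple leader clustering with a cut-off of rho >= 0.7, per-port scaling by each port's own median count, a per-hour median across the cluster as the baseline trend, a per-port median correction of the residuals, a cluster-wide scaled MAD as the Z denominator, and |Z| >= 4 as the alert cut-off; the week of hourly counts is constructed, with port 4444 spiking in its last three hours.

```python
"""Robust per-port anomaly scoring over hourly flow counts (added example).

Not the SEI report's code. Assumptions beyond the abstract:
  * Spearman rank correlation is the "robust correlation measure";
  * leader clustering: a port joins the first cluster whose leader it
    correlates with at rho >= RHO_MIN, otherwise it starts a cluster;
  * each port is scaled by its own median count, the cluster baseline is
    the per-hour median across the cluster's scaled series, residuals are
    median-corrected per port, and Z = (r - median) / (1.4826 * MAD) with
    the median and MAD taken over all of the cluster's residuals;
  * |Z| >= Z_ALERT is reported. Constants are chosen for this demo.
"""
import numpy as np

RHO_MIN = 0.7      # assumed clustering cut-off
Z_ALERT = 4.0      # assumed alert cut-off
HOURS = 24 * 7     # one constructed week of hourly counts


def rank(v):
    """Average ranks; tied values share their mean rank."""
    v = np.asarray(v, dtype=float)
    order = np.argsort(v, kind="stable")
    r = np.empty(len(v))
    r[order] = np.arange(len(v), dtype=float)
    for val in np.unique(v):
        idx = np.flatnonzero(v == val)
        r[idx] = r[idx].mean()
    return r


def spearman(x, y):
    """Rank correlation: insensitive to the size of single-hour spikes."""
    return float(np.corrcoef(rank(x), rank(y))[0, 1])


def cluster_ports(counts):
    """Leader clustering on Spearman correlation. counts: {port: 1-D array}."""
    leaders, clusters = [], []
    for port, series in counts.items():
        for leader, members in zip(leaders, clusters):
            if spearman(series, counts[leader]) >= RHO_MIN:
                members.append(port)
                break
        else:
            leaders.append(port)
            clusters.append([port])
    return clusters


def score_cluster(counts, members):
    """Return {(port, hour): Z} for every hour of every member port."""
    if len(members) < 2:            # no peers to compare against: unscorable
        return {}
    scaled = np.array([counts[p] / np.median(counts[p]) for p in members])
    baseline = np.median(scaled, axis=0)              # hourly cluster trend
    resid = scaled - baseline
    resid -= np.median(resid, axis=1, keepdims=True)  # per-port median correction
    med = np.median(resid)
    mad = 1.4826 * np.median(np.abs(resid - med))     # MAD scaled to a sigma
    if mad < 1e-12:                 # identical series: no spread to score against
        return {}
    z = (resid - med) / mad
    return {(p, h): float(z[i, h]) for i, p in enumerate(members)
            for h in range(z.shape[1])}


def find_anomalies(counts, z_alert=Z_ALERT):
    """All (port, hour, Z) with |Z| >= z_alert, across every cluster."""
    alerts = []
    for members in cluster_ports(counts):
        for (port, hour), z in score_cluster(counts, members).items():
            if abs(z) >= z_alert:
                alerts.append((port, hour, round(z, 1)))
    return sorted(alerts)


def constructed_counts():
    """Constructed sample: one week of hourly incoming flow counts per port."""
    h = np.arange(HOURS)
    diurnal = 1 + 0.5 * np.sin(2 * np.pi * h / 24)     # web-like daily cycle
    weekly = 1 + 0.5 * np.sin(2 * np.pi * h / HOURS)   # admin-like weekly cycle
    counts = {
        80:   1000 * diurnal + 10 * np.cos(1.3 * h),
        443:   800 * diurnal + 8 * np.cos(0.7 * h + 1),
        8080:  120 * diurnal + 1.2 * np.sin(2.1 * h),
        22:     50 * weekly + 0.5 * np.cos(0.9 * h),
        3389:   30 * weekly + 0.3 * np.sin(1.7 * h),
        25:     20 + (h * 37) % 11,                    # unrelated to either cycle
        4444:   60 * diurnal + 0.6 * np.cos(1.1 * h),
    }
    counts[4444][-3:] *= 6        # new interest in port 4444 in the last 3 hours
    return counts


if __name__ == "__main__":
    data = constructed_counts()
    print("clusters:", cluster_ports(data))
    for port, hour, z in find_anomalies(data):
        print(f"port {port} hour {hour}: Z={z}")
```

Two behaviours of this design are worth knowing before using it on real flow data. A port with no correlated peers (port 25 above) cannot be scored at all, since the baseline it would be compared against is its own series; such ports need a separate, single-series model. And in a two-port cluster the per-hour median is just the mean of the two series, so a spike on one port shifts the residuals of both and the method cannot say which one changed; larger clusters isolate the offending port because the median ignores a single outlier.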
Evaluating and Mitigating Software Supply Chain Security Risks
Robert J. Ellison, John B. Goodenough, Charles B. Weinstock, & Carol Woody
The Department of Defense (DoD) is concerned that security vulnerabilities could be inserted into software that has been developed outside of the DoD's supervision or control. This report presents an initial analysis of how to evaluate and mitigate the risk that such unauthorized insertions have been made. The analysis is structured in terms of actions that should be taken in each phase of the DoD acquisition life cycle.
Managing Variation in Services in a Software Product Line Context
Sholom Cohen & Robert Krut
Software product line (SPL) and service-oriented architecture (SOA) approaches both enable an organization to reuse existing assets and capabilities rather than repeatedly redeveloping them for new systems. Organizations can capitalize on such reuse in software-reliant systems to achieve business goals such as productivity gains, decreased development costs, improved time to market, increased reliability, increased agility, and competitive advantage. Both approaches accommodate variation in the software that is being reused or in the way it is employed. Meeting business goals through a product line or a set of service-oriented systems requires managing the variation of assets, including services. This report examines combining existing SOA and software product line approaches for variation management. This examination has two objectives: 1) for service-oriented systems development, to present an approach for managing variation by identifying and designing services explicitly targeted at multiple service-oriented systems; 2) for SPL systems, to present an approach for managing variation in which services are a mechanism for variation within a product line or for expanding the product line scope.