Cybersecurity engineering (CSE) research builds knowledge and capabilities that enhance acquisition and development lifecycle methods, processes, and practices. CSE reduces security weaknesses and ensures that resulting systems, software components, and compositions address software assurance, information assurance, supply chain risk management, and more.
As organizations capitalize on the opportunities for shared resources and capabilities to improve cost efficiencies and scheduling, they must address the increased cybersecurity risk that these opportunities introduce. Third-party tools and cloud capacity, for example, provide major benefits for organizations, such as quick setup and flexibility. However, these resources are built and controlled by external parties with limited understanding of the impact of security choices. As a result, patterns of operational failure, misuse, and abuse can emerge from a variety of sources, including supply chains as well as weak internal practices in software acquisition or development.
Attackers need three key elements to successfully carry out an attack: they need software to have a vulnerability, they must have access to it, and they must have the capability to exploit it. The first two elements can be directly controlled by good decisions during the acquisition and development process, and the field of cybersecurity engineering aims to ensure that the process is secure from the outset. For these reasons, mission success depends on making sure that stakeholders in the acquisition and development process make good choices.
Many organizations, however, struggle to implement effective and repeatable practices that can respond to changing technology needs, discover vulnerabilities before attackers do, and manage the growing threats stemming from weak acquisition and legacy practices, as well as from third-party or supply chain risk management (SCRM) practices. These problems are of special concern when it comes to the software products that support critical infrastructure, monitor and manage our money, or control our buildings and transportation, to name just a few examples.
Building Security into Application Lifecycles
The goal of cybersecurity engineering is to ensure that the software you develop or acquire delivers the functionality you expect of it and does not allow actions that might introduce risk. To achieve this goal, the SEI helps prepare managers, engineers, developers, testers, and other groups involved in lifecycle tasks to build and field effective cybersecurity in current and future software acquisition and development, validate and sustain cybersecurity in systems and software, and deliver the mission impact your organization expects of its software.
The SEI’s CSE team leverages expertise in system and software engineering, risk management, program management, measurement, and cybersecurity to create methods and solutions that your organization can integrate into its existing acquisition and development lifecycle practices. To these ends, the SEI offers many tools and approaches to help engineering, development, acquisition, and sustainment groups that work in or with your organization. These tools include
- the Security Quality Requirements Engineering (SQUARE) tool, which helps define quality requirements that include sufficient security for development and supports stakeholders’ review of software requirements to ensure vendors properly prepare their software for integration
- the Security Engineering Risk Analysis (SERA) approach, which helps organizations detect and remediate design weaknesses early in the development or acquisition process
- the Software Assurance Framework (SAF), a set of practices you can use to evaluate and improve your cybersecurity
The SEI continues to expand CSE research through engagements with the DoD and other federal agencies to address real-world challenges. Over the years, we have shared our findings in many notable publications, including a book on cybersecurity, a paper on assessing DoD risk in acquisition, and a program manager’s guidebook for software assurance.
In addition, the SEI can support colleges and universities as they strive to prepare students to understand the growing threat environment. We provide materials that educational institutions can use to develop curricula and course offerings, and to prepare the future workforce for addressing cybersecurity and SCRM.
What We Offer
CERT Cybersecurity Engineering and Software Assurance Professional Certificate
This program explores software-reliant systems engineering and acquisition activities to help information systems professionals improve their awareness of cybersecurity and establish an approach to identifying security requirements.
Security Requirements Engineering Using the SQUARE Method
This workshop provides an overview of security requirements engineering and covers the steps used in the SQUARE methodology in detail.
Expert support for establishing cybersecurity engineering practices
Contact us to work with experts who can help you establish sound cybersecurity engineering practices.
Software assurance curricula for graduate and undergraduate programs
You can incorporate these free curricula into existing education programs or use them to develop new courses. These curricula include materials for undergraduate and graduate programs as well as other materials for educators.
CERT SQUARE for Acquisition (A-SQUARE)
A-SQUARE is designed for stakeholders, requirements engineers, and contractors/vendors to use in acquisitions and provides documentation support for a variety of use cases.
CERT SQUARE for Privacy (P-SQUARE)
P-SQUARE was designed for stakeholders, requirements engineers, and administrators and supports the security and privacy aspects of SQUARE.
Introduction to the Security Engineering Risk Analysis (SERA) Framework
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
Prototype Software Assurance Framework (SAF): Introduction and Overview
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
What Is Cybersecurity Engineering and Why Do I Need It?
This webinar addresses how cybersecurity engineering knowledge, methods, and tools can reduce cyber risk and increase operational cyber resilience of software-intensive systems.
The Latest from the SEI Blog
8 Areas of Future Research in Zero Trust
April 24, 2023 • Blog Post
Matthew Nicolai, Trista Polaski, Timothy Morrow
The National Cybersecurity Strategy was released on March 1st, 2023 to improve federal cybersecurity through the implementation of a zero trust...
Security Analytics: Using SiLK and Mothra to Identify Data Exfiltration via the Domain Name Service
April 03, 2023 • Blog Post
This post explores how the DNS protocol can be abused to exfiltrate data by adding bytes of data onto DNS...
Our Vision for the Future of Cybersecurity Engineering
SEI researchers continue to expand available CSE options for use by practitioners. We are currently developing archetypes to support organizations in identifying cybersecurity risks and tailoring them for improved evaluation of mission impact.
To collaborate on these new projects in the field of cybersecurity engineering, contact us.