Building Security into Application Lifecycles
Created September 2018
The goal of Cybersecurity Engineering (CSE) is to ensure that the software you develop or acquire operates as you expect it to. To achieve this goal, CSE integrates different methods, processes, and practices into the acquisition and development lifecycle to ensure resulting systems and software components and compositions address software assurance, information assurance, supply chain risk management, and more.
We offer training and capabilities that support the definition, measurement, and management of software risk for complex networked systems, and systems of systems, so that program managers, engineers, developers, testers, and other groups can plan for current and future software acquisition and development, validate and sustain systems and software, and deliver the operational results your organization expects of its software.
Security Threats Grow as Software Evolves
Today, with the speed at which practices are changing, software development and use can often seem to be as much of an art as they are a science. As software tools become more broadly available, there is greater opportunity to write software, but also to tamper with existing systems. Also, software is now widely shared, and new approaches for reducing the cost of development and increasing the speed of delivery are constantly growing and expanding. As organizations rely on this evolving technology, patterns of operational failure, misuse, and abuse emerge with more frequency from a variety of sources, including from supply chains, as well as from weak internal practices during software acquisition or development. These problems are of especial concern when it comes to the software products that run critical infrastructure, monitor and manage our money, or control our buildings and transportation, to name just a few examples.
Cases of software misuse occur when attackers find vulnerabilities that make software do what designers and developers did not expect it to. Many organizations have struggled to build effective practices that can discover these unexpected vulnerabilities before attackers do, let alone manage the growing threats stemming from weak acquisition and legacy, as well as from third party or supply chain management (SCRM) practices.
With all of these challenges, how can organizations best build their workforce to apply effective cyber security and SCRM practices for development-, acquisition-, and supply chain-related jobs that already exist? What are the best strategies for improving standards, processes, practices, and tools for cybersecurity and supply chain management, and what strategies are best to avoid? Who should establish cybersecurity and SCRM requirements and what should those people know? In each of these areas, how can we measure success and monitor for problems?
Cybersecurity Engineering Solutions for Practitioners, Vendors, and Educators
The Software Engineering Institute’s CSE team leverages SEI expertise in system and software engineering, risk management, program management, measurement, and cybersecurity to create methods and solutions that your organization can integrate into its existing acquisition and development lifecycle practices. Increasingly, we find that we must change how we build and buy technology by engineering security itself into the lifecycle of applications, including during the early stages in development or acquisition, as well as during validation and sustainment.
To these ends, the CSE offers many tools and approaches to help engineering, development, acquisition, and sustainment groups that work in or with your organization. For example, the Security Quality Requirements Engineering (SQUARE) tool helps organizations define quality requirements that include sufficient security for development. This tool can also help your organization’s stakeholders and requirement engineers review a vendor’s software requirements during acquisition, and it can help contractors or vendors better prepare their software for integration. We have also developed an approach called Security Engineering Risk Analysis (SERA) to help organizations detect and remediate design weaknesses early in the development or acquisition process. We also offer the Software Assurance Framework (SAF), a set of practices you can use to evaluate and improve your cybersecurity.
Based on engagements with the DoD and other federal agencies to address real-world challenges, CSE researchers continue to expand available options for use by practitioners. We are currently developing a method to measure software assurance. You can refer to the Threat Modeling White Paper to identify the best current options to meet your specific needs.
In addition, CSE can support colleges and universities as they strive to prepare students to understand the growing threat environment. We provide materials that educational institutions can use to develop curricula and course offerings, and to prepare the future workforce for addressing cybersecurity and SCRM.
Learn More

Prototype Software Assurance Framework (SAF): Introduction and Overview
April 06, 2017 Technical Note
Christopher J. AlbertsCarol Woody, PhD
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
read
Cyber Security Engineering: A Practical Approach for Systems and Software Assurance
November 15, 2016 Book
Nancy R. MeadCarol Woody, PhD
Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody present the latest practical knowledge and case studies.
read
Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines
June 09, 2016 Special Report
Christopher J. AlbertsAudrey J. DorofeeCarol Woody, PhD
This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.
read
Predicting Software Assurance Using Quality and Reliability Measures
December 22, 2014 Technical Note
Carol WoodyRobert J. EllisonWilliam Nichols
In this report, the authors discuss how a combination of software development and quality techniques can improve software security.
read
Introduction to the Security Engineering Risk Analysis (SERA) Framework
December 04, 2014 Technical Note
Christopher J. AlbertsCarol WoodyAudrey J. Dorofee
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
read
Software Assurance Measurement – State of the Practice
November 29, 2013 Technical Note
Dan Shoemaker (University of Detroit Mercy)Nancy R. Mead
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.
read
Principles and Measurement Models for Software Assurance
January 01, 2013 Book Chapter
Nancy R. MeadDan Shoemaker (University of Detroit Mercy)Carol Woody
In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.
read
DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers
November 01, 2012 Technical Note
Stephany BellomoCarol Woody
This paper discusses the natural tension between rapid fielding and response to change (characterized as agility) and DoD information assurance policy. Data for the paper was gathered through interviews with DoD project managers and IA representatives.
read
Software Supply Chain Risk Management: From Products to Systems of Systems
December 01, 2010 Technical Note
Robert J. EllisonChristopher J. AlbertsRita C. Creel
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.
read
Evaluating and Mitigating Software Supply Chain Security Risks
May 01, 2010 Technical Note
Robert J. EllisonJohn B. GoodenoughCharles B. Weinstock
In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.
read