
Building Security into Application Lifecycles

Created September 2018


The goal of Cybersecurity Engineering (CSE) is to ensure that the software you develop or acquire operates as you expect it to. To achieve this goal, CSE integrates methods, processes, and practices into the acquisition and development lifecycle so that the resulting systems, software components, and their compositions address software assurance, information assurance, supply chain risk management, and related concerns.

We offer training and capabilities that support the definition, measurement, and management of software risk for complex networked systems, and systems of systems, so that program managers, engineers, developers, testers, and other groups can plan for current and future software acquisition and development, validate and sustain systems and software, and deliver the operational results your organization expects of its software.


Security Threats Grow as Software Evolves

Today, with the speed at which practices change, software development and use can seem as much art as science. As software tools become more widely available, there is greater opportunity to write software, but also to tamper with existing systems. Software is now widely shared, and new approaches for reducing development cost and speeding delivery keep expanding. As organizations rely on this evolving technology, patterns of operational failure, misuse, and abuse emerge more frequently and from a variety of sources, including supply chains and weak internal practices during software acquisition or development. These problems are of special concern for the software that runs critical infrastructure, monitors and manages our money, or controls our buildings and transportation, to name just a few examples.

Software misuse occurs when attackers find vulnerabilities that make software do what its designers and developers did not intend. Many organizations have struggled to build practices that discover these vulnerabilities before attackers do, let alone to manage the growing threats that stem from weak acquisition and legacy practices and from weak third-party and supply chain risk management (SCRM) practices.

Given these challenges, how can organizations best build a workforce that applies effective cybersecurity and SCRM practices in the development-, acquisition-, and supply chain-related jobs that already exist? What are the best strategies for improving standards, processes, practices, and tools for cybersecurity and supply chain management, and which strategies should be avoided? Who should establish cybersecurity and SCRM requirements, and what should those people know? In each of these areas, how can we measure success and monitor for problems?

Cybersecurity Engineering Solutions for Practitioners, Vendors, and Educators

The Software Engineering Institute's CSE team draws on SEI expertise in system and software engineering, risk management, program management, measurement, and cybersecurity to create methods and solutions that your organization can integrate into its existing acquisition and development lifecycle practices. Increasingly, we find that we must change how we build and buy technology by engineering security into the lifecycle of applications, from the early stages of development or acquisition through validation and sustainment.

To these ends, CSE offers tools and approaches to help the engineering, development, acquisition, and sustainment groups that work in or with your organization. For example, the Security Quality Requirements Engineering (SQUARE) tool helps organizations define quality requirements that include adequate security requirements for development. It can also help your organization's stakeholders and requirements engineers review a vendor's software requirements during acquisition, and it can help contractors and vendors better prepare their software for integration. We have also developed Security Engineering Risk Analysis (SERA), an approach that helps organizations detect and remediate design weaknesses early in the development or acquisition process. We also offer the Software Assurance Framework (SAF), a set of practices you can use to evaluate and improve your cybersecurity.

Based on engagements with the DoD and other federal agencies to address real-world challenges, CSE researchers continue to expand the options available to practitioners. We are currently developing a method for measuring software assurance. You can refer to the Threat Modeling White Paper to identify the current options that best meet your specific needs.

In addition, CSE can support colleges and universities as they prepare students to understand the growing threat environment. We provide materials that educational institutions can use to develop curricula and course offerings, and to prepare the future workforce to address cybersecurity and SCRM.

Learn More

Prototype Software Assurance Framework (SAF): Introduction and Overview
April 06, 2017, Technical Note
Christopher J. Alberts, Carol Woody, PhD

In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.

Cyber Security Engineering: A Practical Approach for Systems and Software Assurance
November 15, 2016, Book
Nancy R. Mead, Carol Woody, PhD

Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody present the latest practical knowledge and case studies.

Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines
June 09, 2016, Special Report
Christopher J. Alberts, Audrey J. Dorofee, Carol Woody, PhD

This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.

Predicting Software Assurance Using Quality and Reliability Measures
December 22, 2014, Technical Note
Carol Woody, Robert J. Ellison, William Nichols

In this report, the authors discuss how a combination of software development and quality techniques can improve software security.

Introduction to the Security Engineering Risk Analysis (SERA) Framework
December 04, 2014, Technical Note
Christopher J. Alberts, Carol Woody, Audrey J. Dorofee

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

Software Assurance Measurement – State of the Practice
November 29, 2013, Technical Note
Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.

Principles and Measurement Models for Software Assurance
January 01, 2013, Book Chapter
Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.

DoD Information Assurance and Agile: Challenges and Recommendations Gathered Through Interviews with Agile Program Managers and DoD Accreditation Reviewers
November 01, 2012, Technical Note
Stephany Bellomo, Carol Woody

This paper discusses the natural tension between rapid fielding and response to change (characterized as agility) and DoD information assurance policy. Data for the paper was gathered through interviews with DoD project managers and IA representatives.

Software Supply Chain Risk Management: From Products to Systems of Systems
December 01, 2010, Technical Note
Robert J. Ellison, Christopher J. Alberts, Rita C. Creel

In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.

Evaluating and Mitigating Software Supply Chain Security Risks
May 01, 2010, Technical Note
Robert J. Ellison, John B. Goodenough, Charles B. Weinstock

In this 2010 report, the authors identify software supply chain security risks and specify evidence to gather to determine if these risks have been mitigated.