book

Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

Name: Cyber Security Engineering: A Practical Approach for Systems and Software Assurance
ISBN: 9780134189857

by Nancy R. Mead, Carol C. Woody

October 2016

Intermediate to advanced

384 pages

8h 11m

English

Addison-Wesley Professional

Read now

Unlock full access

About This E-Book
Title Page
Copyright Page
Dedication Page
Contents at a Glance
Contents
Acknowledgments
About the Authors
Foreword
Preface
The Goals and Purpose for This BookAudience for This BookOrganization and ContentAdditional Content

Chapter 1. Cyber Security Engineering: Lifecycle Assurance of Systems and Software
1.1 Introduction1.2 What Do We Mean by Lifecycle Assurance?1.3 Introducing Principles for Software Assurance1.4 Addressing Lifecycle Assurance1.5 Case Studies Used in This Book1.5.1 Wireless Emergency Alerts Case Study1.5.2 Fly-By-Night Airlines Case Study1.5.3 GoFast Automotive Corporation Case Study
Chapter 2. Risk Analysis—Identifying and Prioritizing Needs
2.1 Risk Management Concepts2.2 Mission Risk2.3 Mission Risk Analysis2.3.1 Task 1: Identify the Mission and Objective(s)2.3.2 Task 2: Identify Drivers2.3.3 Task 3: Analyze Drivers2.4 Security Risk2.5 Security Risk Analysis2.6 Operational Risk Analysis—Comparing Planned to Actual2.7 Summary
Chapter 3. Secure Software Development Management and Organizational Models
3.1 The Management Dilemma3.1.1 Background on Assured Systems3.2 Process Models for Software Development and Acquisition3.2.1 CMMI Models in General3.2.2 CMMI for Development (CMMI-DEV)3.2.3 CMMI for Acquisition (CMMI-ACQ)3.2.4 CMMI for Services (CMMI-SVC)3.2.5 CMMI Process Model Uses3.3 Software Security Frameworks, Models, and Roadmaps3.3.1 Building Security In Maturity Model (BSIMM)3.3.2 CMMI Assurance Process Reference Model3.3.3 Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)3.3.4 DHS SwA Measurement Work3.3.5 Microsoft Security Development Lifecycle (SDL)3.3.6 SEI Framework for Building Assured Systems3.3.7 SEI Research in Relation to the Microsoft SDL3.3.8 CERT Resilience Management Model Resilient Technical Solution Engineering Process Area3.3.9 International Process Research Consortium (IPRC) Roadmap3.3.10 NIST Cyber Security Framework3.3.11 Uses of Software Security Frameworks, Models, and Roadmaps3.4 Summary
Chapter 4. Engineering Competencies
4.1 Security Competency and the Software Engineering Profession4.2 Software Assurance Competency Models4.3 The DHS Competency Model4.3.1 Purpose4.3.2 Organization of Competency Areas4.3.3 SwA Competency Levels4.3.4 Behavioral Indicators4.3.5 National Initiative for Cybersecurity Education (NICE)4.4 The SEI Software Assurance Competency Model4.4.1 Model Features4.4.2 SwA Knowledge, Skills, and Effectiveness4.4.3 Competency Designations4.4.4 A Path to Increased Capability and Advancement4.4.5 Examples of the Model in Practice4.4.6 Highlights of the SEI Software Assurance Competency Model4.5 Summary
Chapter 5. Performing Gap Analysis
5.1 Introduction5.2 Using the SEI’s SwA Competency Model5.3 Using the BSIMM5.3.1 BSIMM Background5.3.2 BSIMM Sample Report5.4 Summary
Chapter 6. Metrics
6.1 How to Define and Structure Metrics to Manage Cyber Security Engineering6.1.1 What Constitutes a Good Metric?6.1.2 Metrics for Cyber Security Engineering6.1.3 Models for Measurement6.2 Ways to Gather Evidence for Cyber Security Evaluation6.2.1 Process Evidence6.2.2 Evidence from Standards6.2.3 Measurement Management
Chapter 7. Special Topics in Cyber Security Engineering
7.1 Introduction7.2 Security: Not Just a Technical Issue7.2.1 Introduction7.2.2 Two Examples of Security Governance7.2.3 Conclusion7.3 Cyber Security Standards7.3.1 The Need for More Cyber Security Standards7.3.2 A More Optimistic View of Cyber Security Standards7.4 Security Requirements Engineering for Acquisition7.4.1 SQUARE for New Development7.4.2 SQUARE for Acquisition7.4.3 Summary7.5 Operational Competencies (DevOps)7.5.1 What Is DevOps?7.5.2 DevOps Practices That Contribute to Improving Software Assurance7.5.3 DevOpsSec Competencies7.6 Using Malware Analysis7.6.1 Code and Design Flaw Vulnerabilities7.6.2 Malware-Analysis–Driven Use Cases7.6.3 Current Status and Future Research7.7 Summary
Chapter 8. Summary and Plan for Improvements in Cyber Security Engineering Performance
8.1 Introduction8.2 Getting Started on an Improvement Plan8.3 Summary
References
Bibliography
Appendix A. WEA Case Study: Evaluating Security Risks Using Mission Threads
Importance of Systems of SystemsWEA Mission Thread ExampleWEA Security AnalysisConclusionReferences
Appendix B. The MSwA Body of Knowledge with Maturity Levels Added
References
Appendix C. The Software Assurance Curriculum Project
Appendix D. The Software Assurance Competency Model Designations
Appendix E. Proposed SwA Competency Mappings
References
Appendix F. BSIMM Assessment Final Report
Table of ContentsList of FiguresPrefacePurposeAudienceContacts1 Executive Summary2 Data Gathering3 High-Water Mark4 BSIMM Practices5 BSIMM Scorecard6 Comparison within Vertical7 ConclusionAppendix A: BSIMM BackgroundAppendix B: BSIMM ActivitiesAbout Cigital
Appendix G. Measures from Lifecycle Activities, Security Resources, and Software Assurance Principles
References
Index

Overview

Cyber Security Engineering is the definitive modern reference and tutorial on the full range of capabilities associated with modern cyber security engineering. Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody bring together comprehensive best practices for building software systems that exhibit superior operational security, and for considering security throughout your full system development and acquisition lifecycles.

Drawing on their pioneering work at the Software Engineering Institute (SEI) and Carnegie Mellon University, Mead and Woody introduce seven core principles of software assurance, and show how to apply them coherently and systematically. Using these principles, they help you prioritize the wide range of possible security actions available to you, and justify the required investments.

Cyber Security Engineering guides you through risk analysis, planning to manage secure software development, building organizational models, identifying required and missing competencies, and defining and structuring metrics. Mead and Woody address important topics, including the use of standards, engineering security requirements for acquiring COTS software, applying DevOps, analyzing malware to anticipate future vulnerabilities, and planning ongoing improvements.

This book will be valuable to wide audiences of practitioners and managers with responsibility for systems, software, or quality engineering, reliability, security, acquisition, or operations. Whatever your role, it can help you reduce operational problems, eliminate excessive patching, and deliver software that is more resilient and secure.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780134189857Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills