book

Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

Name: Cyber Security Engineering: A Practical Approach for Systems and Software Assurance
ISBN: 9780134189857

by Nancy R. Mead, Carol C. Woody

October 2016

Intermediate to advanced

384 pages

8h 11m

English

Addison-Wesley Professional

Read now

Unlock full access

About This E-Book
Title Page
Copyright Page
Dedication Page
Contents at a Glance
Contents
Acknowledgments
About the Authors
Foreword
Preface
The Goals and Purpose for This BookAudience for This BookOrganization and ContentAdditional Content

Chapter 1. Cyber Security Engineering: Lifecycle Assurance of Systems and Software
1.1 Introduction1.2 What Do We Mean by Lifecycle Assurance?1.3 Introducing Principles for Software Assurance1.4 Addressing Lifecycle Assurance1.5 Case Studies Used in This Book1.5.1 Wireless Emergency Alerts Case Study1.5.2 Fly-By-Night Airlines Case Study1.5.3 GoFast Automotive Corporation Case Study
Chapter 2. Risk Analysis—Identifying and Prioritizing Needs
2.1 Risk Management Concepts2.2 Mission Risk2.3 Mission Risk Analysis2.3.1 Task 1: Identify the Mission and Objective(s)2.3.2 Task 2: Identify Drivers2.3.3 Task 3: Analyze Drivers2.4 Security Risk2.5 Security Risk Analysis2.6 Operational Risk Analysis—Comparing Planned to Actual2.7 Summary
Chapter 3. Secure Software Development Management and Organizational Models
3.1 The Management Dilemma3.1.1 Background on Assured Systems3.2 Process Models for Software Development and Acquisition3.2.1 CMMI Models in General3.2.2 CMMI for Development (CMMI-DEV)3.2.3 CMMI for Acquisition (CMMI-ACQ)3.2.4 CMMI for Services (CMMI-SVC)3.2.5 CMMI Process Model Uses3.3 Software Security Frameworks, Models, and Roadmaps3.3.1 Building Security In Maturity Model (BSIMM)3.3.2 CMMI Assurance Process Reference Model3.3.3 Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)3.3.4 DHS SwA Measurement Work3.3.5 Microsoft Security Development Lifecycle (SDL)3.3.6 SEI Framework for Building Assured Systems3.3.7 SEI Research in Relation to the Microsoft SDL3.3.8 CERT Resilience Management Model Resilient Technical Solution Engineering Process Area3.3.9 International Process Research Consortium (IPRC) Roadmap3.3.10 NIST Cyber Security Framework3.3.11 Uses of Software Security Frameworks, Models, and Roadmaps3.4 Summary
Chapter 4. Engineering Competencies
4.1 Security Competency and the Software Engineering Profession4.2 Software Assurance Competency Models4.3 The DHS Competency Model4.3.1 Purpose4.3.2 Organization of Competency Areas4.3.3 SwA Competency Levels4.3.4 Behavioral Indicators4.3.5 National Initiative for Cybersecurity Education (NICE)4.4 The SEI Software Assurance Competency Model4.4.1 Model Features4.4.2 SwA Knowledge, Skills, and Effectiveness4.4.3 Competency Designations4.4.4 A Path to Increased Capability and Advancement4.4.5 Examples of the Model in Practice4.4.6 Highlights of the SEI Software Assurance Competency Model4.5 Summary
Chapter 5. Performing Gap Analysis
5.1 Introduction5.2 Using the SEI’s SwA Competency Model5.3 Using the BSIMM5.3.1 BSIMM Background5.3.2 BSIMM Sample Report5.4 Summary
Chapter 6. Metrics
6.1 How to Define and Structure Metrics to Manage Cyber Security Engineering6.1.1 What Constitutes a Good Metric?6.1.2 Metrics for Cyber Security Engineering6.1.3 Models for Measurement6.2 Ways to Gather Evidence for Cyber Security Evaluation6.2.1 Process Evidence6.2.2 Evidence from Standards6.2.3 Measurement Management
Chapter 7. Special Topics in Cyber Security Engineering
7.1 Introduction7.2 Security: Not Just a Technical Issue7.2.1 Introduction7.2.2 Two Examples of Security Governance7.2.3 Conclusion7.3 Cyber Security Standards7.3.1 The Need for More Cyber Security Standards7.3.2 A More Optimistic View of Cyber Security Standards7.4 Security Requirements Engineering for Acquisition7.4.1 SQUARE for New Development7.4.2 SQUARE for Acquisition7.4.3 Summary7.5 Operational Competencies (DevOps)7.5.1 What Is DevOps?7.5.2 DevOps Practices That Contribute to Improving Software Assurance7.5.3 DevOpsSec Competencies7.6 Using Malware Analysis7.6.1 Code and Design Flaw Vulnerabilities7.6.2 Malware-Analysis–Driven Use Cases7.6.3 Current Status and Future Research7.7 Summary
Chapter 8. Summary and Plan for Improvements in Cyber Security Engineering Performance
8.1 Introduction8.2 Getting Started on an Improvement Plan8.3 Summary
References
Bibliography
Appendix A. WEA Case Study: Evaluating Security Risks Using Mission Threads
Importance of Systems of SystemsWEA Mission Thread ExampleWEA Security AnalysisConclusionReferences
Appendix B. The MSwA Body of Knowledge with Maturity Levels Added
References
Appendix C. The Software Assurance Curriculum Project
Appendix D. The Software Assurance Competency Model Designations
Appendix E. Proposed SwA Competency Mappings
References
Appendix F. BSIMM Assessment Final Report
Table of ContentsList of FiguresPrefacePurposeAudienceContacts1 Executive Summary2 Data Gathering3 High-Water Mark4 BSIMM Practices5 BSIMM Scorecard6 Comparison within Vertical7 ConclusionAppendix A: BSIMM BackgroundAppendix B: BSIMM ActivitiesAbout Cigital
Appendix G. Measures from Lifecycle Activities, Security Resources, and Software Assurance Principles
References
Index

Content preview from Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

References

[Abran 2004]

Abran, Alain, Moore, James W., Bourque, Pierre, & Tripp, Leonard L., eds. Guide to the Software Engineering Body of Knowledge. IEEE Computer Society. 2004. www.computer.org/web/swebok/index.

[Adams 2015]

Adams, Bram, Bellomo, Stephany, Bird, Christian, Marshall-Keim, Tamara, Khomh, Foutse, & Moir, Kim. The Practice and Future of Release Engineering: A Roundtable with Three Release Engineers. IEEE Software: Special Issue on Release Engineering. Volume 32. Number 2. March/April 2015. Pages 42–49.

[Adobe 2014]

Adobe Systems, Inc. Proactive Security | Adobe Security. 2014. www.adobe.com/security/proactive-efforts.html.

[Alberts 2002]

Alberts, Christopher, & Dorofee, Audrey. Managing Information Security Risks: The OCTAVE Approach ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9780134189857Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

by Nancy R. Mead, Carol C. Woody

References

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.