Blog Posts
An Acquisition Security Framework for Supply Chain Risk Management
This post introduces the Acquisition Security Framework (ASF), which helps organizations identify the critical touchpoints needed for effective supply chain risk management.
• By Carol Woody
In Cybersecurity Engineering
A Cybersecurity Engineering Strategy for DevSecOps that Integrates with the Software Supply Chain
Reused code contains defects unknown to the new user, which, in turn, propagate vulnerabilities into new systems. Organizations must develop a cybersecurity engineering strategy that addresses the integration of DevSecOps …
• By Carol Woody
In Cybersecurity Engineering
Six Key Cybersecurity Engineering Activities for Building a Cybersecurity Strategy
This post, which augments a recent webcast and a forthcoming white paper, highlights the importance of the cybersecurity strategy in defining how the technology from an acquisition will be designed, …
• By Carol Woody, Rita Creel
In Cybersecurity Engineering
Selecting Measurement Data for Software Assurance Practices
Measuring the software assurance of a product as it is developed and delivered to function in a specific system context involves assembling carefully chosen metrics …
• By Carol Woody
Three Pilots of the CERT Software Assurance Framework
Software is a growing component of business and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. We recently published a technical …
• By Christopher Alberts, Carol Woody
Using Quality Metrics and Security Methods to Predict Software Assurance
To ensure software will function as intended and is free of vulnerabilities (aka software assurance), software engineers must consider security early in the lifecycle, when the system is being designed …
• By Carol Woody, Nancy Mead
In Artificial Intelligence Engineering
A Tool to Address Cybersecurity Vulnerabilities Through Design
Increasingly, software development organizations are finding that a large number of their vulnerabilities stem from design weaknesses and not coding vulnerabilities. In this blog post, the first in a series, …
• By Rick Kazman, Carol Woody
In Software Architecture
Heartbleed and Goto Fail: Two Case Studies for Predicting Software Assurance Using Quality and Reliability Measures
Mitre's Top 25 Most Dangerous Software Errors is a list that details quality problems, as well as security problems. This list aims to help software developers "prevent the kinds of …
• By Carol Woody, Bill Nichols
Establishing Trust in the Wireless Emergency Alerts Service
The Wireless Emergency Alerts (WEA) service went online in April 2012, giving emergency management agencies such as the National Weather Service or a city's hazardous materials team a way to …