Posted on by Software and Information Assurancein
By Douglas C. Schmidt
As part of an ongoing effort to keep you informed about our latest work, this blog post summarizes some recently published books, SEI technical reports, and webinars in cybersecurity engineering, performance and dependability, cyber risk and resilience management, cyber intelligence, secure coding, and the latest requirements for chief information security offficers (CISOs).
These publications highlight the latest work of SEI technologists in these areas. This post includes a listing of each publication, author(s), and links where they can be accessed on the SEI website.
Cyber Security Engineering: A Practical Approach for Systems and Software Assurance brings together comprehensive best practices for building software systems that exhibit superior operational security and for considering security early and throughout the full lifecycles of both system development and acquisition. Pioneering software assurance experts Nancy R. Mead and Carol C. Woody present the latest practical knowledge and case studies, demonstrating strategies and techniques that have been repeatedly proven to reduce operational problems and the need for software patching. Using these methods, any software practitioner or manager can make system and software engineering decisions that are far more likely to achieve appropriate operational results.
Drawing on their pioneering work at the SEI, the authors introduce seven core principles of software assurance, and demonstrate how to apply them through all four key areas of cybersecurity engineering:
For each area, Mead and Woody present key standards, methods, services, tools, and best practices, illuminating these with relevant examples, references to research results, and additional resources. Each area's content is organized to demonstrate how all seven crucial software assurance principles can be addressed coherently and systematically. The authors complement their recommendations with deep insight into why they make sense, and practical guidance on determining whether each action is being performed successfully.
For more information.
This report describes research to define complexity measures for avionics systems to help the FAA identify when systems are too complex to assure their safety. The project selected a measure of complexity related to the number of ways that an avionics system error (fault) could propagate from element to element. Since each potential propagation requires another sub-argument in the safety case, the number of arguments should be linear with certification effort. Thus, the ability to show system safety through the certification process depends on this kind of system complexity.
Results include a formula for calculating the "error-propagation complexity" from system designs and its results for small and medium systems. The authors tested it on a second design for each system and on a larger design from a NASA report.
The complexity measurement must be matched to available review time to determine if a system is "too complex to assure safety." Review times for small cases were extrapolated to larger ones, assuming that a typical system includes small, medium, and large designs. Since many numbers and their relationships are speculative, the boundary of systems "too complex to assure safety" should be treated very cautiously. Finally, future research areas are discussed.
Download the report.
A Mapping of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the Cyber Resilience Review (CRR)
By Jeffrey L. Pinckard, Michael Rattigan, Robert A. Vrtis
This technical note describes the methodology used and the observations made while mapping the declarative statements found in the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the practice questions found in the Cyber Resilience Review (CRR). This mapping enables financial organizations to use CRR results not only to gauge their cyber resilience, but to examine their current baseline with respect to the FFIEC CAT and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The mapping in this technical note is proposed by three senior engineers from the CERT Division of the Carnegie Mellon University Software Engineering Institute; these engineers are skilled in conducting CRRs and familiar with all practice questions and question guidance. Two also have the advantage of several years of experience in the financial sector. The team relied on their experience along with previous mappings of the CRR and FFIEC CAT to the NIST CSF to propose the mapping in this technical note.
Download the technical note.
Improving Cybersecurity Through Cyber Intelligence
By Jared Ettinger
Cyber intelligence is the acquisition of information to identify, track, or predict the cyber capabilities and actions of malicious actors to offer courses of action to decision makers charged with protecting organizations. In this podcast, Jared Ettinger of the SEI's Emerging Technology Center (ETC) talks about the ETC's latest work in cyber intelligence as well as the Cyber Intelligence Research Consortium, which brings together organizations from a variety of sectors to exchange cyber intelligence ideas, participate in hands-on training activities, and learn about emerging cyber intelligence technologies from experts in the field.
View the podcast.
From Secure Coding to Secure Software
By Mark Sherman and Robert Schiela
In this webinar, Mark Sherman and Robert Schiela discuss how to improve an organization's secure coding capabilities, workforce, processes, and tools to develop and verify the security of software before it is deployed.
View the webinar.
Becoming a CISO: Formal and Informal Requirements
By Lisa R. Young and Darrell Keeling (Parkview Health)
WThe role a CISO or CISO equivalent plays in an organization to protect and sustain the key information and technical assets needed to achieve its mission is critical in today's landscape of data breaches, nation-state adversaries, and increased threats to the business.
In this podcast, Darrell Keeling, vice president of information security and HIPAA security officer at Parkview Health, discusses the knowledge, skills, and abilities needed to become a CISO.
View the webinar.
For the latest publications on SEI research, please visit http://resources.sei.cmu.edu/library/.