Applying Software Quality Models to Software Security

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Applying Software Quality Models to Software Security"

Transcription

1 Applying Software Quality Models to Software Security Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Carol Woody, Ph.D. April 21, 2015

2 Copyright 2015 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at Team Software Process SM and TSP SM are service marks of Carnegie Mellon University. DM

3 Cyber Security Engineering (CSE) Team Mission: Build Security In Address security, software assurance, and survivability throughout the development and acquisition lifecycle by creating methods, solutions, and training that can be integrated into existing practices. CSE Focus Areas Education and Competencies Measurement and Analysis Lifecycle Management Engineering Carnegie Carnegie Mellon Mellon University 3 3

4 CSE Portfolio Software Assurance Education and Competencies Masters of Software Assurance Curriculum Model endorsed by IEEE and ACM Software Assurance Competency Model Software Assurance Course Delivery and Material Development Security & Software Assurance Measurement and Analysis Predictive Analytics Research Researching the use of Quality Models to Support Software Assurance Security & Software Assurance Management Mission Risk Diagnostic (MRD) Survivability Analysis Framework (SAF) Security & Software Assurance Engineering Security Quality Requirements Engineering (SQUARE) Security Engineering Risk Analysis (SERA) Risk in the Software Supply Chain Focus of today's presentation Carnegie Carnegie Mellon Mellon University 4 4

5 Cyber Security is a Lifecycle Challenge Mission thread (Business process) Design Weaknesses Coding Weaknesses Implementation Weaknesses 5

6 Can Predictions of Quality Inform Security Risk Predictions? The SEI has quality data for over 100 Team Software Process (TSP) development projects used to predict operational quality. Data from five projects with low defect density in system testing reported very low or zero safety critical and security defects in production use. 6

7 Semantic Gaps Quality tracks defects/faults (engineering and testing) Defect: non-fulfilment of intended usage requirements (ISO/IEC 9126) [essentially nonconformity to a specified requirement, missing or incorrect requirements] Software fault: accidental condition that causes a functional unit to fail to perform its required function (IEEE Standard Dictionary of Measures to produce reliable software 982.1, 1988) Security cares about vulnerabilities (operations) Information security vulnerability: mistake in software that can be exploited by a hacker to gain access to a system or network ( Software vulnerability: instance of an error in the specification, development, or configuration of software such that its execution can violate a security policy (Shin and Williams, 2010) 7

8 Vulnerabilities are Defects 1-5% of defects are vulnerabilities Analysis of defects for five versions of Microsoft windows operating systems and two versions of Red Hat Linux systems) (Alhazmi, et.al., 2007) Win 95 (14.5 MLOC) and Win 98 (18 MLOC) vulnerabilities are 1.00% and 0.84% respectively of identified defects Red Hat Linux 6.2 (1.8 MLOC) and 7.1 (6.4 MLOC) vulnerabilities are 5.63% and 4.34% respectively of identified defects. Tom Longstaff asserted that vulnerabilities might represent 5% of total defects ( Ross Anderson: it's reasonable to expect a 35,000,000 line program like Windows 2000 to have 1,000,000 bugs, only 1% of them are security-critical. (Anderson, 2001) 8

9 Data: Five Projects from Three Organizations Projects Types: Legacy system replacement, Medical devices Successful security/safety critical results in operation for at least a year Org. Project Type Secure or Safety Critical Defects Defect Density Size D D1 Safety Critical MLOC D D2 Safety Critical MLOC D D3 Safety Critical MLOC A A1 Secure MLOC T T1 Secure MLOC Quality Threshold With one exception, projects implemented below 20 defects per MLOC had no reported operational security or safety-critical defects. The exception utilized specialized defect removal practices for secure systems. 9

10 Quality Focuses on Defect Injection and Removal Early Defect Removal across Life Cycle Poor quality does predict poor security: 1-5% of the defects are vulnerabilities Cost to fix substantially increases the later a defect is discovered 10

11 Software Faults: Introduction, Discovery, and Cost Faults account for 30 50% percent of total software project costs. Most faults are introduced before coding (~70%). Most faults are discovered at system integration or later (~80%)

12 Successful Projects Embed Quality and Safety/Security Inspection at Each Lifecycle Step 12

13 Successful Projects Use Metrics Extensively Development Metrics Incoming/week Triage rate % closed Development work for cycle Software change request per developer per week # developers Software change request per verifier & validator per week # verification persons Software Change Metrics Fixed work per cycle Deferred planned work per cycle Measure constantly from many dimensions to identify problems early 13

14 Successful Projects Show Improved Reliability 14

15 How Will Quality Help Security? Good quality will ensure proper implementation of specified results Effective code checking will identify improper implementations of specifications (11 of SANS Top 25) Effective design reviews will identify missing requirements (12 of SANS Top 25) if appropriate security results are considered in the development of requirements if requirements are effectively translated into detail designs and code specifications to support the required security results SANS Top 25: SysAdmin, Audit, Network, Security Top 25 Most Dangerous Programming Errors ( Security Requirements Must be Properly Specified 15

16 Poor Quality Predicts Poor Security If you have a quality problem then you have a security problem Quality does not happen by accident and neither does security Neither quality nor security can be tested in Quality approaches such as TSP focus on personal accountability at each stage of the life cycle Effective results require clearly define what right looks like measuring and rewarding the right behaviors reinforcement by training, tracking and independent review 16

17 Linking Security and Quality Measures If defects are measured, from 1-5% of these should be considered to be security vulnerabilities. It is also feasible that when security vulnerabilities are measured then code quality can be estimated by considering these to be 1-5% of the expected defects. Reducing Defects Reduces Vulnerabilities 8-10 Feb 2011 International Conference on Software Quality - ICSQ

18 Challenges for Applicability Metrics are not collected about vulnerabilities specific to each product release Open Source products National Vulnerability Database Data about vulnerabilities are not collected in a form that can be parsed and analyzed using quality tools and measurements Update history does not report product vulnerability data Difficulty in evaluating size of products (lines of code or function points) Life cycles such as Agile do not typically collect defects until integration 18

19 Contact Information Carol Woody, Ph.D. Technical Manager CERT/CSF/CSE Telephone: U.S. Mail Software Engineering Institute Customer Relations 4500 Fifth Avenue Pittsburgh, PA USA Web Customer Relations Telephone: SEI Phone: SEI Fax:

Evaluating the Quality of Software Engineering Performance Data

Evaluating the Quality of Software Engineering Performance Data Evaluating the Quality of Software Engineering Performance Data James Over Software Engineering Institute Carnegie Mellon University July 2014 Copyright 2014 Carnegie Mellon University This material is

More information

Moving Target Reference Implementation

Moving Target Reference Implementation CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP Moving Target Reference Implementation Software Engineering Institute, Carnegie Mellon University Andrew O. Mellinger December 17, 2014

More information

Merging Network Configuration and Network Traffic Data in ISP-Level Analyses

Merging Network Configuration and Network Traffic Data in ISP-Level Analyses Merging Network Configuration and Network Traffic Data in ISP-Level Analyses Timothy J. Shimeall, Ph.D. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Presentation Title

More information

Supply-Chain Risk Management Framework

Supply-Chain Risk Management Framework Supply-Chain Risk Management Framework Carol Woody March 2010 Scope of SEI Work Context Significantly reduce the risk (any where in the supply chain) that an unauthorized party can change the behavior

More information

Model Checking Distributed Software

Model Checking Distributed Software Model Checking Distributed Software Sagar Chaki September 19, 2014 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Model Checking and Me 1997 : Ed visits IIT Kharagpur Just

More information

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

Contracting Officer s Representative (COR) Interactive SharePoint Wiki Contracting Officer s Representative (COR) Interactive SharePoint Wiki James Smith Andy Boyd Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon University This material

More information

Building Resilient Systems: The Secure Software Development Lifecycle

Building Resilient Systems: The Secure Software Development Lifecycle Building Resilient Systems: The Secure Software Development Lifecycle Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213, PhD Technical Director, CERT mssherman@sei.cmu.edu

More information

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division James Stevens is a senior member of the technical staff

More information

Resolving Chaos Arising from Agile Software Development

Resolving Chaos Arising from Agile Software Development Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 523 Author Date High Level Alternatives Approach. Blame the Agile development process, fire the folks who are controlling it and

More information

Cyber Intelligence Workforce

Cyber Intelligence Workforce Cyber Intelligence Workforce Troy Townsend Melissa Kasan Ludwick September 17, 2013 Agenda Project Background Research Methodology Findings Training and Education Project Findings Workshop Results Objectives

More information

Software Assurance vs. Security Compliance: Why is Compliance Not Enough? Carol Woody, Ph.D.

Software Assurance vs. Security Compliance: Why is Compliance Not Enough? Carol Woody, Ph.D. Software Assurance vs. Security Compliance: Why is Compliance Not Enough? Carol Woody, Ph.D. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2012 Carnegie Mellon University

More information

Extending AADL for Security Design Assurance of the Internet of Things

Extending AADL for Security Design Assurance of the Internet of Things Extending AADL for Security Design Assurance of the Internet of Things Presented by Rick Kazman, PhD Team: Carol Woody (PI), Rick Kazman, Robert Ellison, John Hudak, Allen Householder Software Engineering

More information

Assurance in Service-Oriented Environments

Assurance in Service-Oriented Environments Assurance in Service-Oriented Environments Soumya Simanta Research, Technology, and System Solutions (RTSS) Program Software Engineering Institute Carnegie Mellon University Pittsburgh 15232 28 th October,

More information

2012 CyberSecurity Watch Survey

2012 CyberSecurity Watch Survey 2012 CyberSecurity Watch Survey Unknown How 24 % Bad is the Insider Threat? 51% 2007-2013 Carnegie Mellon University 2012 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY

More information

A Systematic Method for Big Data Technology Selection

A Systematic Method for Big Data Technology Selection A Systematic Method for Big Data Technology Selection John Klein Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon University This material is based upon work funded

More information

Data Management Maturity (DMM) Model Update

Data Management Maturity (DMM) Model Update Data Management Maturity (DMM) Model Update Rawdon Young November 2012 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Contents / Agenda The DMM SEI Observations on Core

More information

Getting Started with Service- Oriented Architecture (SOA) Terminology

Getting Started with Service- Oriented Architecture (SOA) Terminology Getting Started with - Oriented Architecture (SOA) Terminology Grace Lewis September 2010 -Oriented Architecture (SOA) is a way of designing, developing, deploying, and managing systems it is neither a

More information

Kurt Wallnau Senior Member of Technical Staff

Kurt Wallnau Senior Member of Technical Staff Engineering Realistic Synthetic Insider Threat (Cyber-Social) Test Data Kurt Wallnau Senior Member of Technical Staff Dr. Kurt Wallnau joined the SEI in 1993. He joined CERT Science of Cyber-Security (SoCS)

More information

Assurance Cases for Design Analysis of Complex System of Systems Software

Assurance Cases for Design Analysis of Complex System of Systems Software Assurance Cases for Design Analysis of Complex System of Systems Software Presented at AIAA Infotech@Aerospace Conference Software Assurance Session 8 April 2009 Stephen Blanchette, Jr. Problem: SoS are

More information

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management Exploring the Interactions Between Network Data Analysis and Security Information/Event Management Timothy J. Shimeall CERT Network Situational Awareness (NetSA) Group January 2011 2011 Carnegie Mellon

More information

Building a Body of Knowledge for ICT Supply Chain Risk Management

Building a Body of Knowledge for ICT Supply Chain Risk Management Building a Body of Knowledge for ICT Supply Chain Risk Management Dan Shoemaker Nancy Mead May 2013 ABSTRACT: This paper proposes a set of Supply Chain Risk Management (SCRM) activities and practices for

More information

Automated Provisioning of Cloud and Cloudlet Applications

Automated Provisioning of Cloud and Cloudlet Applications Automated Provisioning of Cloud and Cloudlet Applications Secure and Assured Mobile Computing Components Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Jeff Boleng, PhD

More information

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience Management Model (CERT-RMM), both developed at Carnegie

More information

Elasticsearch, Logstash, and Kibana (ELK)

Elasticsearch, Logstash, and Kibana (ELK) Elasticsearch, Logstash, and Kibana (ELK) Dwight Beaver dsbeaver@cert.org Sean Hutchison shutchison@cert.org January 2015 2014 Carnegie Mellon University This material is based upon work funded and supported

More information

Penetration Testing Tools

Penetration Testing Tools Penetration Testing Tools Ken van Wyk January 2007 ABSTRACT: This article provides a primer on the most commonly used tools for traditional penetration testing. (A related article provides an overview

More information

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security. KVM and Hypervisor Security David Shepard and Matt Gaston CMU/SEI Cyber Innovation Center February 2012 2012 by Carnegie Mellon University. Published SEI PROPRIETARY INFORMATION. Distribution: Director

More information

VoIP in Flow A Beginning

VoIP in Flow A Beginning VoIP in Flow A Beginning Nathan Dell CERT/NetSA 2013 Carnegie Mellon University Legal Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of

More information

Experiences in Migrations of Legacy Systems

Experiences in Migrations of Legacy Systems Experiences in Migrations of Legacy Systems Bill Wood, Mike Gagliardi, and Phil Bianco Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon University This material is

More information

Agile Development and Software Architecture: Understanding Scale and Risk

Agile Development and Software Architecture: Understanding Scale and Risk Agile Development and Software Architecture: Understanding Scale and Risk Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Robert L. Nord SSTC, April 2012 In collaboration

More information

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

Buyer Beware: How To Be a Better Consumer of Security Maturity Models Buyer Beware: How To Be a Better Consumer of Security Maturity Models SESSION ID: GRC-R01 Julia Allen Software Engineering Institute Carnegie Mellon University jha@sei.cmu.edu Nader Mehravari Software

More information

Common Testing Problems: Pitfalls to Prevent and Mitigate

Common Testing Problems: Pitfalls to Prevent and Mitigate : Pitfalls to Prevent and Mitigate AIAA Case Conference 12 September 2012 Donald Firesmith Software Engineering Institute (SEI) Carnegie Mellon University Pittsburgh, PA 15213 Clarification and Caveat

More information

Monitoring Trends in Network Flow for Situational Awareness

Monitoring Trends in Network Flow for Situational Awareness Monitoring Trends in Network Flow for Situational Awareness SEI CERT NetSA 2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE

More information

Software Assurance Competency Model

Software Assurance Competency Model Software Assurance Competency Model Thomas Hilburn, Embry-Riddle Aeronautical University Mark Ardis, Stevens Institute of Technology Glenn Johnson, (ISC) 2 Andrew Kornecki, Embry-Riddle Aeronautical University

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Christopher J. Alberts Audrey J. Dorofee August 2010 TECHNICAL REPORT CMU/SEI-2010-TR-017 ESC-TR-2010-017 Acquisition Support Program Unlimited distribution subject to the copyright.

More information

Software Security Engineering: A Guide for Project Managers

Software Security Engineering: A Guide for Project Managers Software Security Engineering: A Guide for Project Managers Gary McGraw Julia H. Allen Nancy Mead Robert J. Ellison Sean Barnum May 2013 ABSTRACT: Software is ubiquitous. Many of the products, services,

More information

SOA for Healthcare: Promises and Pitfalls

SOA for Healthcare: Promises and Pitfalls SOA for Healthcare: Promises and Pitfalls Dennis B. Smith dbs@sei.cmu.edu SOA in Health Care Conference: Value in a Time of Change Chicago, IL USA June 3, 2009 Agenda Healthcare IT Challenges SOA: The

More information

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division Matthew Butkovic is a Technical Manager Cybersecurity Assurance

More information

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge Soumya Simanta Gene Cahill Ed Morris Motivation Situational Awareness First responders and others operating in

More information

Abuse of CPE Devices and Recommended Fixes

Abuse of CPE Devices and Recommended Fixes Abuse of CPE Devices and Recommended Fixes Dr. Paul Vixie (Farsight Security, Inc.) Chris Hallenbeck (US-CERT, DHS) Jonathan Spring (CERT/CC, Carnegie Mellon) August 7, 2014 Black Hat USA 2014 2014 Carnegie

More information

CMMI for SCAMPI SM Class A Appraisal Results 2011 End-Year Update

CMMI for SCAMPI SM Class A Appraisal Results 2011 End-Year Update CMMI for SCAMPI SM Class A 2011 End-Year Update Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 1 Outline Introduction Current Status Community Trends Organizational Trends

More information

Architectural Implications of Cloud Computing

Architectural Implications of Cloud Computing Architectural Implications of Cloud Computing Grace Lewis Research, Technology and Systems Solutions (RTSS) Program Lewis is a senior member of the technical staff at the SEI in the Research, Technology,

More information

UFO: Verification with Interpolants and Abstract Interpretation

UFO: Verification with Interpolants and Abstract Interpretation : Verification with Interpolants and Abstract Interpretation and Sagar Chaki Software Engineering Institute Carnegie Mellon University Aws Albarghouthi, Yi i and Marsha Chechik University of Toronto A

More information

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0 Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0 Christopher J. Alberts Sandra G. Behrens Richard D. Pethia William R. Wilson June 1999 TECHNICAL

More information

Network Analysis with isilk

Network Analysis with isilk Network Analysis with isilk Presented at FloCon 2011 Ron Bandes CERT Network Situational Awareness (NetSA) Group 2011 Carnegie Mellon University 2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL

More information

Understanding High Maturity Organizations

Understanding High Maturity Organizations Understanding High Maturity Organizations Donna K. Dunaway, Charles V. Weber, Mark C. Paulk, Will Hayes, and Mary Beth Chrissis Carnegie Mellon University Pittsburgh, PA 15213-3890 Capability Maturity

More information

Service Measurement Index Framework Version 2.1

Service Measurement Index Framework Version 2.1 Service Measurement Index Framework Version 2.1 July 2014 CSMIC Carnegie Mellon University Silicon Valley Moffett Field, CA USA Introducing the Service Measurement Index (SMI) The Service Measurement Index

More information

Software Architecture for Big Data Systems. Ian Gorton Senior Member of the Technical Staff - Architecture Practices

Software Architecture for Big Data Systems. Ian Gorton Senior Member of the Technical Staff - Architecture Practices Software Architecture for Big Data Systems Ian Gorton Senior Member of the Technical Staff - Architecture Practices Ian Gorton is investigating issues related to software architecture at scale. This includes

More information

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering Building a Business Case for Systems Engineering NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES

More information

Network Monitoring for Cyber Security

Network Monitoring for Cyber Security Network Monitoring for Cyber Security Paul Krystosek, PhD CERT Network Situational Awareness 2006 Carnegie Mellon University What s Coming Up The scope of network monitoring Cast of characters Descriptions

More information

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management Sustaining Operational Resiliency: A Process Improvement Approach to Security Management Author Richard A. Caralli Principle Contributors James F. Stevens Charles M. Wallen, Financial Services Technology

More information

Using Domain Name Registrant Information To Identify Malicious Domains

Using Domain Name Registrant Information To Identify Malicious Domains Using Domain Name Registrant Information To Identify Malicious Domains Mark Langston Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Do Bad Actors Use Fake Addresses? Copyright

More information

$100 SiLK Network Flow Sensor

$100 SiLK Network Flow Sensor $100 SiLK Network Flow Sensor Ron Bandes John Badertscher Dwight Beaver 1 Copyright 2014 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under

More information

Deriving Software Security Measures from Information Security Standards of Practice

Deriving Software Security Measures from Information Security Standards of Practice Deriving Software Measures from Standards of Practice Julia Allen Christopher Alberts Robert Stoddard February 2012 2012 Carnegie Mellon University Copyright 2012 Carnegie Mellon University. This material

More information

The CERT Top 10 List for Winning the Battle Against Insider Threats

The CERT Top 10 List for Winning the Battle Against Insider Threats The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:

More information

Trends and New Directions in Software Architecture

Trends and New Directions in Software Architecture Trends and New Directions in Software Architecture Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Chief Scientist, Software Solutions Division SEI Fellow Copyright 2015

More information

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage CERT Insider Threat Center April 2011 NOTICE: THIS TECHNICAL DATA IS PROVIDED PURSUANT TO GOVERNMENT CONTRACT

More information

Individual Certification of Security Proficiency for Software Professionals: Where Are We? Where Are We Going?

Individual Certification of Security Proficiency for Software Professionals: Where Are We? Where Are We Going? Individual Certification of Security Proficiency for Software Professionals: Where Are We? Where Are We Going? Dan Shoemaker January 2009 ABSTRACT: The software industry needs a universally acknowledged

More information

Introduction to the OCTAVE Approach

Introduction to the OCTAVE Approach Introduction to the OCTAVE Approach Christopher Alberts Audrey Dorofee James Stevens Carol Woody August 2003 Pittsburgh, PA 15213-3890 Introduction to the OCTAVE Approach Christopher Alberts Audree Dorofee

More information

Introduction to the Security Engineering Risk Analysis (SERA) Framework

Introduction to the Security Engineering Risk Analysis (SERA) Framework Introduction to the Security Engineering Risk Analysis (SERA) Framework Christopher Alberts Carol Woody Audrey Dorofee November 2014 TECHNICAL NOTE CMU/SEI-2014-TN-025 CERT Division http://www.sei.cmu.edu

More information

ZIMPERIUM, INC. END USER LICENSE TERMS

ZIMPERIUM, INC. END USER LICENSE TERMS ZIMPERIUM, INC. END USER LICENSE TERMS THIS DOCUMENT IS A LEGAL CONTRACT. PLEASE READ IT CAREFULLY. These End User License Terms ( Terms ) govern your access to and use of the zanti and zips client- side

More information

Secure Software Development Life Cycle Processes: A Technology Scouting Report

Secure Software Development Life Cycle Processes: A Technology Scouting Report Secure Software Development Life Cycle Processes: A Technology Scouting Report Noopur Davis December 2005 Software Engineering Process Management Unlimited distribution subject to the copyright. Technical

More information

The Key to Successful Monitoring for Detection of Insider Attacks

The Key to Successful Monitoring for Detection of Insider Attacks The Key to Successful Monitoring for Detection of Insider Attacks Dawn M. Cappelli Randall F. Trzeciak Robert Floodeen Software Engineering Institute CERT Program Session ID: GRC-302 Session Classification:

More information

An Application of an Iterative Approach to DoD Software Migration Planning

An Application of an Iterative Approach to DoD Software Migration Planning An Application of an Iterative Approach to DoD Software Migration Planning John Bergey Liam O Brien Dennis Smith September 2002 Product Line Practice Initiative Unlimited distribution subject to the copyright.

More information

The Personal Software Process SM (PSP SM )

The Personal Software Process SM (PSP SM ) The Personal Software Process SM (PSP SM ) Watts S. Humphrey November 2000 TECHNICAL REPORT CMU/SEI-2000-TR-022 ESC-TR-2000-022 Pittsburgh, PA 15213-3890 The Personal Software Process SM (PSP SM ) CMU/SEI-2000-TR-022

More information

CMMI: What do we need to do in Requirements Management & Engineering?

CMMI: What do we need to do in Requirements Management & Engineering? Colin Hood Page 1 of 11 : What do we need to do in Requirements Management & Engineering? Colin Hood HOOD Group February 2003 : What do we need to do in Requirements Management & Engineering?... 1 1 Abstract...

More information

Management (CSM) Capability

Management (CSM) Capability CDM Configuration Settings Management (CSM) Capability Department of Homeland Security National Cyber Security Division Federal Network Security Network & Infrastructure Security Table of Contents 1 PURPOSE

More information

CA Automation Suite for Data Centers

CA Automation Suite for Data Centers PRODUCT SHEET CA Automation Suite for Data Centers agility made possible Technology has outpaced the ability to manage it manually in every large enterprise and many smaller ones. Failure to build and

More information

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance

Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Protect Your Organization With the Certification That Maps to a Master s-level Education in Software Assurance Sponsored by the U.S. Department of Homeland Security (DHS), the Software Engineering Institute

More information

Incident Management Capability Metrics Version 0.1

Incident Management Capability Metrics Version 0.1 Incident Management Capability Metrics Version 0.1 Audrey Dorofee Georgia Killcrece Robin Ruefle Mark Zajicek April 2007 TECHNICAL REPORT CMU/SEI-2007-TR-008 ESC-TR-2007-008 CERT Program Unlimited distribution

More information

Edge Analytics: Analysis of Social Media to Support Tactical Users

Edge Analytics: Analysis of Social Media to Support Tactical Users Edge Analytics: Analysis of Social Media to Support Tactical Users Bill Anderson & Keegan Williams Software Solutions Conference 2015 November 16 18, 2015 Copyright 2015 Carnegie Mellon University This

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of Rapid7 Nexpose Vulnerability Management and Penetration Testing System V5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian

More information

CRR Supplemental Resource Guide. Volume 3. Configuration and Change Management. Version 1.1

CRR Supplemental Resource Guide. Volume 3. Configuration and Change Management. Version 1.1 CRR Supplemental Resource Guide Volume 3 Configuration and Change Management Version 1.1 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of

More information

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org

Preventive Approach for Web Applications Security Testing OWASP 10/30/2009. The OWASP Foundation http://www.owasp.org Preventive Approach for Web Applications Security Testing 10/30/2009 Luiz Otávio Duarte Ferrucio de Franco Rosa Walcir M. Cardoso Jr. Renato Archer Information Technology Center Brazilian Ministry of Science

More information

Advance the state of the practice. Exercise your skills with other top software engineering professionals.

Advance the state of the practice. Exercise your skills with other top software engineering professionals. Carnegie Mellon Advance the state of the practice. AFFILIATE PROGRAM Join research projects on the leading edge. Exercise your skills with other top software engineering professionals. OUR MISSION is to

More information

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING Katie Moussouris Senior Security Strategist Microsoft Security Response Center http://twitter.com/k8em0 (that s a zero) Session ID: ASEC-T18

More information

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1 CRR Supplemental Resource Guide Volume 5 Incident Management Version 1.1 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security

More information

Intel Service Assurance Administrator. Product Overview

Intel Service Assurance Administrator. Product Overview Intel Service Assurance Administrator Product Overview Running Enterprise Workloads in the Cloud Enterprise IT wants to Start a private cloud initiative to service internal enterprise customers Find an

More information

CMMI Version 1.2. SCAMPI SM A Appraisal Method Changes

CMMI Version 1.2. SCAMPI SM A Appraisal Method Changes Pittsburgh, PA 15213-3890 CMMI Version 1.2 SCAMPI SM A Appraisal Method Changes SM CMM Integration, IDEAL, and SCAMPI are service marks of Carnegie Mellon University. Capability Maturity Model, Capability

More information

Steve Masters (SEI) SEPG North America March 2011. 2011 Carnegie Mellon University

Steve Masters (SEI) SEPG North America March 2011. 2011 Carnegie Mellon University Using Organizational Business Objectives to Guide a Process Improvement Program Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 (SEI) SEPG North America March 2011 Agenda

More information

Explorations of Science in Cyber Security

Explorations of Science in Cyber Security Explorations of cience in Cyber ecurity Dr. Greg hannon@cert.org Chief cientist October, 2012 +1 (412) 268-8545 www.sei.cmu.edu/about/people/shannon.cfm 2011 Carnegie Mellon University My cience of Cyber

More information

SECURE SOFTWARE DEVELOPMENT PROCESS FOR EMBEDDED SYSTEMS CONTROL

SECURE SOFTWARE DEVELOPMENT PROCESS FOR EMBEDDED SYSTEMS CONTROL SECURE SOFTWARE DEVELOPMENT PROCESS FOR EMBEDDED SYSTEMS CONTROL Sanjai Gupta 1, Md Faisal 2, Mohammed Hussain 3 1 Department of Computer Science & Engineering, CMJ University, Meghalaya, India 1 guptasanjay3@gmail.com

More information

Third Party Software Used In PLEK500 (Utility for Win) v1.x.xx.xxx

Third Party Software Used In PLEK500 (Utility for Win) v1.x.xx.xxx Third Party Software Used In PLEK500 (Utility for Win) v1.x.xx.xxx March 2013 This document contains the licenses and notices for open source software used in this product. With respect to the free/open

More information

Trends in SwA Practice: Education and Adoption

Trends in SwA Practice: Education and Adoption Trends in SwA Practice: Education and Adoption Carol Woody, Ph.D. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 March 9, 2010 Academia Contributes to Software Assurance

More information

BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014 Contents The Configuration Security Compliance

More information

IBM Tivoli Netcool network management solutions for enterprise

IBM Tivoli Netcool network management solutions for enterprise IBM Netcool network management solutions for enterprise The big picture view that focuses on optimizing complex enterprise environments Highlights Enhance network functions in support of business goals

More information

IBM Tivoli Endpoint Manager for Security and Compliance

IBM Tivoli Endpoint Manager for Security and Compliance IBM Endpoint Manager for Security and Compliance A single solution for managing endpoint security across the organization Highlights Provide up-to-date visibility and control from a single management console

More information

DUAL MONITOR DRIVER AND VBIOS UPDATE

DUAL MONITOR DRIVER AND VBIOS UPDATE DUAL MONITOR DRIVER AND VBIOS UPDATE RN-07046-001_v01 September 2013 Release Notes DOCUMENT CHANGE HISTORY RN-07046-001_v01 Version Date Authors Description of Change 01 September 30, 2013 MD, SM Initial

More information

Website Hosting Agreement

Website Hosting Agreement Website Hosting Agreement 6 oak grove avenue This Hosting Contract governs your purchase and use, in any manner, of all Web site hosting services, including the Shared Hosting Services, (collectively,

More information

Configuring and Monitoring Event Logs

Configuring and Monitoring Event Logs Configuring and Monitoring Event Logs eg Enterprise v5.6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document

More information

Apache: Analyze Logs for Malicious Activities & Monitor Server Performance

Apache: Analyze Logs for Malicious Activities & Monitor Server Performance Apache: Analyze Logs for Malicious Activities & Monitor Server Performance EventTracker v7.6 Publication Date: Feb 12, 2015 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com About

More information

A Framework for Categorizing Key Drivers of Risk

A Framework for Categorizing Key Drivers of Risk A Framework for Categorizing Key Drivers of Risk Christopher J. Alberts Audrey J. Dorofee April 2009 TECHNICAL REPORT CMU/SEI-2009-TR-007 ESC-TR-2009-007 Acquisition Support Program Unlimited distribution

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

Evaluating and Mitigating Software Supply Chain Security Risks

Evaluating and Mitigating Software Supply Chain Security Risks Evaluating and Mitigating Software Supply Chain Security Risks Robert J. Ellison John B. Goodenough Charles B. Weinstock Carol Woody May 2010 TECHNICAL NOTE CMU/SEI-2010-TN-016 Research, Technology, and

More information

CA Virtual Assurance for Infrastructure Managers

CA Virtual Assurance for Infrastructure Managers DATA SHEET CA Virtual Assurance for Infrastructure Managers (Includes CA Systems Performance for Infrastructure Managers) CA Virtual Assurance for Infrastructure Managers (formerly CA Virtual Performance

More information

Ipek Ozkaya Senior Researcher

Ipek Ozkaya Senior Researcher Strategic Management of Architectural Technical Debt Ipek Ozkaya Senior Researcher A senior member of the SEI technical staff, Ipek Ozkaya is the co-organizer of the Third International Workshop on Managing

More information

Software Supply Chain Risk Management: From Products to Systems of Systems

Software Supply Chain Risk Management: From Products to Systems of Systems Software Supply Chain Risk Management: From Products to Systems of Systems Robert J. Ellison Christopher Alberts Rita Creel Audrey Dorofee Carol Woody December 2010 TECHNICAL NOTE CMU/SEI-2010-TN-026 CERT

More information

Idea: Measuring the Effect of Code Complexity on Static Analysis Results

Idea: Measuring the Effect of Code Complexity on Static Analysis Results Idea: Measuring the Effect of Code Complexity on Static Analysis Results James Walden, Adam Messer, and Alex Kuhl Department of Computer Science Northern Kentucky University Highland Heights, KY 41099

More information

Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0

Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0 sm Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Related Usage Models... 5 Reference Framework...

More information

CERT Resilience Management Model (CERT -RMM) V1.1: NIST Special Publication 800-66 Crosswalk

CERT Resilience Management Model (CERT -RMM) V1.1: NIST Special Publication 800-66 Crosswalk CERT Resilience Management Model (CERT -RMM) V1.1: NIST Special Publication 800-66 Crosswalk Lisa R. Young, Software Engineering Institute Ma-Nyahn Kromah, SunGard Availability Services October 2013 TECHNICAL

More information

Quantitative Vulnerability Assessment of Systems Software

Quantitative Vulnerability Assessment of Systems Software Quantitative Vulnerability Assessment of Systems Software Omar H. Alhazmi, Colorado State University Yashwant K. Malaiya, Ph. D., Colorado State University Key Words: security, operating systems, vulnerability,

More information