Assurance Cases for Design Analysis of Complex System of Systems Software



Similar documents
2012 CyberSecurity Watch Survey

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Risk Management Framework

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

Monitoring Trends in Network Flow for Situational Awareness

Getting Started with Service- Oriented Architecture (SOA) Terminology

Supply-Chain Risk Management Framework

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering

A Systematic Method for Big Data Technology Selection

Moving Target Reference Implementation

Architectural Implications of Cloud Computing

Applying Software Quality Models to Software Security

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

UFO: Verification with Interpolants and Abstract Interpretation

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

CMMI: What do we need to do in Requirements Management & Engineering?

Network Analysis with isilk

CMMI for SCAMPI SM Class A Appraisal Results 2011 End-Year Update

SOA for Healthcare: Promises and Pitfalls

How To Ensure Security In A System

Network Monitoring for Cyber Security

Arcade Game Maker Pedagogical Product Line: Marketing and Product Plan

Common Testing Problems: Pitfalls to Prevent and Mitigate

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

An Application of an Iterative Approach to DoD Software Migration Planning

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

Interpreting Capability Maturity Model Integration (CMMI ) for Service Organizations a Systems Engineering and Integration Services Example

Agile Development and Software Architecture: Understanding Scale and Risk

Data Management Maturity (DMM) Model Update

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

How To Use Elasticsearch

Cyber Intelligence Workforce

A Framework for Categorizing Key Drivers of Risk

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management

The Key to Successful Monitoring for Detection of Insider Attacks

Steve Masters (SEI) SEPG North America March Carnegie Mellon University

Introduction to the OCTAVE Approach

Penetration Testing Tools

Extending AADL for Security Design Assurance of the Internet of Things

CERT Virtual Flow Collection and Analysis

Information Asset Profiling

Service Measurement Index Framework Version 2.1

VoIP in Flow A Beginning

Building Resilient Systems: The Secure Software Development Lifecycle

Interpreting Capability Maturity Model Integration (CMMI ) for Business Development Organizations in the Government and Industrial Business Sectors

The CERT Top 10 List for Winning the Battle Against Insider Threats

Guidelines for Developing a Product Line Concept of Operations

Guidelines for Developing a Product Line Production Plan

Department of Defense INSTRUCTION

Software Acquisition Capability Maturity Model (SA-CMM ) Version 1.03

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

SOA in an Electronic Health Record Product Line

Software Assurance Competency Model

CMM SM -Based Appraisal for Internal Process Improvement (CBA IPI): Method Description

What methods are used to conduct testing?

Testing a Software Product Line

Software Security Engineering: A Guide for Project Managers

Open Source Used In Cisco D9865 Satellite Receiver Software Version 2.20

GNU LIBRARY GENERAL PUBLIC LICENSE. Preamble

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

Technical Report CMU/SEI-97-TR-007 ESC-TR

Open Source Announcement

Design Document Version 0.0

Enterprise Architecture Assessment Guide

Abuse of CPE Devices and Recommended Fixes

Open Source Software used in the product

DOCUMENT MANAGEMENT SYSTEM WHITE PAPER

Software Architecture Professional Certificate

How To Protect Your Website From Copyright Infringement

Transcription:

Assurance Cases for Design Analysis of Complex System of Systems Software Presented at AIAA Infotech@Aerospace Conference Software Assurance Session 8 April 2009 Stephen Blanchette, Jr.

Problem: SoS are Common, but Difficult Huge systems of systems (SoS) development efforts Have become quite commonplace as aerospace/defense solutions The Global Earth Observation System of Systems (GEOSS) The US Army s Future Combat Systems The US Coast Guard s Deepwater Etc. Exhibit extreme complexity they're hard to underst in detail Are difficult, even impossible, to test adequately using traditional methods Use software as an enabler of SoS functionality Often, SoS elements are dispersed geographically, adding complexity making predictability of behavior difficult How can project management, stakeholders, decision makers achieve some reasonable level of confidence that software for a large-scale, dispersed SoS will meet operational needs, even before development of much of the software? 2

Recent Experience Led to Assurance Case Use An SEI team was tasked with answering this question in the face of: the software design was actually many software designs documented in many places with a tremendous volume of data the designs were not yet complete would not be complete until after many production decisions had to be made the need to relate the software to operational needs the desire to base conclusions as much as possible on actual data rather than on optimistic plans confident assertions Constraints short time frame: a project level review had a hard deadline limited availability of personnel, all with varying levels of domain knowledge 3

We Had to Relate Operational Needs to Software The top-level SoS requirements were expressed in military terms. A requirements analysis would be repeating work already done Errors in requirements traceability could skew the entire analysis We decided against re-casting the operational needs in terms of software instead analyzed the software contributions to the definitive characterization of those needs the Key Performance Parameters (KPPs). The size of the analysis space, the complexity of the task, the desire to leverage data suggested an assurance case approach The analysis was a structured decomposition of each KPP into more precise statements that could be more readily assessed in terms of evidence. Challenge: be logical consistent but avoid accumulating too much detail Use engineering judgment to leap from higher-level concepts to lower-level ones 4

An Assurance Case is a Structured Argument An assurance case is a generalization of a safety case presents an argument (similar to a legal case) that a system has or satisfies some property in a given context requires claims, evidence, an argument linking evidence to claims should be sound complete to justify belief in the main claim should be based on objective evidence Goal Structuring Notation (GSN) graphically presents the argument by showing how claims are broken down into sub-claims until arriving at a sub-claim supported by evidence. Argument Sub-claim 1 Claim Sub-claim 2 Sub-claim 3 Sub-claim 4 For our purposes, we used assurance cases to demonstrate that a SoS software design supported each of the SoS KPPs, as in the claim The SoS will satisfy KPP k Evidence Evidence Evidence 5

An Example Assume we re developing a SoS for a DoD project The SoS must exchange information with other systems Our SoS is subject to the Net Ready Key Performance Parameter (NR KPP): The system...must support Net-Centric military operations. The system must be able to enter be managed in the network, exchange data in a secure manner to enhance mission effectiveness. The system must continuously provide survivable, interoperable, secure, operationally effective information exchanges to enable a Net-Centric military capability. Chairman of the Joint Chiefs of Staff Instruction, Interoperability Supportability of Information Technology National Security Systems, CJCSI 6212.01E, 2008. 6

We Can Express the NR KPP Diagrammatically Ctx1 Source Document: CJCSI 6212.01E Clm1 The system of systems supports Net-Centric military operations Nte1 This diagram focuses on threshold level KPP satisfaction A1 It is assumed that hardware components of the network can be ignored in this analysis. A Clm2 The SoS is able to enter be managed in the network Clm6 The SoS is able to exchange data in a secure manner to enhance mission effectiveness Clm13 The SoS continuously provides survivable, interoperable, secure, operationally effective information exchanges 7

Primary Sub-claim #2 Clm2 The SoS is able to enter be managed in the network Clm3 The SoS network conforms to the relevant stards Clm5 The SoS network management software is able to establish, control, terminate connections to the network Clm4 The SoS communications software protocol stack conform to the relevant stards Ev3 documents Ev4 evaluation results Ev5 Results of preliminary field tests experiments Ev1 documents Ev2 Test plans/results related to stards compliance 8

Primary Sub-claim #6 Clm6 The SoS is able to exchange data in a secure manner to enhance mission effectiveness Clm7 The security requirements (e.g., data security, information assurance, access control) for the SoS are met Clm11 The SoS supports information exchanges Clm8 Security requirements are identified adequately across the SoS Clm9 Security components within the design are consistent across the SoS Clm10 Verification/validation of SoS security features is adequately planned resourced Clm12 Information to be exchanged is defined Ev12 Results of preliminary field tests experiments Ev6 Requirements database showing security requirements Ev7 design documents Ev8 evaluation results Ev9 Test plans descriptions Ev11 Ev10 Requirements Formally database tracked showing risks information Assurance Cases for SoS transfers Design Analysis 9

Primary Sub-claim #13 Clm13 The SoS continuously provides survivable, interoperable, secure, operationally effective information exchanges Clm11 The SoS supports information exchanges Clm14 The SoS information exchanges occur within prescribed timelines Clm12 Information to be exchanged is defined Ev12 Results of preliminary field tests experiments Clm15 Timelines are defined Ev14 Results of preliminary field tests experiments Ev15 Modeling & simulation results Ev16 Formally tracked risks Ev11 Requirements database showing information transfers Ev13 Requirements database showing applicable timelines 10

A Diagram Helps Visualize the Completed Case Ctx1 Source Document: CJCSI 6212.01E Clm1 The system of systems supports Net-Centric military operations Nte1 This diagram focuses on threshold level KPP satisfaction A1 It is assumed that hardware components of the network can be ignored in this analysis. A Clm2 The SoS is able to enter be managed in the network Clm6 The SoS is able to exchange data in a secure manner to enhance mission effectiveness Clm13 The SoS continuously provides survivable, interoperable, secure, operationally effective information exchanges Clm3 The SoS network conforms to the relevant stards Clm5 The SoS network management software is able to establish, control, terminate connections to the network Clm7 The security requirements (e.g., data security, information assurance, access control) for the SoS are met Clm11 The SoS supports information exchanges Clm14 The SoS information exchanges occur within prescribed timelines Clm4 The SoS communications software protocol stack conform to the relevant stards Ev3 documents Ev4 evaluation results Ev5 Results of preliminary field tests experiments Clm8 Security requirements are identified adequately across the SoS Clm9 Security components within the design are consistent across the SoS Clm10 Verification/validation of SoS security features is adequately planned resourced Clm12 Information to be exchanged is defined Ev12 Results of preliminary field tests experiments Clm15 Timelines are defined Ev14 Results of preliminary field tests experiments Ev15 Modeling & simulation results Ev16 Formally tracked risks Ev1 documents Ev2 Test plans/results related to stards compliance Ev6 Requirements database showing security requirements Ev7 design documents Ev8 evaluation results Ev9 Test plans descriptions Ev10 Formally tracked risks Ev11 Requirements database showing information transfers Ev13 Requirements database showing applicable timelines Logic Should Hold Even Without the Diagram 11

Scoring Can be Used to Express Risk First, Develop Scoring Rules Then, Work Upward from Evidence 12

Scored Diagram Provides a Roadmap Quality of the Evidence Drives Assessment of Claims Relative Risk 13

Assurance Cases are Helpful in the SoS Space Assurance cases gave us a way of organizing a nebulous task gave us a means of selecting among innumerable artifacts to study. They brought order to complexity. Due to time constraints we had to focus on big picture risks A more thorough analysis might have identified additional risks or strong points The assurance case technique is a powerful tool for analyzing large complex SoS software design. It provides a means of taking a crosscutting look at SoS It gives managers answers about design progress that are rooted in facts data instead of opinions based upon hope best intentions. 14

Contact Information Stephen Blanchette, Jr. Senior Member of the Technical Staff Acquisition Support Program Telephone: +1 412-268-6275 Email: sblanche@sei.cmu.edu U.S. mail: Software Engineering Institute 4500 Fifth Avenue Pittsburgh, PA 15213-2612 USA World Wide Web: www.sei.cmu.edu Customer Relations Email: customerrelations@sei.cmu.edu Telephone: +1 412-268-5800 SEI Phone: +1 412-268-5800 SEI Fax: +1 412-268-6257 15

NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this presentation is not intended in any way to infringe on the rights of the trademark holder. This Presentation may be reproduced in its entirety, without modification, freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part in any manner, to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information