Foreword Preface Chapter 1: Why hackers know more about our systems 1.1 Operating in cyberspace involves risks 1.2 Why hackers are repeatedly successful 1.3 What are the challenges in defending cybersystems? 1.3.1 Difficulties in understanding and assessing risks 1.3.2 Complex supply chains 1.3.3 Complex system integrations 1.3.4 Limitations of system assessment practices 1.3.5 Limitations of white-box vulnerability detection 1.3.6 Limitations of black-box vulnerability detection 1.4 Where do we go from here? 1.4.1 Systematic and repeatable defense at affordable cost 1.4.2 The OMG software assurance ecosystem 1.4.3 Linguistic modeling to manage the common vocabulary 1.5 Who should read this book? Chapter 2: Confidence as a product 2.1 Are you confident that there is no black cat in the dark room? 2.2 The nature of assurance 2.2.1 Engineering, risk, and assurance 2.2.2 Assurance case 2.3 Overview of the assurance process 2.3.1 Producing confidence 2.3.2 Economics of confidence Chapter 3: How to build confidence 3.1 Assurance in the system life cycle 3.2 Activities of system assurance process 3.2.1 Project definition 3.2.2 Project preparation 3.2.3 Assurance argument development 3.2.4 Architecture security analysis 3.2.5 Evidence analysis 3.2.6 Assurance case delivery Chapter 4: Knowledge of system as an element of cybersecurity argument 4.1 What is system? 4.2 Boundaries of the system 4.3 Resolution of the system description 4.4 Conceptual commitment for system descriptions 4.5 System architecture 4.6 Example of an architecture framework 4.7 Elements of system 4.8 System knowledge involves multiple viewpoints 4.9 Concept of operations (CONOP)
System Assurance Beyond Detecting Vulnerabilities provides a comprehensive view of systematic, repeatable, and affordable cyberdefense that goes beyond knowledge of vulnerabilities and includes knowledge of the system, knowledge of risks and threats, knowledge of security safeguards, as well as knowledge of the assurance argument, together with the corresponding evidence answering the question why a system is secure. The book is organized into four parts. The first part provides an introduction to cybersecurity knowledge; the need for information exchanges for systematic, repeatable, and affordable cyberdefense; and the motivation for the Object Management Group (OMG) Software Assurance Ecosystem. It discusses the nature of system assurance and its difference for vulnerability detection, and introduces the OMG standard on Software Assurance Cases. It describes an end-to-end methodology for system assurance in the context of the OMG Software Assurance Ecosystem that brings together risk analysis, architecture analysis, and code analysis in an integrated process that is guided and planned by the assurance argument. The second part describes various aspects of cybersecurity knowledge required for building cybersecurity arguments. This knowledge includes system knowledge, knowledge related to security threats and risks, and vulnerability knowledge. The third part provides an overview of the protocols of the OMG Software Assurance Ecosystem. It covers the Common Fact Model approach; linguistic models and the OMG Semantics of Business Vocabularies and Rules (SBVR) standard; and the OMG Knowledge Discovery Metamodel (KDM). The fourth part presents a case study to illustrate some of the activities of a system assurance evaluation.
- Provides end-to-end methodology for systematic, repeatable, and affordable System Assurance.
- Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture and code analysis guided by the assurance argument.
- Case Study illustrating the steps of the System Assurance Methodology using automated tools.
Technologists from a broad range of software companies and related industries; Security Analysts; Computer Systems Analysts, Computer Software Engineers-Systems Software, Computer Software Engineers- Applications, Computer and Information Systems Managers, Network systems and Data Communication Analysts.
- No. of pages:
- © Morgan Kaufmann 2011
- 6th December 2010
- Morgan Kaufmann
- eBook ISBN:
- Paperback ISBN:
"The Object Management Group (OMG) Software Assurance Ecosystem described in this book is a significant step towards collaborative cyber security automation; it offers a standards-based solution for building security and resilience in computer systems." -Joe Jarzombek, Director for Software Assurance, Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security
"System Assurance is a very complex and difficult subject. This book successfully demonstrates and describes in detail how to combine different existing tools together in order to systematically develop System Assurance documentation and justification in a practical manner for a specific domain. The book provides very useful practical guidance that can be used by technical and management practitioners for the specific domain described, and by example for others for different domains." -John P. Hopkinson, Security Strategist, Kwictech
Nikolai Mansourov is recognized worldwide for his work in the areas of automatic code generation and using formal specifications in both forward and reverse engineering. Prior to joining KDM Analytics, Dr. Mansourov was the Chief Scientist and Chief Architect at Klocwork Inc, where he significantly helped build the company’s credibility. Dr. Mansourov also was a department head at the Institute for System Programming, Russian Academy of Sciences, where he was responsible for numerous groundbreaking research projects in advanced software development for industry leaders Nortel Networks and Telelogic. Dr. Mansourov has published over 50 research papers and is a frequent speaker as well as member of program committees at various international research forums. He is a founding member of the World-Wide Institute of Software Architects WWISA. His impact on the industry continues through his participation on several standards bodies, including the ITU-T and Object Management Group. Dr. Mansourov is one of the first OMG-certified UML Advanced Professionals and a member of the UML2 standardization team. Dr. Mansourov is the Editor of the OMG Knowledge Discovery Metamodel (KDM) specification and the Chair of the OMG Revision Task Force for KDM.
Chief Technical Officer at KDM Analytics
Djenana Campara has 20+ years of experience and leadership in the software engineering field. Ms. Campara is a member of the Board of Directors of the Object Management Group (OMG). Djenana Campara chairs the OMG Architecture-Driven Modernization Task Force and Software Assurance Special Interests Group, and serves as a board member on the Canadian Consortium of Software Engineering Research (CSER). Previously, Djenana was CTO of Klocwork and chairwoman of Klocwork’s Board of Directors. Djenana founded the company in 2001 as a successful Nortel Networks spin off. She has served as Klocwork's chief executive officer, securing the company's first round of funding as well as closing its first customers. She has been awarded four US patents for her groundbreaking static analysis techniques implemented in Klocwork’s products. She has published a number of papers on software transformations, has been quoted in publications, including The Economist and Secure Computing, and has participated in Fortune Magazine's "Brainstorm 2003," an international conference of the world's most creative leaders.
President and CEO of KDM Analytics