
System Assurance
Beyond Detecting Vulnerabilities
Description
Key Features
- Provides end-to-end methodology for systematic, repeatable, and affordable System Assurance.
- Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture and code analysis guided by the assurance argument.
- Case Study illustrating the steps of the System Assurance Methodology using automated tools.
Readership
Technologists from a broad range of software companies and related industries; Security Analysts; Computer Systems Analysts; Computer Software Engineers (Systems Software); Computer Software Engineers (Applications); Computer and Information Systems Managers; Network Systems and Data Communication Analysts.
Table of Contents
Foreword
Preface
Chapter 1: Why hackers know more about our systems
1.1 Operating in cyberspace involves risks
1.2 Why hackers are repeatedly successful
1.3 What are the challenges in defending cybersystems?
1.3.1 Difficulties in understanding and assessing risks
1.3.2 Complex supply chains
1.3.3 Complex system integrations
1.3.4 Limitations of system assessment practices
1.3.5 Limitations of white-box vulnerability detection
1.3.6 Limitations of black-box vulnerability detection
1.4 Where do we go from here?
1.4.1 Systematic and repeatable defense at affordable cost
1.4.2 The OMG software assurance ecosystem
1.4.3 Linguistic modeling to manage the common vocabulary
1.5 Who should read this book?
Chapter 2: Confidence as a product
2.1 Are you confident that there is no black cat in the dark room?
2.2 The nature of assurance
2.2.1 Engineering, risk, and assurance
2.2.2 Assurance case
2.3 Overview of the assurance process
2.3.1 Producing confidence
2.3.2 Economics of confidence
Chapter 3: How to build confidence
3.1 Assurance in the system life cycle
3.2 Activities of system assurance process
3.2.1 Project definition
3.2.2 Project preparation
3.2.3 Assurance argument development
3.2.4 Architecture security analysis
3.2.5 Evidence analysis
3.2.6 Assurance case delivery
Chapter 4: Knowledge of system as an element of cybersecurity argument
4.1 What is system?
4.2 Boundaries of the system
4.3 Resolution of the system description
4.4 Conceptual commitment for system descriptions
4.5 System architecture
4.6 Example of an architecture framework
4.7 Elements of system
4.8 System knowledge involves multiple viewpoints
4.9 Concept of operations (CONOP)
4.10 Network configuration
4.11 System life cycle and assurance
4.11.1 System life cycle stages
4.11.2 Enabling systems
4.11.3 Supply chain
4.11.4 System life cycle processes
4.11.5 The implications to the common vocabulary and the integrated system model
Chapter 5: Knowledge of risk as an element of cybersecurity argument
5.1 Introduction
5.2 Basic cybersecurity elements
5.2.1 Assets
5.2.2 Impact
5.2.3 Threats
5.2.4 Safeguards
5.2.5 Vulnerabilities
5.2.6 Risks
5.3 Common vocabulary for threat identification
5.3.1 Defining discernable vocabulary for Assets
5.3.2 Threats and hazards
5.3.3 Defining discernable vocabulary for injury and impact
5.3.4 Defining discernable vocabulary for threats
5.3.5 Threat scenarios and attacks
5.3.6 Defining discernable vocabulary for vulnerabilities
5.3.7 Defining discernable vocabulary for safeguards
5.3.8 Risk
5.4 Systematic threat identification
5.5 Assurance strategies
5.5.1 Injury argument
5.5.2 Entry point argument
5.5.3 Threat argument
5.5.4 Vulnerability argument
5.5.5 Security requirement argument
5.6 Assurance of the threat identification
Chapter 6: Knowledge of vulnerabilities as an element of cybersecurity argument
6.1 Vulnerability as a unit of knowledge
6.1.1 What is vulnerability?
6.1.2 The history of vulnerability as a unit of knowledge
6.1.3 Vulnerabilities and the phases of the system life cycle
6.1.4 Enumeration of vulnerabilities as a Knowledge product
6.2 Vulnerability databases
6.2.1 US-CERT
6.2.2 Open source vulnerability database
6.3 Vulnerability life cycle
6.4 NIST Security content automation protocol (SCAP) ecosystem
6.4.1 Overview of SCAP ecosystem
6.4.2 Information exchanges in SCAP ecosystem
Chapter 7: Vulnerability patterns as a new assurance content
7.1 Beyond current SCAP ecosystem
7.2 Vendor-neutral vulnerability patterns
7.3 Software fault patterns
7.3.1 Safeguard clusters and corresponding SFPs
7.3.2 Direct injury clusters and corresponding SFPs
7.4 Example software fault pattern
Chapter 8: OMG software assurance ecosystem
8.1 Introduction
8.2 OMG assurance ecosystem: toward collaborative cybersecurity
Chapter 9: Common fact model for assurance content
9.1 Assurance content
9.2 The objectives
9.3 Design criteria for information exchange protocols
9.4 Trade-offs
9.5 Information exchange protocols
9.6 The nuts and bolts of fact models
9.6.1 Objects
9.6.2 Noun concepts
9.6.3 Facts about existence of objects
9.6.4 Individual concepts
9.6.5 Relations between concepts
9.6.6 Verb concepts
9.6.7 Characteristics
9.6.8 Situational concepts
9.6.9 Viewpoints and views
9.6.10 Information exchanges and assurance
9.6.11 Fact-oriented integration
9.6.12 Automatic derivation of facts
9.7 The representation of facts
9.7.1 Representing facts in XML
9.7.2 Representing facts and schemes in Prolog
9.8 The common schema
9.9 System assurance facts
Chapter 10: Linguistic models
10.1 Fact models and linguistic models
10.2 Background
10.3 Overview of SBVR
10.4 How to use SBVR
10.4.1 Simple vocabulary
10.4.2 Vocabulary entries
10.4.3 Statements
10.4.4 Statements as formal definitions of new concepts
10.5 SBVR vocabulary for describing elementary meanings
10.6 SBVR vocabulary for describing representations
10.7 SBVR vocabulary for describing extensions
10.8 Reference schemes
10.9 SBVR semantic formulations
10.9.1 Defining new terms and fact types using SBVR
Chapter 11: Standard protocol for exchanging system facts
11.1 Background
11.2 Organization of the KDM vocabulary
11.2.1 Infrastructure layer
11.2.2 Program elements layer
11.2.3 Resource layer
11.2.4 Abstractions layer
11.3 The process of discovering system facts
11.4 Discovering the baseline system facts
11.4.1 Inventory views
11.4.2 Build views
11.4.3 Data views
11.4.4 UI views
11.4.5 Code views
11.4.6 Platform views
11.4.7 Event views
11.5 Performing architecture analysis
11.5.1 Structure views
11.5.2 Conceptual views
Chapter 12: Case study
12.1 Introduction
12.2 Background
12.3 Concepts of operations
12.3.1 Executive summary
12.3.2 Purpose
12.3.3 Locations
12.3.4 Operational authority
12.3.5 System architecture
12.4 Business vocabulary and security policy for Clicks2Bricks in SBVR
12.5 Building the integrated system model
12.5.1 Building the baseline system model
12.5.2 Enhancing the baseline model with the system architecture facts
12.6 Mapping cybersecurity facts to system facts
12.7 Assurance case
Index
Product details
- No. of pages: 368
- Language: English
- Copyright: © Morgan Kaufmann 2010
- Published: December 6, 2010
- Imprint: Morgan Kaufmann
- eBook ISBN: 9780123814159
- Paperback ISBN: 9780123814142
About the Authors
Nikolai Mansourov
Djenana Campara
She has been awarded four US patents for her groundbreaking static analysis techniques implemented in Klocwork’s products. She has published a number of papers on software transformations, has been quoted in publications, including The Economist and Secure Computing, and has participated in Fortune Magazine's "Brainstorm 2003," an international conference of the world's most creative leaders.