COVID-19 Update: We are currently shipping orders daily. However, due to transit disruptions in some geographies, deliveries may be delayed. To provide all customers with timely access to content, we are offering 50% off Science and Technology Print & eBook bundle options. Terms & conditions.
System Assurance - 1st Edition - ISBN: 9780123814142, 9780123814159

System Assurance

1st Edition

Beyond Detecting Vulnerabilities

Authors: Nikolai Mansourov Djenana Campara
Paperback ISBN: 9780123814142
eBook ISBN: 9780123814159
Imprint: Morgan Kaufmann
Published Date: 6th December 2010
Page Count: 368
Sales tax will be calculated at check-out Price includes VAT/GST
Price includes VAT/GST

Institutional Subscription

Secure Checkout

Personal information is secured with SSL technology.

Free Shipping

Free global shipping
No minimum order.

Table of Contents



Chapter 1: Why hackers know more about our systems

1.1 Operating in cyberspace involves risks

1.2 Why hackers are repeatedly successful

1.3 What are the challenges in defending cybersystems?

1.3.1 Difficulties in understanding and assessing risks

1.3.2 Complex supply chains

1.3.3 Complex system integrations

1.3.4 Limitations of system assessment practices

1.3.5 Limitations of white-box vulnerability detection

1.3.6 Limitations of black-box vulnerability detection

1.4 Where do we go from here?

1.4.1 Systematic and repeatable defense at affordable cost

1.4.2 The OMG software assurance ecosystem

1.4.3 Linguistic modeling to manage the common vocabulary

1.5 Who should read this book?

Chapter 2: Confidence as a product

2.1 Are you confident that there is no black cat in the dark room?

2.2 The nature of assurance

2.2.1 Engineering, risk, and assurance

2.2.2 Assurance case

2.3 Overview of the assurance process

2.3.1 Producing confidence

2.3.2 Economics of confidence

Chapter 3: How to build confidence

3.1 Assurance in the system life cycle

3.2 Activities of system assurance process

3.2.1 Project definition

3.2.2 Project preparation

3.2.3 Assurance argument development

3.2.4 Architecture security analysis

3.2.5 Evidence analysis

3.2.6 Assurance case delivery

Chapter 4: Knowledge of system as an element of cybersecurity argument

4.1 What is system?

4.2 Boundaries of the system

4.3 Resolution of the system description

4.4 Conceptual commitment for system descriptions

4.5 System architecture

4.6 Example of an architecture framework

4.7 Elements of system

4.8 System knowledge involves multiple viewpoints

4.9 Concept of operations (CONOP)

4.10 Network configuration

4.11 System life cycle and assurance

4.11.1 System life cycle stages

4.11.2 Enabling systems

4.11.3 Supply chain

4.11.4 System life cycle processes

4.11.5 The implications to the common vocabulary and the integrated system model

Chapter 5: Knowledge of risk as an element of cybersecurity argument

5.1 Introduction

5.2 Basic cybersecurity elements

5.2.1 Assets

5.2.2 Impact

5.2.3 Threats

5.2.4 Safeguards

5.2.5 Vulnerabillities

5.2.6 Risks

5.3 Common vocabulary for threat identification

5.3.1 Defining discernable vocabulary for Assets

5.3.2 Threats and hazards

5.3.3 Defining discernable vocabulary for injury and impact

5.3.4 Defining discernable vocabulary for threats

5.3.5 Threat scenarios and attacks

5.3.6 Defining discernable vocabulary for vulnerabilities

5.3.7 Defining discernable vocabulary for safeguards

5.3.8 Risk

5.4 Systematic threat identification

5.5 Assurance strategies

5.5.1 Injury argument

5.5.2 Entry point argument

5.5.3 Threat argument

5.5.4 Vulnerability argument

5.5.5 Security requirement argument

5.6 Assurance of the threat identification

Chapter 6: Knowledge of vulnerabilities as an element of cybersecurity argument

6.1 Vulnerability as a unit of knowledge

6.1.1 What is vulnerability?

6.1.2 The history of vulnerability as a unit of knowledge

6.1.3 Vulnerabilities and the phases of the system life cycle

6.1.4 Enumeration of vulnerabilities as a Knowledge product

6.2 Vulnerability databases

6.2.1 US-CERT

6.2.2 Open source vulnerability database

6.3 Vulnerability life cycle

6.4 NIST Security content automation protocol (SCAP) ecosystem

6.4.1 Overview of SCAP ecosystem

6.4.2 Information exchanges in SCAP ecosystem

Chapter 7: Vulnerability patterns as a new assurance content

7.1 Beyond current SCAP ecosystem

7.2 Vendor-neutral vulnerability patterns

7.3 Software fault patterns

7.3.1 Safeguard clusters and corresponding SFPs

7.3.2 Direct injury clusters and corresponding SFPs

7.4 Example software fault pattern

Chapter 8: OMG software assurance ecosystem

8.1 Introduction

8.2 OMG assurance ecosystem: toward collaborative cybersecurity

Chapter 9: Common fact model for assurance content

9.1 Assurance content

9.2 The objectives

9.3 Design criteria for information exchange protocols

9.4 Trade-offs

9.5 Information exchange protocols

9.6 The nuts and bolts of fact models

9.6.1 Objects

9.6.2 Noun concepts

9.6.3 Facts about existence of objects

9.6.4 Individual concepts

9.6.5 Relations between concepts

9.6.6 Verb concepts

9.6.7 Characteristics

9.6.8 Situational concepts

9.6.9 Viewpoints and views

9.6.10 Information exchanges and assurance

9.6.11 Fact-oriented integration

9.6.12 Automatic derivation of facts

9.7 The representation of facts

9.7.1 Representing facts in XML

9.7.2 Representing facts and schemes in Prolog

9.8 The common schema

9.9 System assurance facts

Chapter 10: Linguistic models

10.1 Fact models and linguistic models

10.2 Background

10.3 Overview of SBVR

10.4 How to use SBVR

10.4.1 Simple vocabulary

10.4.2 Vocabulary entries

10.4.3 Statements

10.4.4 Statements as formal definitions of new concepts

10.5 SBVR vocabulary for describing elementary meanings

10.6 SBVR vocabulary for describing representations

10.7 SBVR vocabulary for describing extensions

10.8 Reference schemes

10.9 SBVR semantic formulations

10.9.1 Defining new terms and facts types using SBVR

Chapter 11: Standard protocol for exchanging system facts

11.1 Background

11.2 Organization of the KDM vocabulary

11.2.1 Infrastructure layer

11.2.2 Program elements layer

11.2.3 Resource layer

11.2.4 Abstractions layer

11.3 The process of discovering system facts

11.4 Discovering the baseline system facts

11.4.1 Inventory views

11.4.2 Build views

11.4.3 Data views

11.4.4 UI views

11.4.5 Code views

11.4.6 Platform views

11.4.7 Event views

11.5 Performing architecture analysis

11.5.1 Structure views

11.5.2 Conceptual views

Chapter 12: Case study

12.1 Introduction

12.2 Background

12.3 Concepts of operations

12.3.1 Executive summary

12.3.2 Purpose

12.3.3 Locations

12.3.4 Operational authority

12.3.5 System architecture

12.4 Business vocabulary and security policy for Clicks2Bricks in SBVR

12.5 Building the integrated system model

12.5.1 Building the baseline system model

12.5.2 Enhancing the baseline model with the system architecture facts

12.6 Mapping cybersecurity facts to system facts

12.7 Assurance case



System Assurance teaches students how to use Object Management Group’s (OMG) expertise and unique standards to obtain accurate knowledge about existing software and compose objective metrics for system assurance.

OMG’s Assurance Ecosystem provides a common framework for discovering, integrating, analyzing, and distributing facts about existing enterprise software. Its foundation is the standard protocol for exchanging system facts, defined as the OMG Knowledge Discovery Metamodel (KDM). In addition, the Semantics of Business Vocabularies and Business Rules (SBVR) defines a standard protocol for exchanging security policy rules and assurance patterns. Using these standards together, students will learn how to leverage the knowledge of the cybersecurity community and bring automation to protect systems.

This book includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture, and code analysis guided by the assurance argument. A case study illustrates the steps of the System Assurance Methodology using automated tools.

This book is recommended for technologists from a broad range of software companies and related industries; security analysts, computer systems analysts, computer software engineers-systems software, computer software engineers- applications, computer and information systems managers, network systems and data communication analysts.

Key Features

  • Provides end-to-end methodology for systematic, repeatable, and affordable System Assurance.
  • Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture and code analysis guided by the assurance argument.
  • Case Study illustrating the steps of the System Assurance Methodology using automated tools.


Technologists from a broad range of software companies and related industries; Security Analysts; Computer Systems Analysts, Computer Software Engineers-Systems Software, Computer Software Engineers- Applications, Computer and Information Systems Managers, Network systems and Data Communication Analysts.


No. of pages:
© Morgan Kaufmann 2011
6th December 2010
Morgan Kaufmann
Paperback ISBN:
eBook ISBN:


"The Object Management Group (OMG) Software Assurance Ecosystem described in this book is a significant step towards collaborative cyber security automation; it offers a standards-based solution for building security and resilience in computer systems." -Joe Jarzombek, Director for Software Assurance, Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security

"System Assurance is a very complex and difficult subject. This book successfully demonstrates and describes in detail how to combine different existing tools together in order to systematically develop System Assurance documentation and justification in a practical manner for a specific domain. The book provides very useful practical guidance that can be used by technical and management practitioners for the specific domain described, and by example for others for different domains." -John P. Hopkinson, Security Strategist, Kwictech

Ratings and Reviews

About the Authors

Nikolai Mansourov

Nikolai Mansourov is recognized worldwide for his work in the areas of automatic code generation and using formal specifications in both forward and reverse engineering. Prior to joining KDM Analytics, Dr. Mansourov was the Chief Scientist and Chief Architect at Klocwork Inc, where he significantly helped build the company’s credibility. Dr. Mansourov also was a department head at the Institute for System Programming, Russian Academy of Sciences, where he was responsible for numerous groundbreaking research projects in advanced software development for industry leaders Nortel Networks and Telelogic. Dr. Mansourov has published over 50 research papers and is a frequent speaker as well as member of program committees at various international research forums. He is a founding member of the World-Wide Institute of Software Architects WWISA. His impact on the industry continues through his participation on several standards bodies, including the ITU-T and Object Management Group. Dr. Mansourov is one of the first OMG-certified UML Advanced Professionals and a member of the UML2 standardization team. Dr. Mansourov is the Editor of the OMG Knowledge Discovery Metamodel (KDM) specification and the Chair of the OMG Revision Task Force for KDM.

Affiliations and Expertise

Chief Technical Officer at KDM Analytics

Djenana Campara

Djenana Campara has 20+ years of experience and leadership in the software engineering field. Ms. Campara is a member of the Board of Directors of the Object Management Group (OMG). Djenana Campara chairs the OMG Architecture-Driven Modernization Task Force and Software Assurance Special Interests Group, and serves as a board member on the Canadian Consortium of Software Engineering Research (CSER). Previously, Djenana was CTO of Klocwork and chairwoman of Klocwork’s Board of Directors. Djenana founded the company in 2001 as a successful Nortel Networks spin off. She has served as Klocwork's chief executive officer, securing the company's first round of funding as well as closing its first customers.

She has been awarded four US patents for her groundbreaking static analysis techniques implemented in Klocwork’s products. She has published a number of papers on software transformations, has been quoted in publications, including The Economist and Secure Computing, and has participated in Fortune Magazine's "Brainstorm 2003," an international conference of the world's most creative leaders.

Affiliations and Expertise

President and CEO of KDM Analytics