
Software Assurance (SwA) in Education, Training & Certification - PowerPoint PPT Presentation



  1. Software Assurance (SwA) in Education, Training & Certification Pocket Guide v2.1. Robin A. Gandhi, Nebraska University Center on Information Assurance (NUCIA), University of Nebraska at Omaha

  2. What is a Pocketguide? • Self-contained • Concise • Enumeration of resources • Theme • Living document • Reprints and redistribution possible • Fits in the coat pocket

  3. SwA ETC Pocketguide Theme • Educating the Educator/Trainer on available SwA resources • Purpose: – An awareness resource for “getting started” in educating, training and sustaining a workforce capable of producing secure software – An “index” into a vast amount of resources, tools, curricula, and certification and training opportunities for software assurance

  4. Purple, v 2.1, March 2011

  5. Software Assurance? • The basis for the belief that software will work as expected – Claims, arguments and evidence that span the software lifecycle from cradle to grave – People, Process and Technology that enable us to promote assurance in software that is mission and business critical


  7. SwA Knowledge Areas and Efforts [diagram: “Key Software Assurance Knowledge Areas and Efforts”; panel titles and items recovered from the slide]
  • Workforce Education and Training: Curriculum Guides; Knowledge necessary to Develop, Sustain, Acquire and Assure Secure Software (SwABoK); Guidebooks (NASA, DACS); Reference Curriculum (MSwA2010, Undergrad outline); Security Principles and Guidelines; Security-Enhanced Development Lifecycle; Workforce Development and Improvement; Competency and Functional Framework for IT Security Workforce (EBK); Workforce Credentials
  • Technology, Tool and Product Evaluation: Making Security Measurable (CWE, CWSS, CVE, CCE, CPE, OVAL, CVSS); State of the Art Reports (SOAR); Measuring Functionality and Capability of SwA Tools (SAMATE): Functional Specifications, Test suites, Tool Metrics; Metamodels for Software Assets and Operational Environments: Abstract Syntax Tree Metamodel (ASTM), Knowledge Discovery Metamodel (KDM), Software Metrics Metamodel (SMM)
  • Processes and Practices: Enhancement of Logical and In-depth organization of Principles and Guidelines; Integrating Security into the Software Development Lifecycle: Requirements and Analysis, Architecture and Design Considerations, Risk-Based Security Testing; Capability Maturity Model Integration: Harmonizing and Extending existing Security Capability Maturity Models, Mapping Assurance Goals and Practices to CMMI for Development; Building Security In Maturity Model (BSIMM); Software Assurance Maturity Model (SAMM)
  • Acquisition and Outsourcing: Software Acquisition and Outsourcing Reference Guide: SwA in Acquisition and Practices to Enhance SwA in Purchasing; Due diligence Questionnaires; Sample Contract Provisions and Language; Application Security Procurement Language; Supply chain Risk Management; Risk-based approach to Software Acquisition Maturity Model
  • Measurement: Practical Measurement Framework for Software Assurance and Information Security; Measurement Process Improvement; Measurement Goals and Questions Lists; Case Studies and Examples
  • Business Case: Making a Business Case for SwA; Measurement Frameworks; Cost/Benefit Models; Risk Prioritization; Acquisition; Globalization; Organizational Development
  • Malware: Malware Dictionaries; Malware Attribute Enumeration and Characterization (MAEC); Novel Approaches to Malware
  • Key Practices for Mitigating Software Weaknesses: Secure Coding Standards (CERT)

  8. SwA Knowledge Areas and Efforts [same diagram as slide 7: Workforce Education and Training; Technology, Tool and Product Evaluation; Processes and Practices; Acquisition and Outsourcing]

  9. The Various WGs and Deliverables [same diagram as slide 7, with the full set of panels: Workforce Education and Training; Technology, Tool and Product Evaluation; Processes and Practices; Acquisition and Outsourcing; Measurement; Business Case; Malware; Key Practices for Mitigating Software Weaknesses]


  19. Job Roles • What kind of jobs can I get? – Jobs and career planning • http://www.sans.org/20coolestcareers


  22. Got Content? • The pocket guide is a “work in progress” • Plenty of opportunity to contribute content • Join the Effort! – Your comments, suggestions, criticism/praise are all very welcome

  23. Where to find the PocketGuide? • https://buildsecurityin.us-cert.gov/swa/pocket_guide_series.html • And many others…


  27. Find me • Robin A. Gandhi, Ph.D., Assistant Professor of Information Assurance, University of Nebraska at Omaha • rgandhi@unomaha.edu • Voice: (402) 554-3363, Fax: (402) 554-3284 • http://faculty.ist.unomaha.edu/rgandhi

  28. Acknowledgement • Joe Jarzombek for giving me the opportunity to lead this effort • Members of the SwA WG on Education and Training for insightful comments, reviews and content (Dan, Carol, Nancy, Art) • Susan Morris, Walter Houser, Dominick Chiriyan • And many others…

  29. Bonus Slides

  30. Why Johnny Can’t Write Secure Code? • Johnny, avoid these weaknesses…. Period! – Common Weakness Enumeration (CWE) • Johnny… learn from your mistakes – Common Vulnerabilities and Exposures (CVE) • Johnny… these are the ways of the bad guys – Common Attack Pattern Enumeration and Classification (CAPEC) • Johnny… these are ways to develop secure code – CERT secure coding guidelines

  31. Poor Johnny!

  32. Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories. Harvey Siy, Yan Wu, Me

  33. The Paradox we face! [diagram labels: Source Code; Differences after the fix; Bug tracking databases; Log of Changes; Mailing list Discussions; Weakness Enumerations; Vulnerability Databases; Public Descriptions]
