Keynote (Day 1)

Security Management – Building confidence that the system is secure

Carol Woody, Ph.D.
Technical Lead, Survivability Analysis
Software Engineering Institute (SEI), Carnegie Mellon University

Dr. Carol C. Woody is the technical manager of the CERT Cyber Security Engineering team in the Software Engineering Institute at Carnegie Mellon University.  Her research focuses on building capabilities for measuring, managing, and sustaining cyber security for highly complex networked systems and systems of systems.  She has coauthored a book Cyber Security Engineering: A Practical Approach for Systems and Software Assurance published November 2016 as part of the SEI Series in Software Engineering.

Abstract: How can we establish reasonable confidence that the security for a system will meet its operational needs? The first challenge is to establish that the requirements define the appropriate security behavior and the design addresses these security concerns. The second challenge is to establish that the completed system, as built, fully satisfies the specifications. Measures to provide this assurance must, therefore, address requirements, design, construction, and test.  Software is a major part of every system, typically handling over 80% of the functionality and we know that software is never defect free.  Thus, software, on average, cannot always function perfectly as intended. Additionally, we cannot establish that software is completely free from vulnerabilities since our research indicates that 5% of defects should be categorized as vulnerabilities.  The SEI is researching how measurement can be applied to monitor and manage software security to frame an approach to support our confidence that a system is security. This presentation will share our progress to date.