Security Management – Building confidence that the system is secure
Carol Woody, Ph.D.
Technical Lead, Survivability Analysis
Software Engineering Institute (SEI), Carnegie Mellon University
Abstract: How can we establish reasonable confidence that the security for a system will meet its operational needs? The first challenge is to establish that the requirements define the appropriate security behavior and the design addresses these security concerns. The second challenge is to establish that the completed system, as built, fully satisfies the specifications. Measures to provide this assurance must, therefore, address requirements, design, construction, and test. Software is a major part of every system, typically handling over 80% of the functionality and we know that software is never defect free. Thus, software, on average, cannot always function perfectly as intended. Additionally, we cannot establish that software is completely free from vulnerabilities since our research indicates that 5% of defects should be categorized as vulnerabilities. The SEI is researching how measurement can be applied to monitor and manage software security to frame an approach to support our confidence that a system is security. This presentation will share our progress to date.