Security risks: management and mitigation in the software life cycle

A formal approach to managing and mitigating security risks in the software life cycle is a prerequisite for developing software with a higher degree of assurance that it is free of security defects, defects which pose a risk to both the computing environment and the organization. Because of this criticality, security should be integrated into the software life cycle as a formal, repeatable process rather than as an afterthought. Both a software security checklist and assessment tools should be incorporated into this life cycle process and integrated with a security risk assessment and mitigation tool. Current research at JPL addresses these areas through the development of a Software Security Assessment Instrument (SSAI) and its integration with the Defect Detection and Prevention (DDP) risk management tool.
