Building Assured Systems Framework

Abstract: Researchers at the CERT® Program, part of Carnegie Mellon University's Software Engineering Institute, need a framework to organize research and practice areas focused on building assured systems. The Building Assured Systems Framework (BASF) addresses the challenge, faced by both customers and researchers, of selecting security methods and research approaches for building assured systems. After reviewing existing life-cycle process models, security models, and security research frameworks, the authors adopted the knowledge areas of the Master of Software Assurance Reference Curriculum as the BASF. The authors mapped all major CERT research areas to the BASF, demonstrating that the BASF is a workable structure for organizing research on building assured systems. The authors also performed a gap analysis to identify promising CERT research areas. The BASF is a useful structure for planning and communicating about CERT research, and it will also help CERT sponsors track current research and development efforts in building assured systems.
