Course Tech 2013, Dan Shoemaker & Ken Sigler, Engineering a More Secure Software Organization

Security of information and communications technology (ICT) organizations is a critical topic due to our society’s
reliance on digital information. The problem is that it is hard to reliably manage something we can’t see. This session
will present a unified approach to secure ICT management. Attendees will better understand the importance and
function of a standard framework of organizational practices in building a secure management process for ICT work.
Participants will be shown specific case studies to illustrate how this tailoring is done in the practical universe.


  1. Engineering a More Secure Software Organization: Defects are not an Option
  2. Defects are Not an Option Today
     • Over the past 15 years we have become globally connected through layers of systems, made up of trillions of lines of code.
     • Those layers underlie every aspect of our way of life, from our personal entertainment to national defense.
     • The inconvenient truth is that a security breakdown in any one of these layers could potentially lead to personal tragedy, or even unthinkable disaster.
  3. Defects are Not an Option
     • Nevertheless, in 2005 the President’s Information Technology Advisory Council (PITAC) found that “Commonly used ICT development and sustainment practices still permit dangerous defects that allow attackers to compromise millions of computers every year.”
     • Worse, PITAC estimated that “in the future, the Nation may face even more challenging problems as adversaries - both foreign and domestic - become increasingly sophisticated in their ability to insert malicious code into critical software”.
     • We have seen that prediction come true in the succeeding eight years.
  4. Defects are Not an Option
     • This discussion contains recommendations that will guide technology professionals in the creation of a comprehensive lifecycle management model.
     • That model will incorporate well-defined management approaches into a standardized process to prevent the common defects in technology products.
  5. Good Products from Good Processes
     • It is axiomatic that a product will only be as good as the process that built it.
     • Thus, any discussion about defects hinges on ensuring the capabilities of each product’s development and maintenance process throughout the lifecycle.
  6. Good Products from Good Processes
     • The direct benefit from effective processes will be that production will be more cost efficient and overall product quality will be higher.
     • At the same time, leveraging the capability of the development, sustainment and acquisition processes will ensure fewer mistakes and less costly rework.
  7. Good Products from Good Processes
     • Our premise is that the organization that follows a disciplined set of best practices is able to duplicate its successes as well as learn from its failures.
     • That is because disciplined execution makes the outcomes of the process more reliably repeatable and therefore comparable across projects.
  8. Good Products from Good Processes
     • Systematization of lifecycle practices based on repeatable, organization-wide processes imposes discipline and control over the software lifecycle.
     • However, in order to ensure that those systematic practices are correct, it is important to base their definition on recommendations of commonly accepted industry standards.
  9. Standards and Best Practice
     • Formal Standards embody the model for the “common body of knowledge” and accepted state of industry best practice.
     • A common body of industry best practice will also enable all stakeholders to know what is expected of them.
  10. Standards and Best Practice
     • Standards are important because they are the industry’s accepted means of documenting best practice.
     • Standards encapsulate and then communicate a logical concept and resulting approach to a particular aspect of “real world” work.
     • Standards for a defined area of work are created and sponsored by recognized standards bodies.
  11. ISO 12207 and Lifecycle Management
     • The ISO 12207-2008 Standard provides a generic model that defines the ideal structure of the software process as a whole.
     • In that sense it can serve as a stable basis for defining a lifecycle management framework that is applicable to any form of software operation.
     • It also provides managers with the point of reference necessary to ensure that all regulatory and contractual requirements are met.
  12. ISO 12207 and Lifecycle Management
     • 12207 provides a globally acknowledged basis to define and interrelate all of the large components of software activity.
     • ISO 12207 covers the life cycle of software from conceptualization through retirement and consists of processes for:
        – acquiring and supplying software products and services
        – establishing, enabling and supporting development
        – sustaining products and fostering reuse.
  13. ISO 12207 and Lifecycle Management
     • The processes, activities and tasks itemized in the Standard are grouped into categories:
        – Agreement Processes
        – Organizational Project Enabling Processes
        – Project Processes
        – Technical Processes
        – Software Specific Processes
        – Software Support Processes
        – Software Reuse Processes
  14. ISO 12207 and Lifecycle Management
     • An optimum approach can be engineered top-down for each individual product lifecycle using the 12207 framework.
     • That is, an explicit process model can always be constructed for any given product lifecycle, at any level of definition, by tailoring the reference framework.
     • The framework provides the consistent elements and structural relationships to allow for designing and implementing a detailed, real-world management approach at any desired level of application.
  15. ISO 12207 and Lifecycle Management
     • Each category specifies from three to eleven lifecycle processes. Those processes are then further divided into a set of activities, and each activity is subdivided into tasks.
     • The outcome of the tailoring process is a particular set of activities that become the instantiation of the ideal process recommendations of the standard.
     • Because those elements are defined in concrete terms, they are particularly useful for coordinating complex activities.
  16. Summary
     • Managing a complex technical organization is a difficult task.
     • That is because the technical process is complex and involves work on abstract entities such as software.
     • Therefore it is difficult to oversee and control.
     • The consistent application of a standard set of best practices to enforce visibility and control within the lifecycle lets managers substantively manage technology operations.
  17. Summary
     • The ISO 12207-2008 itemizes those best practices within a comprehensive lifecycle framework.
     • Therefore a thorough understanding of the recommendations of that framework will allow managers to design and deploy well-defined and repeatable process architecture tailored to their organization.
     • That architecture will help minimize defects and thereby ensure a more safe and secure lifecycle for the products and services within their technology organization.
  18. Thank you for Your Attention