INFORMATION SYSTEMS SECURITY ENGINEERING: A CRITICAL COMPONENT OF THE SYSTEMS ENGINEERING LIFECYCLE Kevin Behr SE 516 – Technical Article Presentation.

Slides:

Advertisements

Similar presentations

Trusted Computing in Government Networks May 16, 2007 Richard C. (Dick) Schaeffer, Jr. Information Assurance Director National Security Agency.

Advertisements

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

SL21 Information Security Board Mission, Goals and Guiding Principles.

Dr. Bhavani Thuraisingham The University of Texas at Dallas August 6, 2007 Software Engineering Systems Engineering Security Engineering.

Trusted Hardware: Can it be Trustworthy? Design Automation Conference 5 June 2007 Karl Levitt National Science Foundation Cynthia E. Irvine Naval Postgraduate.

Chapter 6 SYSTEMS DEVELOPMENT Phases, Tools, and Techniques

Security Controls – What Works

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

Soft. Eng. IDr Driss Kettani1 CSC-3324: Chapter I Introduction and definition Reading: I. Sommerville, Edition 7, Chap. 1.

© Prentice Hall CHAPTER 9 Application Development by Information Systems Professionals.

SYSTEMS DEVELOPMENT Phases, Tools, and Techniques

SDLC. Information Systems Development Terms SDLC - the development method used by most organizations today for large, complex systems Systems Analysts.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

A Robust Health Data Infrastructure P. Jon White, MD Director, Health IT Agency for Healthcare Research and Quality

Deploying a Certification Authority for Networks Security Prof. Dr. VICTOR-VALERIU PATRICIU Cdor.Prof. Dr. AUREL SERB Computer Engineering Department Military.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

SEC835 Database and Web application security Information Security Architecture.

Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.

Introduction to Software Quality Assurance (SQA)

BA 378: Accounting Information Systems Instructor: Dr. James R. Coakley.

Theo Tryfonas Centre in Systems, Faculty of Engineering Embedding Competitor Intelligence Capability in the Software Development Lifecycle Security and.

Information Assurance Opportunities and Requirements Doug Jimenez, IA Division Director Mary Mayonado, CISSP, IA Program Manager Marla Shipley, CND/aXiom.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

(ISC)2 SecureLondon 2009, London, United Kingdom This information is not intended, and should not be construed, as an offer to sell, or as a solicitation.

Software engineering. What is software engineering? Software engineering is an engineering discipline which is concerned with all aspects of software.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

CSCE 727 Information Warfare

Version 02U-1 Computer Security: Art and Science1 Penetration Testing by Brad Arkin Scott Stender and Gary McGraw.

ESA/ESTEC, TEC-QQS August 8, 2005 SAS_05_ESA SW PA R&D_Winzer,Prades Slide 1 Software Product Assurance (PA) R&D Road mapping Activities ESA/ESTEC TEC-QQS.

Industry SDLCs and Business Climate. Justin Kalicharan Credentials Director and Senior Technology Officer Over 14 years of coding experience in various.

Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.

Accident Investigation Board (AIB) for the Test Site 9920 Event 1 SAND P.

Object-Oriented Software Engineering Practical Software Development using UML and Java Chapter 1: Software and Software Engineering.

Introduction to Systems Analysis and Design

Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:

An Introduction to Software Engineering. Communication Systems.

1 ISA&D29-Oct ISA&D29-Oct-13 Systems Analyst: problem solver IT and Strategic Planning.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1 University of Palestine Information Security Principles ITGD 2202 Ms. Eman Alajrami 2 nd Semester

Security Engineering Assurance & Control Objectives Priyanka Vanjani ASU Id #

LECTURE 20 26/11/15. Summary - Testing ◦ Testing affects all stages of software engineering cycle ◦ One strategy is a bottom-up approach – class, integration,

Game Programmer By: Lindsey Holcomb. What they do Game programmers work at the heart of the game development process. They design and write the computer.

LOGO TESTING Team 8: 1.Nguyễn Hoàng Khánh 2.Dương Quốc Việt 3.Trang Thế Vinh.

Chapter 1: Introduction Omar Meqdadi SE 3860 Lecture 1 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

High Assurance Products in IT Security Rayford B. Vaughn, Mississippi State University Presented by: Nithin Premachandran.

CNCI-SCRM STANDARDIZATION Discussion Globalization Task Force OASD-NII / DoD CIO Unclassified / FOUO.

Industrial safety 0. Highlights Communication Management Evaluation Investigation Practice/implementation Development 1.

By Ramesh Mannava.  Overview  Introduction  10 secure software engineering topics  Agile development with security development activities  Conclusion.

The NIST Special Publications for Security Management By: Waylon Coulter.

CS223: Software Engineering Lecture 32: Software Maintenance.

INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.

Software Engineering Process - II 7.1 Unit 7: Quality Management Software Engineering Process - II.

Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.

Security Architecture and Design Chapter 4 Part 4 Pages 377 to 416.

CS457 Introduction to Information Security Systems

Reliable Software Services Inc.

CS4311 Spring 2011 Process Improvement Dr

SEVERITY & PRIORITY RELATIONSHIP

UNIT I INTRODUCTION Growing IT Security Importance and New Career Opportunities – Becoming an Information Security Specialist – Conceptualizing.

Introduction What's my experience? Why am I talking to you?

Trends in my profession, Information Technology

MANAGING APPLICATION SECURITY

Information Security Board

Introduction What's my experience? Why am I talking to you?

NSA Security-Enhanced Linux (SELinux)

Albeado - Enabling Smart Energy

PROJECT MANAGEMENT MATURITY MODEL (PMMM)

OU BATTLECARD: WebLogic Server 12c

Presentation transcript:

INFORMATION SYSTEMS SECURITY ENGINEERING: A CRITICAL COMPONENT OF THE SYSTEMS ENGINEERING LIFECYCLE Kevin Behr SE 516 – Technical Article Presentation James F. Davis, "Information systems security engineering: a critical component of the systems engineering lifecycle," ACM SIGAda Ada Letters, December, 2004,

Introduction  Presented before Congress (Sept. 2003):  “…there is a growing problem with the security of our cyberinfrastructure…” Federal Government  Commercial Off-the Shelf Software (COTS)  My Experience  Why? No focus on Information Assurance in the Systems Development Life Cycle (SDLC)

Information Assurance  What is Information Assurance (IA)?  The protection of information and information systems by ensuring: Confidentiality Integrity Authentication Availability Non-Repudiation  Where is IA handled in the SDLC today?

NSA sponsored framework (2002)

IA (cont’d)  Due to high upfront costs and lack of end user awareness, IA is implemented post hoc  Most users choose features, convenience, and performance over security  Rising demand for IA awareness requires a new approach

Information Systems Security Engineering (ISSE)  What is ISSE?  “the systematic approach to building IA techniques and tools within a software systems engineering process.”  NSA: “the art and science of discovering users’ information protection needs and then designing and making information systems, with economy and elegance, so they can safely resist the forces to which they me be subjected.”  Objective of ISSE  Addressing IA from the beginning of the SDLC…  Approaching IA proactively to prevent need for security fixes

SDLC with ISSE

ISSE (cont’d) ISSE AdvantagesISSE Disadvantages Avert system vulnerabilities & failuresHigh upfront costs Save $ in the long-runLack of end user awareness

ISSE realization within…  Federal Government  “is making progress and is moving to a system-wide acceptance of ISSE”  International Information Systems Security Certification Consortium (ISC)  Information Systems Security Engineering Professional (ISSEP)  Industries  Demand for Security Engineers and ISSE principles is growing (in support of federal and commercial missions)  Increasing residential bandwidth and globalization  Academia  Response has been broadened by federal ventures  Design for Securability

Recommendations  In order to incorporate IA in today’s system’s, ISSE is needed  Build security engineers from the ground up  Academia  End User realization  Incorporation of ISSE principles  Certification Processes

Conclusion  There exists a fundamental need for ISSE  What is ISSE  Use of ISSE Today Federal, Corporate, Academic  Critical component of SDLC  Without ISSE, post hoc security  System vulnerabilities  Long run failures and costs  Growing Academic and Industrial awareness

Our Role (as SE students)?  Think about the security needs for our Graduate Thesis System – are there any?  How do we find out?  What can we do to ensure IA? Interface Restrictions Encryption Code Minimalization Etc.