1 SAS ‘04 Reducing Software Security Risk through an Integrated Approach David P. Gilliam and John D. Powell.

Presentation transcript:

1 SAS ‘04 Reducing Software Security Risk through an Integrated Approach David P. Gilliam and John D. Powell

2 Acknowledgement
- NOTE: This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration.
- The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program, led by the NASA Software IV&V Facility.
- This activity is managed locally at JPL through the Assurance and Technology Program Office.

3 Current Collaborators
- David Gilliam – Principal Investigator, JPL
- John Powell – JPL Software Engineer
- Matt Bishop – Associate Professor of Computer Science, University of California at Davis
- Eric Haugh – UC Davis Researcher

4 Goal
- Reduce security risk to the computing environment by mitigating vulnerabilities in the software development and maintenance life cycles
- Provide an instrument and tools to help avoid vulnerabilities and exposures in software
- Aid in complying with security requirements and best practices

5 Problem
- Lack of Experts: Brooks – “No Silver Bullet” is still valid (IEEE Software Engineering, 1987)
- Poor Security Requirements
- Poor System Engineering: leads to poor design, coding, and testing
- Cycle of Penetrate and Patch
- Piecemeal Approach to Security Assurance

6 Reducing Software Security Risk Through an Integrated Approach
Software Vulnerabilities Expose IT Systems and Infrastructure to Security Risks
Goal: Reduce Security Risk in Software and Protect IT Systems, Data, and Infrastructure
- Security Training for System Engineers and Developers
- Software Security Checklist for end-to-end life cycle
- Software Security Assessment Instrument (SSAI)
Security Instrument Includes:
- Model-Based Verification
- Property-Based Testing
- Security Checklist
- Vulnerability Matrix
- Collection of security tools

7 Womb-to-Tomb Process
- Coincides with Organizational Policies and Requirements
- Software Lifecycle Integration
- Software Security Checklist
  - Phase 1: Provide instrument to integrate security as a formal approach to the software life cycle (Requirements Driven)
  - Phase 2: External Release of Software (Release Process)
- Vulnerability Matrix – NASA Top 20
- Security Assurance Instruments
  - Early Development – Model Checking / FMF
  - Implementation – Property Based Testing
- Security Assessment Tools (SATs)
  - Description of available SATs
  - Pros and Cons of each and related tools with web sites
- Notification to Users and Functional Areas when Software or Systems are De-Commissioned

8 Current Work
- Model-Based Verification of SSL Protocol
  - Report Submitted to IV&V Center
- Integration of Security into Software Quality Improvement (SQI) at JPL
  - Inclusion of Security in Life Cycle Process
  - Security Risk Assessment – Potential Use of Defect Detection and Prevention Tool
- Formal Verification of Patchlink Patch Management Software Agent
  - Used in All NASA Centers

9 Note on Future Work
- Training Course for SSC and Use of Security Assessment Tools
- Experts and Expert Center Available to Assist with the Instrument and Tools
- Integrate with Deep Space Mission Systems (DSMS)
  - Verifying SSL and use in DSMS
  - Potential to Verify Space Link Extension (SLE) Protocol
  - Potential to Verify Space Communication Protocol Standard (SCPS) implementations
- Developing an Approach to Project Life Cycle Security Risk Assessment at JPL

10 FOR MORE INFO...
David Gilliam, JPL, 400 Oak Grove Dr., MS , Pasadena, CA
Phone: (818) FAX: (818)
John Powell, MS
Phone: (818)
Website: