Software Special Interest Group  

Building a Software 

Assurance Roadmap and

Using It Effectively

by: Robert Martin

Tuesday April 22, 2014

presentation slides

With so many ways for software to be vulnerable, businesses needs a way to focus their assurance efforts on those potential vulnerabilities that are most dangerous to them and their software.  This talk will offer a new way to focus and organize your software vulnerability assessment and assurance efforts across the entire life-cycle of a project so that you target the most impactful weaknesses when they are most visible.

The approach described can be done consistently across your enterprise and will have you looking for specific weaknesses at the point where you can gain the most assurance that you have dealt with them successfully. Matched to the activities of your development effort, this approach will have your team looking for those security weaknesses (CWEs) that are most discernible/findable in each of the different stages of a software development effort.  For example, when you have a live exemplar system available you should look for the weaknesses in design, configuration, code, or architecture that are findable through dynamic analysis, pen testing, or red teaming of that living system. Similarly, in the coding phase you want the emphasis to be looking for weaknesses that are findable by static analysis tools.

The follow-on step to this approach is to use what you found and what you did to create �An Assurance Diary", basically an assurance "map" for the code of that project.  This talk will conclude with a discussion of what such a map could look like, what it could capture, how the information could be obtained, whom would/could create them, and how they could be represented for customers and partners to use.

Robert Martin, a CSSLP and Senior Principal Engineer at MITRE, spends the majority of his time working with industry on the CWE, CVE, MAEC, CAPEC and STIX security standardization initiatives. For the past 22 years, Robert's efforts focused on the interplay of risk management and cyber security.  Robert is a frequent international speaker on the various security and quality issues surrounding information technology systems, has published numerous papers on these topics, authored over a dozen ITU-T X-series Recommendations, and chairs the OMG Structured Assurance Cases Metamodel Task Force. Robert joined MITRE in 1981 with a BS and MS in EE from RPI, later he earned an MBA from Babson College. He is a member of the ISC2, ACM, AFCEA, OMG, The OpenGroup, IEEE, and the IEEE Computer Society.

Details and driving directions in: April 2014 Software SIG Announcement

Registration Website: https://asq509.org/ht/d/DoSurvey/i/26913

You must register by noon on Monday, April 21. If you cannot attend at any location, select telephone dial-in when you register. FDA (Silver Spring) cannot host non-citizen visitors. If not a US citizen, please provide your title, employer, and address. Allow 2 business days for registration before the meeting.