developing construction workers for securely built
play

Developing Construction Workers for Securely Built Software James - PowerPoint PPT Presentation

Dec 13, 2022 •241 likes •566 views

Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP, ISSEP, ISSMP, CISA, PMP, SSE-CMM Team Chief, IRS Penetration Testing and Code Analysis Tuesday, March 18, 2014,11:05 -11:40 Three Types of Security

  1. Developing Construction Workers for Securely Built Software James R Lindley CISSP, ISSAP, ISSEP, ISSMP, CISA, PMP, SSE-CMM Team Chief, IRS Penetration Testing and Code Analysis Tuesday, March 18, 2014,11:05 -11:40

  2. Three Types of Security Personnel 1. Those who advise on security 2. Those who audit security 3. Those who create security Types 1 and 2 are usually in cybersecurity. Type 3 is in application development and operations. • Most academic education and training efforts involving whole curricula are focused on types 1 and 2. • Academic security education and training is usually grafted into non-security curricula for type 3 via non-integrated classes. We’re going to look at a suggested better way to train type 3. 3/27/2014 2014 FISSEA Conference 2

  3. What is IRS PTCA • Largest group of federal civilian code analysts and penetration testers outside DHS • Conducts automated static source code analyses of source code placed on IRS systems • Coordinates with penetration testers for dynamic White Box code penetration testing • Penetration tests of all major IRS applications and other code sets as directed 3/27/2014 2014 FISSEA Conference 3

  4. An Emergent Quality • If software security is an emergent quality , from what does that quality emerge? • Security quality will not emerge unless software project managers recognize and demand the skills and tools relevant to that quality. 3/27/2014 2014 FISSEA Conference 4

  5. Metaphors Affect Understanding • Software development as a construction project • Architectural perspective vs. blueprints • Discipline specialization 3/27/2014 2014 FISSEA Conference 5

  6. Methods • Grouping Stakeholders • Separating Requirements from Specifications • Data Design Documentation • Functional Design by Atomic Function • Supporting the Project Manager – Earned Value Management – Quality Assurance 3/27/2014 2014 FISSEA Conference 6

  7. Models - Sequential vs. Iterative (Looped) Sequential Boehm and Agile Feasibility Analysis (Requirements) Design Construction & Testing Installation Operations & Maintenance 3/27/2014 2014 FISSEA Conference 7

  8. Agile manifesto • We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value: – Individuals and interactions over processes and tools – Working software over comprehensive documentation – Customer collaboration over contract negotiation – Responding to change over following a plan • That is, while there is value in the items on the right, we value the items on the left more. 3/27/2014 2014 FISSEA Conference 8

  9. Comparison of Models Suitability of different development methods Agile home ground Plan-driven home ground Formal methods Low criticality High criticality Extreme criticality Senior developers Junior developers Senior developers Limited Requirements Requirements do not requirements, change often change often limited features see Wirth's law Small number of Large number of developers Requirements that developers can be modeled 3/27/2014 2014 FISSEA Conference 9

  10. Where We Are • Strict Straight Waterfall Model • An Implementation Phase Desert • Waivers and Deviations • Little Training In Security Quality 3/27/2014 2014 FISSEA Conference 10

  11. Fish And Ladders • Have to work within the Straight Waterfall Enterprise Life Cycle model (policy) • Collaborative phasing between the architectural phases (Requirements, Specification, and Design) • Collaborative phasing is how the fish build and climb the waterfall ladder. • A change in practice, not a change in policy. 3/27/2014 2014 FISSEA Conference 11

  12. Lessons Learned • Agency cyber security team performs source code security scan for project exit approval • Lesson: pushback from software project managers – Action: application development executives brought on board – Action: software project managers offered source code scanning tool for in-development software – Action: training on tool and security assessment for code writers • Lesson: project managers and phase practitioners have weak software project management skills – Action: Develop course to teach secure software construction to project managers – Action: Develop courses for each of the phase practitioners 3/27/2014 2014 FISSEA Conference 12

  13. Project Manager Pushback • Action: application development executives brought on board • Action: software project managers offered source code scanning tool for in-development software • Action: training on tool and security assessment for code writers 3/27/2014 2014 FISSEA Conference 13

  14. Weak Software Project Skills • Action: Develop course to teach secure software construction to project managers • Action: Develop courses for each of the phase practitioners – Requirement Elicitors – Specification Writers – Designers (Data and Software) – Code Writers – Quality Assessment 3/27/2014 2014 FISSEA Conference 14

  15. Approach to Training • Craft unionism refers to organizing … workers in a particular industry along the lines of the particular craft or trade that they work in by class or skill level. It contrasts with industrial unionism , in which all workers in the same industry are organized into the same union, regardless of differences in skill. 3/27/2014 2014 FISSEA Conference 15

  16. A Human Capital Crisis in Cybersecurity Technical Proficiency Matters • There are continuing efforts by federal agencies to define an information technology (IT) security work force improvement program based on role definitions • I contend: There is a lack of adequate detail in defining specialized IT security roles, especially as understood by managers without a security background or training. • Center for Strategic and International Studies (CSIS) Report 3/27/2014 2014 FISSEA Conference 16

  17. Points To Ponder • Simple evolves into Complex • Complexity generates specialization • Applications become APPLICATIONS • Everybody wants to design, nobody wants to build • Academia produces architects and engineers • BUT…there is no degree in plumbing! 3/27/2014 2014 FISSEA Conference 17

  18. I am a dry pipe plumbing inspector • Static source code analysis (dry pipe) • Penetration testing (wet pipe) • Design assessment (Architecture and Civil Engineering) • Every stage of “plumbing” has a specialized creator and a specialized inspector – Requirements – Specification – Design – Code writing – Install and configure – Operations – Decommission 3/27/2014 2014 FISSEA Conference 18

  19. If You Build It Correctly, Security Will Come • If software security is an emergent quality, from what does software security emerge? ***The quality of all surrounding processes*** • A failure in any phase means a failed project. 3/27/2014 2014 FISSEA Conference 19

  20. A Team of Craftsman 3/27/2014 2014 FISSEA Conference 20

  21. Software is a Synergistic Effort 3/27/2014 2014 FISSEA Conference 21

  22. FORGET DEVELOPER!!!!! Think Code-Writer • Requirements Elicitor (Security policy) • Specification Writer (Security Engineer) • Application and Data Designers (Security Architects) • Code Writers (Code Analysts, Pen Testers) • Installation and Configuration (Pen Testers) • Quality Assurance Testers (functional and non- functional) • Operations and Operational Security (Security Monitors) • Decommission (Data and application destruction specialists) The Blue Collar Office Worker 3/27/2014 2014 FISSEA Conference 22

  23. Requirements Elicitors • Focused on problem space • Group Stakeholders – Regulatory – Environmental – Customer – Users – Project Team • Elicitation skills – Strategic Debrief – Interrogation – Document Research and Analysis • Reading and writing Skills • Gregarious personality 3/27/2014 2014 FISSEA Conference 23

  24. Specification Writer • Focused on solution space • Mathematically resolvable solution descriptions for problem requirements • Active writing skills • Formal methods • Detail-oriented perfectionist 3/27/2014 2014 FISSEA Conference 24

  25. Designers • Data designers – Schema – Data Item Dictionary – Detail-oriented • Code Designers – UML skills – Function Point Design = Earned Value Management – Vision of the whole 3/27/2014 2014 FISSEA Conference 25

  26. Code Writers • Adopt a standard of secure coding practices • Teach the coding standard • Teach code evaluation tools and skills • Demand the standard by evaluating employees using the standard • Detail-focused 3/27/2014 2014 FISSEA Conference 26

  27. Secure Coding Quality Assessment • Study and learn from the Building Security In Maturity Model (BSIMM) • Train and use a security evaluation team as a part of the application development (AD) team and processes. • Specifications = development of test scripts and scenarios • Teach the evaluation tools and standards • Collaboration between the AD team and the agency cyber-security penetration testing and code analysis team 3/27/2014 2014 FISSEA Conference 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Construction OS&H for workers Action plans & conclusions Job done! ILO Construction

Construction OS&H for workers Action plans & conclusions Job done! ILO Construction

Construction OS&H for workers Action plans & conclusions Job done! ILO Construction OS&H We will start this module with some pictures to remind you of some basic safety precautions required during construction operations. ILO

570 views • 46 slides
Construction Trade Union perspectives Workers approach OS&H ILO Construction OS&H

Construction Trade Union perspectives Workers approach OS&H ILO Construction OS&H

Construction Trade Union perspectives Workers approach OS&H ILO Construction OS&H The three sections of the workers perspectives The Trade Union Approach to Health and Safety Organising for a Healthy and Safe Workplace

806 views • 31 slides
Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H

Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H

Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H The three sections of the workers perspectives The Trade Union Approach to Health and Safety Organising for a Healthy and Safe Workplace

416 views • 16 slides
Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H

Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H

Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H The three sections of the workers perspectives The Trade Union Approach to Health and Safety Organising for a Healthy and Safe Workplace

594 views • 17 slides
Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H

Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H

Construction OS&H Workers perspectives Trade Union approach ILO Construction OS&H The three sections of the workers perspectives The Trade Union Approach to Health and Safety Organising for a Healthy and Safe Workplace

454 views • 31 slides
Construction OS&H Workers perspectives Getting Management to Make Improvements Part

Construction OS&H Workers perspectives Getting Management to Make Improvements Part

Construction OS&H Workers perspectives Getting Management to Make Improvements Part 1 ILO Construction OS&H The three sections of the workers perspectives The Trade Union Approach to Health and Safety Organising for a

810 views • 13 slides
Construction OS&H Workers perspectives Getting Management to Make Improvements Part

Construction OS&H Workers perspectives Getting Management to Make Improvements Part

Construction OS&H Workers perspectives Getting Management to Make Improvements Part 2 ILO Construction OS&H The union health and safety representative & accidents All accidents have causes, they do not just

672 views • 21 slides
Developing from Level 2 It's BIM folks, but not as we know it Professor Tim Broyd Chair in Built

Developing from Level 2 It's BIM folks, but not as we know it Professor Tim Broyd Chair in Built

Developing from Level 2 It's BIM folks, but not as we know it Professor Tim Broyd Chair in Built Environment Foresight, UCL Vice President, ICE thinkBIM, London, 17 September 2014 Level 2 Package PAS1192:2 Capital

737 views • 54 slides
Mozambiques $90B LNG construction boom - Five years of planning set to culminate in first

Mozambiques $90B LNG construction boom - Five years of planning set to culminate in first

+ Supplying labour and training to Mozambiques $90B LNG construction boom - Five years of planning set to culminate in first contracts - 50,000 workers and extensive training required - Large database of Mozambican workers 1 February 2020

159 views • 12 slides
Through the Workers Eyes Developing Learning Activities with Work-Related Documents Workshop

Through the Workers Eyes Developing Learning Activities with Work-Related Documents Workshop

Through the Workers Eyes Developing Learning Activities with Work-Related Documents Workshop framework Whats the point? Review of Essential Skills Collecting work-related documents Developing worker-focused learning activities

889 views • 87 slides
Jules Quested-Williams Built for Marketing Built for Marketing 2014 Established in 2008

Jules Quested-Williams Built for Marketing Built for Marketing 2014 Established in 2008

Jules Quested-Williams Built for Marketing Built for Marketing 2014 Established in 2008 Wealth of experience in sales and marketing strategies, people management and change management 25 years in the construction industry Built

895 views • 15 slides
CHANGES Architecture, Built Environment and Construction Engineering Cultural Heritage

CHANGES Architecture, Built Environment and Construction Engineering Cultural Heritage

ABC Department CHANGES Architecture, Built Environment and Construction Engineering Cultural Heritage Activities: New Goals and benefits for Economy and Society Work Package 6 Economic analysis of costs and benefits of preventive

511 views • 25 slides
Construction OS&H General duties ILO Construction OS&H Summary ILO Convention C167,

Construction OS&H General duties ILO Construction OS&H Summary ILO Convention C167,

Construction OS&H General duties ILO Construction OS&H Summary ILO Convention C167, Recommendation R175 and the Code of Practice Duties of authorities, employers, the self-employed, and workers Duties of construction clients and

758 views • 43 slides
for Construction Workers to Ensure High Performance Building Envelopes Contract N

for Construction Workers to Ensure High Performance Building Envelopes Contract N

7th EU Exchange Meeting BUILD UP Skills Workshop "Outcomes of advanced projects" Brussels, 18 January 2016 National Qualification Scheme for Construction Workers to Ensure High Performance Building Envelopes Contract N

235 views • 11 slides
Sheet Metal, Construction, and Manufacturing Workers in the Tool Belt Recession: Crisis and

Sheet Metal, Construction, and Manufacturing Workers in the Tool Belt Recession: Crisis and

Sheet Metal, Construction, and Manufacturing Workers in the Tool Belt Recession: Crisis and Opportunity Driving Change, Creating Opportunities 2010 Partners in Progress Conference Kate Gordon Las Vegas, Nevada Vice President of Energy Policy

282 views • 10 slides
Brains are Built, Not Born Dr. Jack Shonkoff Harvard Center for the Developing Child The NC

Brains are Built, Not Born Dr. Jack Shonkoff Harvard Center for the Developing Child The NC

Brains are Built, Not Born Dr. Jack Shonkoff Harvard Center for the Developing Child The NC Pathways to Grade-Level Reading initiative was created to address one of the greatest challenges facing the state: the majority of our children are not

385 views • 21 slides
Optimal Approach to the Clinical Evaluation Process Tami Abudi, President and CEO BBA Agenda

Optimal Approach to the Clinical Evaluation Process Tami Abudi, President and CEO BBA Agenda

Optimal Approach to the Clinical Evaluation Process Tami Abudi, President and CEO BBA Agenda Placing the Clinical Evaluation process in historical perspective Understanding the requirements and placing them into practice Discussing

392 views • 28 slides
Mental Health and Human Emotion Domestic Depressive Disorder (persons) OECD Suicide Rate (persons)

Mental Health and Human Emotion Domestic Depressive Disorder (persons) OECD Suicide Rate (persons)

The 16 th U.S.-Korea Forum on Nanotechnology: Nanosensors Related to Human Cognition and Brain Research & Nanomedicine Focusing on Single Cell Level W EARABLE H UMAN E MOTION M ONITORING S YSTEMS 23 September 2019 Young-Ho Cho Nano

613 views • 28 slides
Sufficiency, Shortage or Stress Thomas C. Ricketts, Ph.D. MPH, Erin Fraher, PhD MPP Katie

Sufficiency, Shortage or Stress Thomas C. Ricketts, Ph.D. MPH, Erin Fraher, PhD MPP Katie

Physicians in North Carolina: Sufficiency, Shortage or Stress Thomas C. Ricketts, Ph.D. MPH, Erin Fraher, PhD MPP Katie Gaul, M.A. University of North Carolina at Chapel Hill The Current Policy Context Demand side : aging population,

636 views • 49 slides
Broke, ill, and obese: Broke, ill, and obese: The effect of household debt on health Matthias

Broke, ill, and obese: Broke, ill, and obese: The effect of household debt on health Matthias

Broke, ill, and obese: Broke, ill, and obese: The effect of household debt on health Matthias Keese Hendrik Schmitz Ruhr Graduate School in Economics Ruhr Graduate School in Economics University of Duisburg-Essen RWI Essen The 2010 IRDES

506 views • 14 slides
Health System Matrix: Providing a perspective into the provincial health system In the majority

Health System Matrix: Providing a perspective into the provincial health system In the majority

Health System Matrix: Providing a perspective into the provincial health system In the majority of conditions, the First Nations prevalence rate was stable or improved between 2008/09 and 2014/15 No Difference with Other Stable Rates Gap

677 views • 13 slides
Biometrix Medical Presentacin General Presentacin - Biometrix Medical Desarrolla, fabrica y

Biometrix Medical Presentacin General Presentacin - Biometrix Medical Desarrolla, fabrica y

Biometrix Medical Presentacin General Presentacin - Biometrix Medical Desarrolla, fabrica y comercializa dispositivos mdicos para Salas de Cuidados Intensivos, Quirfanos y Salas de Angiografa Intervencionista Fundada en 1986

498 views • 15 slides
Introduction to PTCA The Programme for Theology and Cultures in Asia (PTCA) was founded in

Introduction to PTCA The Programme for Theology and Cultures in Asia (PTCA) was founded in

6/10/2015 Brief History of PTCA Introduction to PTCA The Programme for Theology and Cultures in Asia (PTCA) was founded in 1983. o A join programme collaborated by CCA, ATESEA, SEAGST,Tao Fong Shan and Kansai Seminar House, Japan. Later,

333 views • 4 slides
Overview & Update Alaska Health Care Commission Meeting Deborah Erickson Alaska Health Care

Overview & Update Alaska Health Care Commission Meeting Deborah Erickson Alaska Health Care

Overview & Update Alaska Health Care Commission Meeting Deborah Erickson Alaska Health Care Commission October 11, 2011 UPDATED 06-11-12 1 Legal Challenges & Political Realities Status of Federal Implementation Structure of

624 views • 39 slides

More recommend