software assurance swa in education training
play

Software Assurance (SwA) in Education, Training & Certification - PowerPoint PPT Presentation

Mar 08, 2024 •232 likes •702 views

Software Assurance (SwA) in Education, Training & Certification Pocket Guide v2.1 Robin A. Gandhi Nebraska University Center on Information Assurance (NUCIA) University of Nebraska at Omaha 1 What is a Pocketguide? Self-contained

  1. Software Assurance (SwA) in Education, Training & Certification Pocket Guide v2.1 Robin A. Gandhi Nebraska University Center on Information Assurance (NUCIA) University of Nebraska at Omaha 1

  2. What is a Pocketguide? • Self-contained • Concise • Enumeration of resources • Theme • Living document • Reprints and redistribution possible • Fits in the coat pocket 2

  3. SwA ETC Pocketguide Theme • Educating the Educator/Trainer on available SwA resources • Purpose: – Awareness resource for “ getting started ” in educating, training and sustaining a workforce capable of producing secure software – An “ index ” in to a vast amount of resources, tools, curricula, and certification and training opportunities for software assurance 3

  4. Purple, v 2.1, March 2011 4

  5. Software Assurance? • The basis for the belief that software will work as expected – Claims, arguments, evidences that span the software lifecycle from cradle to grave – People, Process, Technology that enable us to promote assurances in the software that is mission and business critical 5

  6. 6

  7. SwA Knowledge Areas and Efforts Technology, Tool and Workforce Education and Training Product Evaluation Curriculum Guides Making Security Measureable Knowledge necessary to Develop CWE, CWSS Sustain, Acquire and Assure CVE, CCE, CPE, OVAL, CVSS Secure Software (SwABoK) State of the Art Reports (SOAR) Measuring Functionality and Capability of SwA Tools Guidebooks (NASA, DACS) (SAMATE) Reference Curriculum Acquisition and (MSwA2010, Undergrad outline) Functional Specifications Processes and Practices Outsourcing Security Principles Test suites and Guidelines Tool Metrics Security-Enhanced Enhancement of Logical and In-depth Metamodels for Software Software Acquisition Development Lifecycle organization of Assets and Operational and Outsourcing Integrating Security into the Principles and Guidelines Environments Software Development Lifecycle Reference Guide: Workforce Development Abstract Syntax Tree SwA in Aquisition and Improvement Requirements and Analysis Metamodel (ASTM) Competency and Practices to Enhance Knowledge Discovery Architecture and Functional Framework for SwA in Purchasing Metamodel (KDM) Design Considerations IT Security Workforce (EBK) Due diligence Software Metrics Workforce Credentials Risk-Based Security Testing Questionnaires Metamodel (SMM) Sample Contract Capability Maturity Provisions and Language Model Integration Application Security Harmonizing and Extending Procurement Language existing Security Capability Maturity Models Key Software Assurance Supply chain Risk Management Mapping Assurance Knowledge Areas and Efforts Goals and Practices Risk-based approach to CMMI for Development to Software Acquisition Maturity Model Building Security In Maturity Model (BSIMM) Software Assurance Maturity Model (SAMM) Measurement Business Case Malware Key Practices for Mitigating Software Weaknesses Making a Business Malware Dictionaries Secure Coding Standards Case for SwA Measurement Frameworks (CERT) Malware Attribute Enumeration Cost/Benefit Models and Characterization (MAEC) Practical Measurement Framework Measurement for Software Assurance and Risk Information Security Novel Approaches to Malware Prioritization Acquisition Measurement Process Improvement Measurements Goals and Globalization Questions Lists Organizational Development Case Studies and Examples 7

  8. SwA Knowledge Areas and Efforts Workforce Education Technology, Tool and Product Evaluation and Training Making Security Measureable Curriculum Guides Knowledge necessary to Develop CWE, CWSS Sustain, Acquire and Assure CVE, CCE, CPE, OVAL, CVSS Secure Software (SwABoK) Measuring Functionality State of the Art Reports (SOAR) and Capability of SwA Tools Guidebooks (NASA, DACS) (SAMATE) Reference Curriculum Acquisition and (MSwA2010, Undergrad outline) Functional Specifications Processes and Practices Outsourcing Security Principles Test suites and Guidelines Tool Metrics Security-Enhanced Enhancement of Logical and In-depth Metamodels for Software Software Acquisition Development Lifecycle organization of Assets and Operational and Outsourcing Principles and Guidelines Integrating Security into the Environments Software Development Lifecycle Reference Guide: Workforce Development Abstract Syntax Tree SwA in Aquisition and Improvement Requirements and Analysis Metamodel (ASTM) Competency and Practices to Enhance Knowledge Discovery Architecture and Functional Framework for SwA in Purchasing Metamodel (KDM) Design Considerations IT Security Workforce (EBK) Due diligence Software Metrics Workforce Credentials Questionnaires Risk-Based Security Testing Metamodel (SMM) Sample Contract Capability Maturity Provisions and Language Model Integration Application Security Harmonizing and Extending Procurement Language existing Security Capability Maturity Models Key Software Assurance Supply chain Risk Management Mapping Assurance Knowledge Areas and Efforts Goals and Practices Risk-based approach to CMMI for Development to Software Acquisition Maturity Model 8 Building Security In Maturity Model (BSIMM)

  9. Knowledge necessary to Develop CWE, CWSS Sustain, Acquire and Assure CVE, CCE, CPE, OVAL, CVSS Secure Software (SwABoK) Measuring Functionality State of the Art Reports (SOAR) and Capability of SwA Tools Guidebooks (NASA, DACS) The Various WGs and Deliverables (SAMATE) Reference Curriculum Acquisition and (MSwA2010, Undergrad outline) Functional Specifications Processes and Practices Outsourcing Security Principles Test suites and Guidelines Tool Metrics Security-Enhanced Enhancement of Logical and In-depth Metamodels for Software Software Acquisition Development Lifecycle organization of Assets and Operational and Outsourcing Integrating Security into the Principles and Guidelines Environments Software Development Lifecycle Reference Guide: Workforce Development Abstract Syntax Tree SwA in Aquisition and Improvement Requirements and Analysis Metamodel (ASTM) Competency and Practices to Enhance Knowledge Discovery Architecture and Functional Framework for SwA in Purchasing Metamodel (KDM) Design Considerations IT Security Workforce (EBK) Due diligence Software Metrics Workforce Credentials Risk-Based Security Testing Questionnaires Metamodel (SMM) Sample Contract Capability Maturity Provisions and Language Model Integration Application Security Harmonizing and Extending Procurement Language existing Security Capability Maturity Models Key Software Assurance Supply chain Risk Management Mapping Assurance Knowledge Areas and Efforts Goals and Practices Risk-based approach to CMMI for Development to Software Acquisition Maturity Model Building Security In Maturity Model (BSIMM) Software Assurance Maturity Model (SAMM) Measurement Business Case Malware Key Practices for Mitigating Software Weaknesses Making a Business Malware Dictionaries Secure Coding Standards Case for SwA Measurement Frameworks (CERT) Malware Attribute Enumeration Cost/Benefit Models Practical Measurement Framework and Characterization (MAEC) Measurement for Software Assurance and Risk Information Security Novel Approaches to Malware Prioritization Acquisition Measurement Process Improvement Measurements Goals and Globalization Questions Lists 9 Organizational Development Case Studies and Examples

  10. 10

  11. 11

  12. 12

  13. 13

  14. 14

  15. 15

  16. 16

  17. 17

  18. 18

  19. Job Roles • What kind of jobs can I get ? – Jobs and career planning • http://www.sans.org/20coolestcareers 19

  20. 20

  21. 21

  22. Got Content? • The pocket guide is a “ work in progress ” • Plenty of opportunity to contribute content • Join the Effort ! – Your comments, suggestions, criticism/praise are all very welcome 22

  23. Where to find the PocketGuide? • https://buildsecurityin.us- cert.gov/swa/pocket_guide_series.html • And many others… 23

  24. 24

  25. 25

  26. 26

  27. Find me • Robin A. Gandhi, Ph.D. Assistant Professor of Information Assurance University of Nebraska at Omaha rgandhi@unomaha.edu Voice: (402) 554 3363, Fax: (402) 554-3284 http://faculty.ist.unomaha.edu/rgandhi 27

  28. Acknowledgement • Joe Jarzombek for giving me the opportunity to lead this effort • Members of the SwA WG on Education and Training for insightful comments, reviews and content (Dan, Carol, Nancy, Art) • Susan Morris, Walter Houser, Dominick Chiriyan • And many others… 28

  29. Bonus Slides 29

  30. Why Johnny Can ’ t write secure code? • Johnny, avoid these weaknesses…. Period! – Common Weaknesses Enumeration (CWE) • Johnny…learn from your mistakes – Common Vulnerabilities and Exposures (CVE) • Johnny…these are the ways of the bad guys – Common Attack Patterns Enumeration and Classification (CAPEC) • Johnny…these are ways to develop secure code – CERT secure coding guidelines 30

  31. Poor Johnny ! 31

  32. Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories Harvey Siy Yan Wu Me 32

  33. The Paradox we face ! Source Code Differences after the fix Bug tracking databases Log of Changes Mailing list Discussions Weakness Enumerations Vulnerability Databases Public Descriptions 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TECHNOLOGIES, INC. INTRODUCTION SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE Software

TECHNOLOGIES, INC. INTRODUCTION SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE Software

TECHNOLOGIES, INC. INTRODUCTION SOFTWARE QUALITY ASSURANCE SOFTWARE QUALITY ASSURANCE Software Quality Assurance consist of a means of monitoring the software engineering processes and methods used to ensure quality IEEE 730-2014 BETA

325 views • 20 slides
Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Software Assurance Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security Bad (buggy, insecure software) comes not from discrete, unpredictable,

561 views • 18 slides
Software Quality Assurance Software Quality Assurance Dr. Linda H. Rosenberg Assistant Director

Software Quality Assurance Software Quality Assurance Dr. Linda H. Rosenberg Assistant Director

Software Quality Assurance Software Quality Assurance Dr. Linda H. Rosenberg Assistant Director For Information Sciences Goddard Space Flight Center, NASA 301-286-5710 Linda.Rosenberg@gsfc.nasa.gov V&V 10/2002 Slide 1 Agenda

267 views • 26 slides
Software Quality & Software Quality Assurance p. 1 Software Quality A definition of

Software Quality & Software Quality Assurance p. 1 Software Quality A definition of

Software Quality & Software Quality Assurance p. 1 Software Quality A definition of quality should emphasize three important points: 1. Software requirements are the foundation from which quality is measured. Lack of conformance to

326 views • 13 slides
education Further Education and Training (FET) Post primary education Dictionary NAMES OF

education Further Education and Training (FET) Post primary education Dictionary NAMES OF

How do you create flexible pathways for students to continue to higher education? Share the practices in your organization to learn from each other. Vocational eduation and Training (VET) Higher = education Further Education and Training

549 views • 6 slides
education academic and administrative staff. Conducted consultancies and technical reports for

education academic and administrative staff. Conducted consultancies and technical reports for

SAT 29 JUNE 2019 Born in UK Worked in higher education for over 35 years. Vice-rector at USJ and Director of the DLCR. Quality assurance, accreditation, educational development and training for higher education academic and

626 views • 36 slides
1 What is Safety Software? (cont) What is Safety Software? (cont) What is Safety Software?

1 What is Safety Software? (cont) What is Safety Software? (cont) What is Safety Software?

Outline Outline Outline Background information on the drivers behind the New DOE Software Quality New DOE Software Quality New DOE Software Quality push for software quality assurance (SQA) Assurance Requirements and Assurance Requirements

210 views • 4 slides
FOR DOCUMENT Club Workshop Subhead text TRAINING & EDUCATION Welcome TRAINING &

FOR DOCUMENT Club Workshop Subhead text TRAINING & EDUCATION Welcome TRAINING &

TRAINING & EDUCATION TRAINING & EDUCATION RULES OF GOLF 2019 MAIN HEAD FOR DOCUMENT Club Workshop Subhead text TRAINING & EDUCATION Welcome TRAINING & EDUCATION Contents 1. New Terminology 2. New Principles 3. Areas of

706 views • 41 slides
Compliance Training Management Assurance that required Compliance Training is correctly

Compliance Training Management Assurance that required Compliance Training is correctly

Compliance Training Management Assurance that required Compliance Training is correctly identified, effectively delivered and tracked, along with the appropriate accountability process. Why Are We Here? Whats in this for you A new

613 views • 12 slides
Training Competency Assurance - Team Based Ralph Benham Maersk Training, Inc. History NASA

Training Competency Assurance - Team Based Ralph Benham Maersk Training, Inc. History NASA

DYNAMIC POSITIONING CONFERENCE OCTOBER 911, 2017 TRAINING/COMPETENCY Training Competency Assurance - Team Based Ralph Benham Maersk Training, Inc. History NASA study in 1979 Resource Management on the Flight Deck Human Factors

695 views • 15 slides
1 Measuring quality Costs of quality assurance Is it possible to quantify software

1 Measuring quality Costs of quality assurance Is it possible to quantify software

Key Points Many different characteristics of quality Quality Assurance and Testing Importance of having independent quality assurance from development The deliverable of QA is information CSE 403 Write it down Lecture 22 QA

359 views • 5 slides
Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical

Practically Formal Development and Assurance of Complex Software-Intensive Safety-Critical Systems Alan Wassyng work with Zinovy Diskin, Nicholas Annable, and Mark Lawford CyPhyAssure, 20 March 2019 GSN-like Assurance Cases Pros

720 views • 33 slides
Quality Assurance & Software Testing Services Our Expertise 28 Years of 200+ Full-Time

Quality Assurance & Software Testing Services Our Expertise 28 Years of 200+ Full-Time

Quality Assurance & Software Testing Services Our Expertise 28 Years of 200+ Full-Time About us Experience Employees ASSIST Software was founded in 1992 and is a software company based in Suceava, Romania. ASSIST Software specializes

399 views • 8 slides
The Framework for Quality Assurance in the European Higher Education Area (EHEA) Workshop for

The Framework for Quality Assurance in the European Higher Education Area (EHEA) Workshop for

European Quality Assurance Register for Higher Education The Framework for Quality Assurance in the European Higher Education Area (EHEA) Workshop for Higher Education Institutions Astana, 2 March 2017 Colin Tck Topics 1.ESG 2015 the

395 views • 35 slides
Global Trends in Quality Assurance in Higher Education Ms Hassmik Tortian, PhD, Programme

Global Trends in Quality Assurance in Higher Education Ms Hassmik Tortian, PhD, Programme

Global Trends in Quality Assurance in Higher Education Ms Hassmik Tortian, PhD, Programme Specialist Division for Teacher Development and Higher Education Global Trends in Quality Assurance in Higher Education UNESCO and Quality Assurance

456 views • 19 slides
The Bureau of Diplomatic Security Diplomatic Security Training Center(DSTC) Information Assurance

The Bureau of Diplomatic Security Diplomatic Security Training Center(DSTC) Information Assurance

U.S. DEPARTMENT OF STATE The Bureau of Diplomatic Security Diplomatic Security Training Center(DSTC) Information Assurance (IA) and Cybersecurity Training Program UNCLASSIFIED CyberSec_Training@state.gov Information Assurance Training

142 views • 11 slides
Year-End Report (September 2017 Augusti 2018) Gran Bille Peter Andersson Acting President

Year-End Report (September 2017 Augusti 2018) Gran Bille Peter Andersson Acting President

Year-End Report (September 2017 Augusti 2018) Gran Bille Peter Andersson Acting President & CEO CFO Highlights Q4 & Full Year Q4 & Full Year in numbers Going forward Questions 2 Challenges at KappAhl

302 views • 15 slides
GIS Training Classes 2019 info@TeachMeGIS.com Jennifer Harrison

GIS Training Classes 2019 info@TeachMeGIS.com Jennifer Harrison

H-GAC hosted TeachMeGIS GIS Training Classes 2019 info@TeachMeGIS.com Jennifer Harrison Jennifer.Harrison@TeachMeGIS.com info@TeachMeGIS.com Newbie GIS Professional Additional Courses Web Map ArcGIS Pro Essentials Intro to

65 views • 3 slides
as a Woman Engineer Maria Klawe Harvey Mudd College Outline Some common scenarios

as a Woman Engineer Maria Klawe Harvey Mudd College Outline Some common scenarios

Steering Your Career as a Woman Engineer Maria Klawe Harvey Mudd College Outline Some common scenarios Strategies for success The imposter syndrome Resources Questions and answers Common Scenarios Newbie To manage or

139 views • 13 slides
FOUNDERS SYNDROME The role of a creative leader is not to have all the ideas; its to

FOUNDERS SYNDROME The role of a creative leader is not to have all the ideas; its to

1 of 8 FOUNDERS SYNDROME The role of a creative leader is not to have all the ideas; its to create a culture where everyone can have ideas and feel that theyre valued. (Ken Robinson) What is Founders Syndrome ?

523 views • 8 slides
Support for Service Programs: What Works & Why Robert Sewell Health Program Manager

Support for Service Programs: What Works & Why Robert Sewell Health Program Manager

Support for Service Programs: What Works & Why Robert Sewell Health Program Manager Health Planning & Systems Development Alaska Dept of Health & Social Services Ref: Sewell, Robert. "Support for Service 1

796 views • 55 slides
Effective Presentation Blueprint: Sales Achievement Effective Presentation Blueprint: Sales

Effective Presentation Blueprint: Sales Achievement Effective Presentation Blueprint: Sales

T1KBQBPDE6JW > PDF // Effective Presentation Blueprint: Sales Achievement DNA Effective Presentation Blueprint: Sales Achievement Effective Presentation Blueprint: Sales Achievement DNA DNA Filesize: 2.41 MB Reviews Reviews Completely

223 views • 3 slides
As an Engineer Newbie Engineer Graduate Mentor Colleag ague ues. Headhun hunte ted d or

As an Engineer Newbie Engineer Graduate Mentor Colleag ague ues. Headhun hunte ted d or

Marketing Yourself As an Engineer Newbie Engineer Graduate Mentor Colleag ague ues. Headhun hunte ted d or Given a Special ial Throw Again in. Promotio ion. Start rt Again in. Starting Out Not One Solution Fits All I want to

259 views • 25 slides
Synergy of social networks defeats online privacy Eleonora Petridou Marek Kuczy nski System

Synergy of social networks defeats online privacy Eleonora Petridou Marek Kuczy nski System

Synergy Of Social Networks Defeats Online Privacy, www.socialsynergy.nl Synergy of social networks defeats online privacy Eleonora Petridou Marek Kuczy nski System And Network Engineering University of Amsterdam February 2, 2011 Synergy

710 views • 37 slides

More recommend