
Engineering Safe and Secure Software Systems

Content
- Intro
- Contents
- Preface
- Endnotes
- Foreword
- 1 Introduction
- Preamble
- Scope and Structure of the Book
- Acknowledgments
- Endnotes
- 2 Engineering Systems
- Introduction
- Some Initial Observations
- Deficient Definitions
- Rationale
- What Are Systems?
- Deconstructing Systems Engineering
- What Is Systems Engineering?
- Systems Engineering and the Systems Eng
- The DoD Text
- Another Observation
- More on Systems Engineering
- The Systems Engineering Process (SEP)
- Summary and Conclusions
- Endnotes
- 3 Engineering Software Systems
- Introduction
- The Great Debate
- Some Observations
- Rationale
- Understanding Software Systems Engineeri
- Deconstructing Software Systems Engineer
- What Is Software?
- What Are Software Systems?
- Are Control Software Systems Different?
- What is Software Systems Engineering?
- The Software Systems Engineering Process
- Steps in the Software Development Proces
- Omissions or Lack of Attention
- Nonfunctional Requirements
- Testing Nonfunctional Attributes
- Verification and Validation
- Creating Requisite Functional and Nonfun
- Resiliency and Availability
- Decommissioning
- Summary and Conclusions
- Endnotes
- 4 Engineering Secure and Safe Systems, Part I
- Introduction
- The Approach
- Security Versus Safety
- Four Approaches to Developing Critical Systems
- The Dependability Approach
- The Safety Engineering Approach
- The Secure Systems Approach
- The Real-Time Systems Approach
- Security-Critical and Safety-Critical Systems
- Summary and Conclusions
- Endnotes
- 5 Engineering Secure and Safe Systems, Part 2
- Introduction
- Approach
- Reducing the Safety-Security Deficit
- Game-Changing and Clean-Slate Approaches
- A Note on Protection
- Safety-Security Governance Structure and Risk Management
- An Illustration
- The General Development Life Cycle
- Structure of the Software Systems Development Life Cycle
- Life Cycle Processes
- Governance Structure for Systems Enginee
- Risks of Security-Oriented Versus Safety
- Expertise Needed at Various Stages
- Summary and Conclusions
- Endnotes
- 6 Software Systems Security and Safety Risk
- Introduction
- Understanding Risk
- Risks of Determining Risk
- Software-Related Risks
- Motivations for Risk Mitigation
- Defining Risk
- Assessing and Calculating Risk
- Threats Versus Exploits
- Threat Risk Modeling
- Threats from Safety-Critical Systems
- Creating Exploits and Suffering Events
- Vulnerabilities
- Application Risk Management Considerations
- Subjective vs. Objective vs. Personal Risk
- Personalization of Risk
- The Fallacies of Data Ownership, Risk Appetite, and Risk Tolerance
- The Dynamics of Risk
- A Holistic View of Risk
- Summary and Conclusions
- Endnotes
- 7 Software System Security and Safety Metrics
- Introduction
- Obtaining Meaningful Data
- Defining Metrics
- Differentiating Between Metrics and Meas
- Software Metrics
- Measuring and Reporting Metrics
- Metrics for Meeting Requirements
- Risk Metrics
- Consideration of Individual Metrics
- Security Metrics for Software Systems
- Safety Metrics for Software Systems
- Summary and Conclusions
- Endnotes
- 8 Software System Development Processes
- Introduction
- Processes and Their Optimization
- Processes in Relation to Projects and Products/Services
- Some Definitions
- Chronology of Maturity Models
- Security and Safety in Maturity Models
- FAA Model
- The +SAFE V1.2 Extension
- The +SECURE V1.3 Extension
- The CMMI Approach
- General CMMI
- CMMI for Development
- Incorporating Safety and Security Proces
- +SAFE V1.2 Comparisons
- +SECURE V1.2 Comparisons
- Summary and Conclusions
- Endnotes
- 9 Secure SSDLC Projects in Greater Detail
- Introduction
- Different Terms, Same or Different Meani
- Creating and Using Software Systems
- Phases and Steps of the SSDLC
- Summary and Conclusions
- Endnotes
- 10 Safe SSDLC Projects in Greater Detail
- Introduction
- Definitions and Terms
- Hazard Analysis
- Software Requirements Hazard Analysis
- Top-Level Design Hazard Analysis
- Detailed Design Hazard Analysis
- Code-Level Software Hazard Analysis
- Software Safety Testing
- Software/User Interface Analysis
- Software Change Hazard Analysis
- The Safe Software System Development Lif
- Combined Safety and Security Requirement
- Summary and Conclusions
- Endnotes
- 11 The Economics of Software Systems' Safety and Security
- Introduction
- Closing the Gap
- Technical Debt
- Application of Technical Debt Concept to
- System Obsolescence and Replacement
- The Responsibility for Safety and Security by Individuals and Groups
- Basic Idea
- Extending the Model
- Concept and Requirements Phase
- Design and Architecture Phase
- Development
- Verification
- Validation
- Deployment, Operations, Maintenance, and
- Decommissioning and Disposal
- Overall Impression
- Methods for Encouraging Optimal Behavior
- Pricing
- Chargeback
- Costs and Risk Mitigation
- Management Mandate
- Legislation
- Regulation
- Standards and Certifications
- Going Forward
- Tampering
- Tamper Evidence
- Tamper Resistance
- Tamperproofing
- A Brief Note on Patterns
- Conclusions
- Endnotes
- Appendix A Software Vulnerabilities, Errors, and Attacks
- Ranking Errors, Vulnerabilities, and Risks
- The OWASP Top Security Risks
- The CWE/SANS Most Dangerous Software Errors
- Top-Ranking Safety Issues
- Enumeration and Classification
- WASC Threat Classification
- Summary and Conclusions
- Endnotes
- Appendix B Comparison of ISO/IEC 12207 and CMMI-DEV Process Areas
- Appendix C Security-Related Tasks in the Secure SSDLC
- Task Areas for SSDLC Phases
- Involvement by Teams and Groups for Secure SSDLC Phases
- A Note on Sources
- Endnotes
- Appendix D Safety-Related Tasks in the Safe SSDLC
- Task Areas for Safe SSDLC Phases
- Levels of Involvement
- A Note on Sources
- Endnotes
- About the Author
- Index
System requirements
File format: PDF
Copy-Protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (only limited: Kindle).
The file format PDF always displays a book page identically on any hardware. This makes PDF suitable for complex layouts such as those used in textbooks and reference books (images, tables, columns, footnotes). Unfortunately, on the small screens of e-readers or smartphones, PDFs are rather annoying, requiring too much scrolling.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.