Acquisition of Software - Reliant Capabilities
Authors
Abstract
To improve the security of software systems, we need to improve the software development processes used to produce them. Software security assurance cases have been proposed as a way of establishing security properties of software at different phases of the software development lifecycle; however, these assurance cases are difficult to write, communicate and introduce into an already burdened software development process. We evaluated a team-based, knowledge engineering approach to introduce software security assurance cases to neophytes through the utilization of concept maps. This approach allowed the study's participants to engage in conversations with security experts about security requirements for their software and with knowledge engineers to construct concept maps demonstrating how their software met the requirements. Our survey results and feedback show great promise for our method to be effective and efficient for disseminating knowledge about software security to new hires and students, which in turn would make them cognizant of the security requirements in their organization.

Using Concept Maps to Introduce Software Security Assurance Cases

Introduction

Enhancing software security is, in part, about software process improvement. To improve the security of software systems we need to improve the software development processes used to produce them. Software security assurance cases have been proposed as a way of establishing security properties of software at several security touchpoints in the development process [1]. These touchpoints are defined as "lightweight software security best practice activities that are applied to various software artifacts such as requirements and code" [2]. Assurance cases are structured and reviewable artifacts to demonstrate that a system possesses required security properties. However, assurance cases are not easy to write, communicate, or introduce into an already burdened software development process. So how can we introduce software security assurance cases to a development organization or to a new hire in such an organization? In this paper we propose a team-based, knowledge engineering approach that introduces assurance cases through the use of concept maps [3]. A concept map provides a simple visual representation for the capture and communication of technical knowledge about a particular domain. The knowledge engineering approach we employed combines initial skeleton concept maps that describe known types of software vulnerabilities, concept maps of the software structure derived by parsing code or interface documents from a particular system, an interview process in which a knowledge engineer facilitates a conversation between a security expert and a programmer to develop the concept map-based assurance case for that system, and a review process in which the resulting assurance case is presented to stakeholders. If successful, this approach could have several advantages.

First, the knowledge engineering approach could facilitate the introduction of assurance case touchpoints into the development process. Second, participation in the interviews could improve programmer sensitivity to potential software vulnerabilities and expedite knowledge transfer. Furthermore, the concept maps supporting the assurance cases could be linked to other documentation such as design rationale to provide an integrated view of the software structure. Finally, the visual nature of assurance cases enhanced with concept maps could facilitate communication with diverse project stakeholders. In this paper we provide a discussion of literature pertaining to software security assurance cases and concept mapping. We then discuss two small-scale case studies that were conducted to gain feedback on the practicality of a knowledge engineering approach to the construction of assurance cases containing concept maps. We summarize results of these studies, including the results of questionnaires that address the utility of this approach, and conclude with a discussion of lessons learned.

Software Security Assurance Case Development

Security assurance is a multidimensional concern. Evaluation of security requires evaluating targets (systems that may be attacked), processes (used to develop the targets), and remediation (corrective action to mitigate vulnerabilities) [4]. Software security assurance cases fall at the juncture of these three concerns; they are developed for a specific target as part of its software engineering process, and they may identify vulnerabilities for remediation. An assurance case is a body of evidence that is analogous to a case presented in legal proceedings and is basically an argument assuring that some claim about a system holds. Assurance cases are structured and reviewable artifacts used to document that a system possesses required properties such as security, safety and reliability.

Software security assurance cases are prepared at defined security touchpoints during the software development lifecycle. Throughout this lifecycle, the software security assurance case evolves as it is reviewed by stakeholders with varying areas of expertise. Besides security experts, these stakeholders can include developers, testers, installers, system administrators and customers [5]. A proven software security assurance case is reusable for new versions of an existing system and may be adaptable for a completely new system. The software security assurance case creates a structure for the analysis of changes to a system and helps to ensure that changes do not have adverse effects on security by introducing new vulnerabilities. A properly created
Similar sources
Open Acquisition: Combining Open Source Software Development with System Acquisition
This study explores and develops concepts leading to the combination of best practices from open source software development (OSSD) projects with emerging capabilities for virtual system acquisition. Virtual system acquisition is an evolving approach to demonstrate significant improvements in reducing the cost and cycle time for acquiring software-intensive systems, while improving their qualit...
Exploring Open Software System Acquisition Processes and Architectures
This study explores and develops concepts leading to the combination of best practices from open source software development (OSSD) projects with emerging capabilities for virtual system acquisition. Virtual system acquisition is an evolving approach to demonstrate significant improvements in reducing the cost and cycle time for acquiring software-intensive systems, while improving their qualit...
Enhancing Information Acquisition in Game Agents
Significant enhancements in the capabilities of software agents can result through improving how they acquire information. Decision making depends on getting the right information, but the issue of what actually constitutes the right information is complex. This paper outlines important characteristics of information acquisition in agents and suggests how to improve the effectiveness of informa...
Implications of SaaS on Competencies of IT-Brokerages
The rise of cloud computing provides important challenges for organizations. One such challenge relates to the core capabilities organizations need in order to successfully deploy cloud computing. While implications of cloud computing for client capabilities have been studied, the implications for different types of suppliers are not well understood. Our research investigates the effects of clo...
Investigating the Relationship between Infrastructural Capabilities and Process Capabilities of Knowledge Management in Gas Company in Chaharmahal and Bakhtiari Province
Knowledge, as one of the greatest factors in creating value and competitive advantage, has led organizations to show a great tendency toward knowledge management programs. Understanding the relationship between infrastructural capabilities and process c...
Why To Research in Knowledge Management in Software Engineering Processes?
Knowledge Management is a young discipline that is now important for software development organizations (SDOs). For this reason, this paper presents a review of how knowledge management has been included in several Software Process Reference Models. For this study, five software process reference models broadly used in Latin American countries were analyzed. The findings of thi...