Brought To You By: Sponsored By:
Presented By: Taz Daughtrey
Copyright © 2013 Taz Daughtrey. All Rights Reserved.
Software Quality Engineering Tackles Security Issues
ASQ Software Division Invites You to Attend•
Held concurrently with the ASQ World Conference on Quality and Improvement
May 6 – 8, 2013 in Indianapolis, Indiana
at the Indiana Convention Center
For ongoing information:
Visit the ISE website at: asq.org/conferences/institute-for-software-excellence/index.html
Visit the ASQ Software Division website at: asq.org/software/
Logistics
– Attendees are on mute
– Type your questions into the Question area
- Louise will ask questions between slides
– A recording of this webinar will be available online
– Certificates are available for RUs, PUs, etc.
– You will receive an email tomorrow telling you:
• How to request a certificate of attendance
• How to access the recording
ASQ Software Division Webinar14 March 2013
Software Quality Engineering Tackles Security Issues
Taz Daughtrey
Senior ScientistQuanterion Solutions, Inc.
Cyber Security Information Analysis Center
“Finance software bug causes $217m in investor loses ”
"Why the FBI Can't Build a Case Management System"
Ready
Ready
Fire
Ready
Fire
Aim
Ready
Ready
Aim
Ready
Fire
Aim
Specify
Execute
Plan
14
Make it.
15
Make it.
acceptable
17
Make it.
Make it work.
18
Make it.
Make it work.
acceptable
functional
20
Make it.
Make it work.
Make it work right.
21
Make it.
Make it work.
Make it work right.
acceptable
functional
correct
23
Make it.
Make it work.
Make it work right.
Make it work right, regardless …
24
Make it.
Make it work.
Make it work right.
Make it work right, regardless …
acceptable
functional
correct
dependable
acceptable
functional
correct
dependable
acceptable
functional
correct
dependable
maintainable ?
reviews tests
stakeholder agreement operational profiles
verifiable requirements fault-tolerant design
ISO/IEC 9126-1:2001
suitability + accurateness + interoperability + com pliance + security
maturity
+ fault tolerance
+ recoverability
understandability
+ learnability
+ operability
analyzability
+ changeability
+ stability
+ testability
adaptability
+ installability
+ conformance
+ replaceability
time behavior + resource behavior
ISO/IEC 9126-1:2001
“When the only tool you have is a hammer …
… everything starts to look like a nail.”
31
But not everything is a nail …
… so you need a collection of different tools.
32
… require plenty of different tools
Different targets …
BASIC / CLASSIC QUALITY TOOLS
34
Apply each “classic” tool to software ….
35
Software Reliability Engineering
Software Reliability Modeling
Statistical Modeling and Estimation of Reliability Functions for Software
Reliability : does what is expected
Unreliability : doesn’t do what is expected
Software Security Engineering
Software Security Engineering
confidentiality
Software Security “Touchpoints”
Software Security Modeling
Software Security Modeling
Security Risk Exposure =
Probability of occurrence
X
Consequence of occurrence
Security Risk Exposure =
Probability of occurrence
X
Consequence of occurrence
(knowledge * skill * resources * motivation)
Security Risk Exposure =
Probability of occurrence
X
Consequence of occurrence
(knowledge * skill * resources * motivation)
Resilient Military Systems and the Advanced Cyber Threat Defense Science Board Task Force Report: January 2013
R O I = returninvestment
R O S I = risk exposure reduction
security investment
Cyber Security and Information Systems Information Analysis Center
Community of Practice � Practical Products
58
Set measureable dependability targets
Design. Implement.Build in dependability.
Conduct appraisals.Identify opportunities.Release? Rework?
Improve processes
Handbook of Software Reliability and Security Testing
“Improving Your Software Reliability and Security”
ongoing mentoring
on-the-job application
management-sponsored project
initial class session
follow-up [virtual] sessions
Reminders
– A recording of this webinar will be available online
– Certificates are available for RUs, PUs, etc.
– You will receive an email tomorrow telling you:
• How to request a certificate of attendance
• How to access the recording