1 / 10

SAS ‘04

SAS ‘04. Reducing Software Security Risk through an Integrated Approach David P. Gilliam and John D. Powell. Acknowledgement. NOTE:

cain-saunders
Download Presentation

SAS ‘04

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SAS ‘04 Reducing Software Security Risk through an Integrated Approach David P. Gilliam and John D. Powell

  2. Acknowledgement • NOTE: • This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration • The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program lead by the NASA Software IV&V Facility • This activity is managed locally at JPL through the Assurance and Technology Program Office

  3. Current Collaborators • David Gilliam – Principle Investigator, JPL • John Powell – JPL Software Engineer • Matt Bishop – Associate Professor of Computer Science, University of California at Davis • Eric Haugh – UC Davis Researcher • http://rssr.jpl.nasa.gov

  4. Goal • Reduce security risk to the computing environment by mitigating vulnerabilities in the software development and maintenance life cycles • Provide an instrument and tools to help avoid vulnerabilities and exposures in software • To aid in complying with security requirements and best practices

  5. Problem • Lack of Experts: Brooks – “No Silver Bullet” is still valid (IEEE Software Engineering, 1987) • Poor Security Requirements • Poor System Engineering • Leads to poor design, coding, and testing • Cycle of Penetrate and Patch • Piecemeal Approach to Security Assurance

  6. Reducing Software Security Risk Through an Integrated Approach NASA • Software Vulnerabilities Expose IT Systems and Infrastructure to Security Risks • Goal: Reduce Security Risk in Software and Protect IT Systems, Data, and Infrastructure • Security Training for System Engineers and Developers • Software Security Checklist for end-to-end life cycle • Software Security Assessment Instrument (SSAI) • Security Instrument Includes: • Model-Based Verification • Property-Based Testing • Security Checklist • Vulnerability Matrix • Collection of security tools

  7. Womb-to-Tomb Process • Coincides with Organizational Polices and Requirements • Software Lifecycle Integration • Software Security Checklist • Phase 1 • Provide instrument to integrate security as a formal approach to the software life cycle • Requirements Driven • Phase 2: • External Release of Software • Release Process • Vulnerability Matrix – NASA Top 20 • Security Assurance Instruments • Early Development – Model Checking / FMF • Implementation – Property Based Testing • Security Assessment Tools (SATs) • Description of available SATs • Pros and Cons of each and related tools with web sites • Notification to Users and Functional Areas when Software or Systems are De-Commissioned

  8. Current Work • Model-Based Verification of SSL Protocol • Report Submitted to IV&V Center • Integration of Security into Software Quality Improvement (SQI) at JPL • Inclusion of Security in Life Cycle Process • Security Risk Assessment – Potential Use of Defect Detection and Prevention Tool • Formal Verification of Patchlink Patch Management Software Agent • Used in All NASA Centers

  9. Note on Future Work • Training Course for SSC and Use of Security Assessment Tools • Experts and Expert Center Available to Assist with the Instrument and Tools • Integrate with Deep Space Mission Systems (DSMS) • Verifying SSL and use in DSMS • Potential to Verify Space Link Extension (SLE) Protocol • Potential to Verify Space Communication Protocol Standard (SCPS) implementations • Developing an Approach to Project Life Cycle Security Risk Assessment at JPL

  10. FOR MORE INFO... David Gilliam JPL 400 Oak Grove Dr., MS 144-210 Pasadena, CA 91109 Phone: (818) 354-0900 FAX: (818) 393-1377 Email: david.p.gilliam@jpl.nasa.gov John Powell MS 125-233 Phone: (818) 393-1377 Email: john.d.powell@jpl.nasa.gov Website: http://rssr.jpl.nasa.gov/

More Related