SAS ‘04
Reducing Software Security Risk through an Integrated Approach

David P. Gilliam and John D. Powell

Acknowledgement

  • NOTE:
    • This research was carried out at the Jet Propulsion Laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration
    • The work was sponsored by the NASA Office of Safety and Mission Assurance under the Software Assurance Research Program led by the NASA Software IV&V Facility
    • This activity is managed locally at JPL through the Assurance and Technology Program Office
Current Collaborators
  • David Gilliam – Principal Investigator, JPL
  • John Powell – JPL Software Engineer
  • Matt Bishop – Associate Professor of Computer Science, University of California at Davis
  • Eric Haugh – UC Davis Researcher

  • Reduce security risk to the computing environment by mitigating vulnerabilities in the software development and maintenance life cycles
  • Provide an instrument and tools to help avoid vulnerabilities and exposures in software
  • To aid in complying with security requirements and best practices

  • Lack of Experts: Brooks – “No Silver Bullet” is still valid (IEEE Software Engineering, 1987)
  • Poor Security Requirements
  • Poor System Engineering
    • Leads to poor design, coding, and testing
  • Cycle of Penetrate and Patch
  • Piecemeal Approach to Security Assurance
Reducing Software Security Risk Through an Integrated Approach

  • Software Vulnerabilities Expose IT Systems and Infrastructure to Security Risks
  • Goal: Reduce Security Risk in Software and Protect IT Systems, Data, and Infrastructure
      • Security Training for System Engineers and Developers
      • Software Security Checklist for end-to-end life cycle
      • Software Security Assessment Instrument (SSAI)
  • Security Instrument Includes:
    • Model-Based Verification
    • Property-Based Testing
    • Security Checklist
    • Vulnerability Matrix
    • Collection of security tools
Womb-to-Tomb Process
  • Coincides with Organizational Policies and Requirements
  • Software Lifecycle Integration
    • Software Security Checklist
      • Phase 1
        • Provide instrument to integrate security as a formal approach to the software life cycle
        • Requirements Driven
      • Phase 2:
        • External Release of Software
        • Release Process
    • Vulnerability Matrix – NASA Top 20
    • Security Assurance Instruments
      • Early Development – Model Checking / FMF
      • Implementation – Property Based Testing
    • Security Assessment Tools (SATs)
      • Description of available SATs
      • Pros and Cons of each and related tools with web sites
  • Notification to Users and Functional Areas when Software or Systems are De-Commissioned
Current Work
  • Model-Based Verification of SSL Protocol
    • Report Submitted to IV&V Center
  • Integration of Security into Software Quality Improvement (SQI) at JPL
    • Inclusion of Security in Life Cycle Process
    • Security Risk Assessment – Potential Use of Defect Detection and Prevention Tool
  • Formal Verification of Patchlink Patch Management Software Agent
    • Used in All NASA Centers
Note on Future Work
  • Training Course for SSC and Use of Security Assessment Tools
  • Experts and Expert Center Available to Assist with the Instrument and Tools
  • Integrate with Deep Space Mission Systems (DSMS)
    • Verifying SSL and use in DSMS
    • Potential to Verify Space Link Extension (SLE) Protocol
    • Potential to Verify Space Communication Protocol Standard (SCPS) implementations
  • Developing an Approach to Project Life Cycle Security Risk Assessment at JPL

David Gilliam
400 Oak Grove Dr., MS 144-210
Pasadena, CA 91109
Phone: (818) 354-0900 FAX: (818) 393-1377

John Powell
MS 125-233
Phone: (818) 393-1377