During the acquisition and development of software-reliant systems, DoD program personnel normally focus on meeting functional requirements, often deferring security to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment rather than being engineered into a system. Operational security vulnerabilities generally have three main causes: (1) design problems, (2) implementation/coding problems, and (3) system configuration problems.
The SERA project focuses primarily on analyzing design vulnerabilities that cannot be corrected easily during operations. Early detection and remediation of design vulnerabilities can help reduce residual security risk when a system is deployed. Scenarios relevant to target operational missions will be developed and analyzed to identify security risks and needed mitigations, and to confirm requirements to address those mitigations. By applying this approach, acquisition and development organizations should be able to identify a more complete set of security requirements by moving beyond compliance to consider cybersecurity risks from a mission/operational perspective.