Effective cybersecurity engineering requires the integration of security into the software acquisition and development lifecycle. For engineering to address security effectively, requirements that establish the target goal for security must be in place. Risk management must include identification of possible threats and vulnerabilities within the system, along with the ways to accept or address them. There will always be cybersecurity risk, but engineers, managers, and organizations must be able to plan for the ways in which a system should avoid, as well as recognize, resist, and recover from, an attack. In this podcast, Nancy Mead and Carol Woody discuss their new book, Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, which introduces a set of seven principles that address the challenges of acquiring, building, deploying, and sustaining software systems to achieve a desired level of confidence for software assurance.
Nancy R. Mead is a fellow and principal researcher at the Software Engineering Institute (SEI). She is currently involved in the study of security requirements engineering and the development of software assurance curricula. Her research interests include software security, software requirements engineering, and software architectures. Mead is also an adjunct professor of software engineering in the Master of Software Engineering Program at Carnegie Mellon University. She served as director of education for the SEI from 1991 to 1994. Prior to joining the SEI, Mead was a senior technical staff member at IBM Federal Systems, where she spent most of her career in the development and management of large real-time systems.
Carol Woody has been a senior member of the technical staff since 2001 and is the technical manager of the Cybersecurity Engineering Team, whose research focuses on security and software assurance for highly complex networked systems throughout the development and acquisition lifecycles.