Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. Traditional security-engineering approaches rely on addressing security risks during the operation and maintenance of software-reliant systems. The costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. Field experiences of technical staff at the SEI indicate that few programs currently implement effective cybersecurity practices early in the acquisition lifecycle. Recent Department of Defense directives are beginning to shift programs’ priorities regarding cybersecurity. As a result, researchers from the CERT Division of the SEI have started cataloging the cybersecurity practices needed to acquire, engineer, and field software-reliant systems that are acceptably secure. In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain. The SAF can be used to assess an acquisition program’s current cybersecurity practices and chart a course for improvement, ultimately reducing the cybersecurity risk of deployed software-reliant systems.
Dr. Carol Woody is the technical manager of the Cybersecurity Engineering Team of the CERT Division. Her research focuses on defining, acquiring, developing, managing, measuring, and sustaining secure software in very complex network systems and systems of systems. She has coauthored a book Cyber Security Engineering: A Practical Approach for Systems and Software Assurance published November 2016 as part of the SEI Series in Software Engineering.
Christopher Alberts is a principal engineer in the CERT Division at the SEI where he leads applied research and development projects in software assurance and cybersecurity. His research interests include risk analysis, measurement, and assessment. He has also co-authored two books, Managing Information Security Risks: The OCTAVE Approach and the Continuous Risk Management Guidebook.