Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University
Menu
Home Digital Library Nancy R. Mead | SEI Digital Library

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Nancy R. Mead

Author

Nancy R. Mead

4267

Software Engineering Institute

Nancy R. Mead is a fellow and principal researcher at the Software Engineering Institute (SEI). She is currently involved in the study of security requirements engineering and the development of software assurance curricula. Her research interests include software security, software requirements engineering, and software architectures. Mead is also an adjunct professor of software engineering in the Master of Software Engineering Program at Carnegie Mellon University. She served as director of education for the SEI from 1991 to 1994.

Prior to joining the SEI, Mead was a senior technical staff member at IBM Federal Systems, where she spent most of her career in the development and management of large real-time systems. She also worked in IBM's software engineering technology area and managed IBM Federal Systems" software engineering education department. She developed and taught numerous courses on software engineering topics, both at universities and in professional education courses.

Mead has authored more than 150 publications and invited presentations. She serves on the editorial boards for the International Journal on Secure Software Engineering and the Requirements Engineering Journal and is a member of numerous advisory boards and committees. She is a Fellow of the Institute of Electrical and Electronics Engineers, Inc. (IEEE) and the IEEE Computer Society, and she is a Distinguished Educator of the Association of Computing Machinery. Mead received the 2015 Distinguished Education Award from the IEEE Computer Society Technical Council on Software Engineering.

Mead is also the founding Steering Committee Chair of the Conference on Software Engineering Education and Training (CSEE&T). The conference has given the Nancy Mead Award for Excellence in Software Engineering Education since 2010, with Mary Shaw as the first recipient. The award is presented to individuals who demonstrate outstanding contributions to software engineering education, training, and professionalism.

Mead received her PhD in mathematics from the Polytechnic Institute of New York, and earned a BA and an MS in mathematics from New York University.

March 2018 - Technical Note A Hybrid Threat Modeling Method

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Forrest Shull, Krishnamurthy Vemuru (University of Virginia), Ole Villadsen (Carnegie Mellon University)

Presents a hybrid method of threat modeling that attempts to meld the desirable features of three methods: Security Cards, Persona non Grata, and STRIDE.

March 2017 - Presentation Using Malware Analysis to Identify Overlooked Security Requirements

Topics: Malware Analysis, Vulnerability Analysis

Authors: Nancy R. Mead, Jose A. Morales

This presentation describes initial research conducted by CERT and Carnegie Mellon to determine if malware report databases were amenable to automated processing to identify flaws

January 2017 - Presentation Panel: Secure Software Workforce Development Panel Session

Authors: Girish Seshagiri (Ishpi Information Technologies, Inc), Nancy R. Mead, William Newhouse (NIST), James W. Over

This panel discussed programs designed to meet the growing need for software assurance professionals.

January 2017 - Presentation Using Malware Analysis to Identify Overlooked Security Requirements (MORE)

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this presentation, Nancy Mead explains how malware analysis can be used effectively to identify otherwise overlooked security requirements.

December 2016 - Video SEI Cyber Minute: Cyber Security Engineering

Authors: Nancy R. Mead

Watch Nancy Mead in this SEI Cyber Minute as she discusses "Cyber Security Engineering."

December 2016 - Podcast Cyber Security Engineering for Software and Systems Assurance

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Carol Woody, PhD

In this podcast Nancy Mead and Carol Woody discuss their new book, Cyber Security Engineering: A Practical Approach for Systems and Software Assurance, which introduces a set of seven principles for software assurance.

November 2016 - Book Cyber Security Engineering: A Practical Approach for Systems and Software Assurance

Topics: Software Architecture

Authors: Nancy R. Mead, Carol Woody, PhD

Pioneering software assurance experts Dr. Nancy R. Mead and Dr. Carol C. Woody present the latest practical knowledge and case studies.

August 2016 - Podcast The SEI Fellow Series: Nancy Mead

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

This podcast is the first in a series highlighting interviews with SEI Fellows.

June 2016 - Special Report Report Writer and Security Requirements Finder: User and Admin Manuals

Topics: Malware Analysis, Software Assurance

Authors: Nancy R. Mead, Anand Sankalp (Carnegie Mellon University), Gupta Anurag (Carnegie Mellon), Priyam Swati (Carnegie Mellon University), Yaobin Wen (Carnegie Mellon University), Walid El Baroni (Carnegie Mellon University)

This report presents instructions for using the Malware-driven Overlooked Requirements (MORE) website applications.

January 2016 - Podcast The SEI Fellows Series: Nancy Mead

Topics: Workforce Development, Performance and Dependability

Authors: Nancy R. Mead

This podcast, featuring an interview with Dr. Nancy Mead, is the first in a series highlighting interviews with SEI Fellows.

September 2015 - Podcast A Software Assurance Curriculum for Future Engineers

Topics: Software Assurance

Authors: Nancy R. Mead

In this podcast, Nancy Mead discusses how, with support from the Department of Homeland Security, SEI researchers developed software assurance curricula and programs for graduate, undergraduate, and community colleges.

August 2015 - Conference Paper Using Malware Analysis to Improve Security Requirements on Future Systems

Topics: Software Assurance, Cybersecurity Engineering

Authors: Nancy R. Mead, Jose A. Morales

In this paper, the authors propose to improve how security requirements are identified.

April 2015 - Conference Paper Industry/University Collaboration in Software Engineering Education: Refreshing and Retuning Our Strategies

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a panel session that explored strategies for industry/university collaboration in software engineering education.

January 2015 - Article A Method and Case Study for Using Malware Analysis to Improve Security Requirements

Topics: Software Assurance, Cybersecurity Engineering

Authors: Nancy R. Mead, Jose A. Morales, Gregory Paul Alice

In this article, the authors propose to enhance software development lifecycle models by implementing a process for including use cases based on previous cyberattacks.

November 2014 - Technical Note Using Malware Analysis to Tailor SQUARE for Mobile Platforms

Topics: Cybersecurity Engineering, Malware Analysis

Authors: Gregory Paul Alice, Nancy R. Mead

This technical note explores the development of security requirements for the K-9 Mail application, an open source email client for the Android operating system.

August 2014 - Presentation Eliciting Unstated Requirements

Topics: Measurement and Analysis

Authors: Nancy R. Mead, Michael D. Konrad, Robert W. Stoddard

The tutorial presents the traditional KJ method for eliciting unstated user needs and extensions made to allow KJ to be used in a virtual environment.

May 2014 - Technical Note An Evaluation of A-SQUARE for COTS Acquisition

Topics: Cybersecurity Engineering

Authors: Sidhartha Mani, Nancy R. Mead

An evaluation of the effectiveness of Software Quality Requirements Engineering for Acquisition (A-SQUARE) in a project to select a COTS product for the advanced metering infrastructure of a smart grid.

May 2014 - Book Chapter Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this book chapter, the authors discuss modern principles of software assurance and identify a number of relevant process models, frameworks, and best practices.

December 2013 - White Paper Foundations for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this paper, the authors highlight efforts to address the principles of software assurance and its educational curriculum.

November 2013 - Technical Note Software Assurance Measurement – State of the Practice

Topics: Software Assurance, Measurement and Analysis

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.

August 2013 - White Paper An Evaluation of Cost-Benefit Using Security Requirements Prioritization Methods

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Travis Christian

In this paper, the authors provide background information on penetration testing processes and practices.

July 2013 - White Paper Teaching Security Requirements Engineering Using SQUARE

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors detail the validation of a teaching model for security requirements engineering that ensures that security is built into software.

July 2013 - White Paper Development of a Master of Software Assurance Reference Curriculum - 2013 IJSSE

Topics: Cybersecurity Engineering, Software Assurance

Authors: Andrew J. Kornecki (Embry-Riddle Aeronautical University), James McDonald (Monmouth University), Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology), Nancy R. Mead, Richard C. Linger (Oak Ridge National Laboratory), Thomas B. Hilburn (Embry-Riddle Aeronautical University)

In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes

July 2013 - White Paper The Development of a Graduate Curriculum for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Mark A. Ardis (Stevens Institute of Technology), Nancy R. Mead

In this paper, the authors describe the work of the Master of Software Assurance curriculum project, including sources, process, products, and more.

July 2013 - White Paper Requirements Prioritization Case Study Using AHP

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a tradeoff analysis that can select a suitable requirements prioritization method and the results of trying one method.

July 2013 - White Paper Requirements Elicitation Case Studies Using IBIS, JAD, and ARM

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a tradeoff analysis that can be used to select a suitable requirements elicitation method.

July 2013 - White Paper The Common Criteria

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses how Common Criteria is evaluated, it also presents a standard that is related to developing security requirements.

July 2013 - White Paper Measuring the Software Security Requirements Engineering Process

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead describes a measurement approach to security requirements engineering to analyze projects that were developed with and without SQUARE.

May 2013 - White Paper Integrating Software Assurance Knowledge into Conventional Curricula

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors discuss the results of comparing the Common Body of Knowledge for Secure Software Assurance with traditional computing disciplines.

May 2013 - White Paper Models for Assessing the Cost and Value of Software Assurance

Authors: Antonio Drommi, Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), John Bailey, Nancy R. Mead

In this paper, the authors present IT valuation models that represent the most commonly accepted approaches to the valuation of IT and IT processes.

May 2013 - White Paper Requirements Engineering Annotated Bibliography

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead provides a bibliography of sources related to requirements engineering.

May 2013 - White Paper Defining the Discipline of Secure Software Assurance: Initial Findings from the National Software Assurance Repository

Topics: Incident Management

Authors: Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), Nancy R. Mead,

In this paper, the authors characterize the current state of secure software assurance work and suggest future directions.

May 2013 - White Paper Making the Business Case for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead provides an overview of the Business Case content area.

May 2013 - White Paper The Software Assurance Competency Model: A Roadmap to Enhance Individual Professional Capability

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this paper, the authors describe a software assurance competency model that can be used by professionals to improve their software assurance skills.

May 2013 - White Paper Building a Body of Knowledge for ICT Supply Chain Risk Management

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors propose a set of Supply Chain Risk Management (SCRM) activities and practices for Information and Communication Technologies (ICT).

May 2013 - White Paper Software Assurance Education Overview

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses the growing demand for skilled professionals who can build security and correct functionality into software.

May 2013 - White Paper Getting Secure Software Assurance Knowledge into Conventional Practice

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), , Nancy R. Mead

In this paper, the authors describe three educational initiatives in support of software assurance education.

May 2013 - White Paper A Common Sense Way to Make the Business Case for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Antonio Drommi, Dan Shoemaker (University of Detroit Mercy), Jeff Ingalsbe (University of Detroit Mercy), John Bailey, Nancy R. Mead

In this article, the authors demonstrate how a true cost/benefit for secure software can be derived.

May 2013 - White Paper Two Nationally Sponsored Initiatives for Disseminating Assurance Knowledge

Topics: Cybersecurity Engineering, Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors describe two efforts that support national cybersecurity education goals.

May 2013 - White Paper Foundations for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead

In this paper, the authors highlight efforts underway to address our society's growing dependence on software and the need for effective software assurance.

May 2013 - White Paper Software Security Engineering: A Guide for Project Managers (white paper)

Topics: Cybersecurity Engineering, Software Assurance

Authors: Gary McGraw, Julia H. Allen, Nancy R. Mead, Robert J. Ellison, Sean Barnum

In this guide, the authors discuss our reliance on software and systems that use the internet or internet-exposed private networks.

May 2013 - White Paper Requirements Elicitation Introduction

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses elicitation methods and the kind of tradeoff analysis that can be done to select a suitable one.

May 2013 - White Paper Requirements Prioritization Introduction

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead discusses using a systematic prioritization approach to prioritize security requirements.

May 2013 - White Paper Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets

Authors: Eric Hough, Hassan Osman, Jonathan Caulkins, Nancy R. Mead

In this paper, the authors introduce a novel method of optimizing using integer programming (IP).

March 2013 - Technical Note Software Assurance Competency Model

Topics: Cybersecurity Engineering, Software Assurance

Authors: Thomas B. Hilburn (Embry-Riddle Aeronautical University), Mark A. Ardis (Stevens Institute of Technology), Glenn Johnson ((ISC)2), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Nancy R. Mead

In this report, the authors describe a model that helps create a foundation for assessing and advancing the capability of software assurance professionals.

January 2013 - Article Guest Editorial Preface for 2013 Special Issue of the International Journal of Secure Software Engineering

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Ivan Flechais (University of Oxford), Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this preface, the guest editors of this special edition provide a context for the articles that comprise the issue.

January 2013 - Book Chapter Principles and Measurement Models for Software Assurance

Topics: Cybersecurity Engineering, Measurement and Analysis, Software Assurance

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy), Carol Woody

In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.

October 2012 - Educational Material Software Security Engineering Course Material

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

This course focuses on fundamental concepts, methods, and practices for developing secure software systems.

December 2011 - Book Chapter Combining Security and Privacy in Requirements Engineering

Topics: Cybersecurity Engineering

Authors: Saeed Abu-Nimeh (Damballa), Nancy R. Mead

In this book chapter, the authors present SQUARE, a security requirements approach, privacy requirement elicitation, and security risk assessment techniques.

September 2011 - Technical Report Software Assurance Curriculum Project Volume IV: Community College Education

Topics: Software Assurance

Authors: Nancy R. Mead, Elizabeth K. Hawthorne (Union County College), Mark A. Ardis (Stevens Institute of Technology)

In this report, the authors focus on community college courses for software assurance.

June 2011 - User's Guide Software Assurance Curriculum Master Bibliography and Course References

Topics: Cybersecurity Engineering, Software Assurance

Authors: Julia H. Allen, Nancy R. Mead, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)

In this report, the authors provide the master bibliography that is used with the software assurance curriculum.

March 2011 - Technical Report Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)

In this report, the authors provide sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum.

February 2011 - Technical Note Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems

Topics: Software Assurance

Authors: Dan Shoemaker (University of Detroit Mercy), Nancy R. Mead, Jeff Ingalsbe (University of Detroit Mercy)

In this report, the authors examine how the Master of Software Assurance Reference Curriculum can be used for a Master of Science in Information Systems.

October 2010 - Podcast Software Assurance: A Master's Level Curriculum

Topics: Workforce Development

Authors: Nancy R. Mead, Thomas B. Hilburn (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory), Julia H. Allen

In this podcast, participants explain how knowledge about software assurance is essential to ensure that complex systems function as intended.

October 2010 - Article Development of a Master of Software Assurance Reference Curriculum - 2010 IJSSE

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory), James McDonald (Monmouth University)

In this article, the authors summarize the Master of Software Assurance curriculum project, including its history, outcomes, a core body of knowledge, and curriculum architecture.

October 2010 - Article Guest Editorial Preface for 2010 Special Issue on Software Security Engineering Education

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this preface, the authors describe the rest of the issue, which discusses how to bring software security education to the mainstream.

September 2010 - Technical Note Security Requirements Reusability and the SQUARE Methodology

Authors: Travis Christian, Nancy R. Mead

In this report, the authors discuss how security requirements engineering can incorporate reusable requirements.

September 2010 - Technical Report Building Assured Systems Framework

Authors: Nancy R. Mead, Julia H. Allen

This report presents the Building Assured Systems Framework (BASF) that addresses the customer and researcher challenges of selecting security methods and research approaches for building assured systems.

August 2010 - Technical Report Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Julia H. Allen, Mark A. Ardis (Stevens Institute of Technology), Thomas B. Hilburn (Embry-Riddle Aeronautical University), Andrew J. Kornecki (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory), James McDonald (Monmouth University)

In this report, the authors present a master of software assurance curriculum that educational institutions can use to create a degree program or track.

August 2010 - Technical Report Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Thomas B. Hilburn (Embry-Riddle Aeronautical University), Richard C. Linger (Oak Ridge National Laboratory)

In this report, the authors describe seven courses for an undergraduate curriculum specialization for software assurance.

July 2010 - White Paper Security Requirements Engineering

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this paper, Nancy Mead how a systematic approach to security requirements engineering helps to avoid problems.

July 2010 - Technical Note Adapting the SQUARE Process for Privacy Requirements Engineering

Topics: Cyber Risk and Resilience Management

Authors: Ashwini Bijwe (Carnegie Mellon University), Nancy R. Mead

In this 2010 report, the authors explore how the SQUARE process can be adapted for privacy requirements engineering in software development.

February 2010 - White Paper Adapting the SQUARE Method for Security Requirements Engineering to Acquisition

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this paper, Nancy Mead adapts the SQUARE process for security requirements engineering to different acquisition situations.

February 2010 - Conference Paper Workshop: How to Get Started in Software Assurance Education

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this workshop, software assurance education is introduced to faculty who are interested in adding these concepts to existing and new educational programs.

July 2009 - Special Report Privacy Risk Assessment Case Studies in Support of SQUARE

Topics: Cybersecurity Engineering

Authors: Varokas Panusuwan, Prashanth Batlagundu, Nancy R. Mead

In this report, the authors describe enhancements to the SQUARE method for addressing privacy requirements.

May 2009 - Webinar SQUARE Up Your Security Requirements Engineering with SQUARE

Topics: Cyber Risk and Resilience Management

Authors: Nancy R. Mead

In this 2009 webinar, Nancy Mead provides an overview of the CERT SQUARE process, and discusses current activities and plans.

April 2009 - Special Report Making the Business Case for Software Assurance

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead, Julia H. Allen, W. Arthur Conklin, Antonio Drommi, John Harrison, Jeff Ingalsbe (University of Detroit Mercy), James Rainey, Dan Shoemaker (University of Detroit Mercy)

In this report, the authors provide advice for those making a business case for building software assurance into software products during software development.

January 2009 - Book Chapter Novel Methods of Incorporating Security Requirements Engineering into Software Engineering Courses

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Dan Shoemaker (University of Detroit Mercy)

In this book chapter, the authors describe methods of incorporating security requirements engineering into software engineering courses and curricula.

September 2008 - Book Chapter Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method - Information Security and Ethics

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this book chapter, Nancy Mead describes issues in developing security requirements, useful methods, including details about the SQUARE method.

July 2008 - Podcast Identifying Software Security Requirements Early, Not After the Fact

Topics: Software Assurance

Authors: Nancy R. Mead, Julia H. Allen

In this podcast, Nancy Mead explains that during requirements engineering, software engineers need to think about how software should behave when under attack.

June 2008 - Special Report SQUARE-Lite: Case Study on VADSoft Project

Topics: Cyber Risk and Resilience Management

Authors: Ashwin Gayash, Venkatesh Viswanathan, Deepa Padmanabhan, Nancy R. Mead

In this 2008 report, the authors describe SQUARE and SQUARE-Lite, and using SQUARE-Lite to develop security requirements for a financial application.

May 2008 - Technical Note Incorporating Security Quality Requirements Engineering (SQUARE) into Standard Life-Cycle Models

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Venkatesh Viswanathan, Deepa Padmanabhan, Anusha Raveendran

In this 2008 report, the authors describe how SQUARE can be incorporated into standard lifecycle models for security-critical projects.

March 2008 - Book Software Security Engineering: A Guide for Project Managers (book)

Topics: Cybersecurity Engineering

Authors: Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead

In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.

August 2007 - Technical Note How To Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this 2007 report, Nancy Mead describes SQUARE, and outlines other methods used for identifying security requirements.

August 2006 - Book Chapter Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method - Integrating Security and Software Engineering

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this book chapter, Nancy Mead describes the SQUARE method, which can be used to elicit, analyze, and document security requirements for software systems.

May 2006 - Special Report Security Quality Requirements Engineering (SQUARE): Case Study Phase III

Topics: Cyber Risk and Resilience Management

Authors: Lydia Chung, Frank Hung, Eric Hough, Don Ojoko-Adams, Nancy R. Mead

In this report, the authors present their results of using SQUARE when working with three clients over the course of a semester.

November 2005 - Technical Report Security Quality Requirements Engineering Technical Report

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead, Eric Hough, Ted Stehney II

In this 2005 report, the authors present the SQUARE Methodology for eliciting and prioritizing security requirements in software development projects.

August 2005 - Book Chapter Recommended Practices - Chapter from Secure Coding in C and C++

Topics: Cybersecurity Engineering

Authors: Noopur Davis, Chad Dougherty, Nancy R. Mead,

In this book chapter, the authors recommend specific development practices for improving the overall security of your C/C++ application.

May 2005 - Special Report System Quality Requirements Engineering (SQUARE): Case Study on Asset Management System, Phase II

Topics: Cyber Risk and Resilience Management

Authors: Dan Gordon, Neha Wattas, Eugene Yu, Ted Stehney II, Nancy R. Mead

In this report, the authors describe the second phase of an application of the SQUARE Methodology on an asset management system.

December 2004 - Special Report Systems Quality Requirements Engineering (SQUARE) Methodology: Case Study on Asset Management System

Topics: Cyber Risk and Resilience Management

Authors: Peter Chen, Marjon Dean, Don Ojoko-Adams, Hassan Osman, Lilian Lopez, Nick Xie, Nancy R. Mead

In this 2004 report, the authors describe the first case study that applied the SQUARE methodology to an organization.

November 2004 - Technical Note SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies

Topics: Cyber Risk and Resilience Management

Authors: Nick Xie, Nancy R. Mead, Peter Chen, Marjon Dean, Lilian Lopez, Don Ojoko-Adams, Hassan Osman

In this 2004 report, the authors describe a cost/benefit analysis for estimations in small companies' information security improvement projects.

October 2004 - Technical Report Results of SEI Independent Research and Development Projects and Report on Emerging Technologies and Technology Trends (FY 2004)

Authors: John K. Bergey, Edwin J. Morris, Jeannine Siviy, Dennis B. Smith, William O'Brien, Carol Woody, Sven Dietrich, Donald Firesmith, Eileen C. Forrester, Angel Jordan, Rick Kazman, Grace Lewis, Howard F. Lipson, Nancy R. Mead

This report describes the IR&D projects that were conducted during fiscal year 2004 (October 2003 through September 2004).

September 2004 - Book Chapter Industrial Input to the Computing Curriculum

Topics: Cybersecurity Engineering

Authors: Nancy R. Mead

In this book chapter, the authors discuss successful collaborations between industry and universities that improve software engineering education.

September 2003 - Technical Note Requirements Engineering for Survivable Systems

Topics: Cybersecurity Engineering, Software Assurance

Authors: Nancy R. Mead

In this 2003 report, Nancy Mead describes the state of requirements engineering for survivable systems.

July 2003 - Special Report International Liability Issues for Software Quality

Topics: Cyber Risk and Resilience Management

Authors: Nancy R. Mead

In this 2003 report, Nancy Mead focuses on international liability as it relates to information security for critical infrastructure applications.

October 2002 - Technical Report Life-Cycle Models for Survivable Systems

Topics: Cybersecurity Engineering, Software Assurance

Authors: Richard C. Linger (Oak Ridge National Laboratory), Howard F. Lipson, John McHugh, Nancy R. Mead, Carol A. Sledge

In this 2002 report, the authors describe a software development life-cycle model for survivability and illustrate techniques to support survivability goals.

July 2002 - Special Report Reeducation to Expand the Software Engineering Workforce: Successful Industry/University Collaborations

Topics: Cybersecurity Engineering, Software Assurance

Authors: Heidi J. Ellis, Ana M. Moreno (Universidad Politecnica de Madrid), Nancy R. Mead, Stephen B. Seidman

In this 2002 report, the authors describe a study of reeducating non-software professionals and practitioners to become software engineers.

May 2002 - White Paper Foundations for Survivable Systems Engineering

Authors: Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory), Nancy R. Mead, Andrew P. Moore

In this paper, the authors describe their efforts to perform risk assessment and analyze and design robust survivable systems.

December 2001 - Technical Note Can We Ever Build Survivable Systems from COTS Components?

Authors: Howard F. Lipson, Nancy R. Mead, Andrew P. Moore

In this 2001 report, the authors describe a risk-mitigation framework for deciding when and how COTS components can be used to build survivable systems.

September 2000 - Technical Report Survivable Network Analysis Method

Authors: Nancy R. Mead, Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory), Thomas A. Longstaff, John McHugh

This report, published in 2000, describes the SNA method developed at the SEI's CERT Coordination Center. The SNA method guides stakeholders through an analysis process intended to improve system survivability when a system is threatened.

September 1998 - Technical Report Case Study in Survivable Network System Analysis

Topics: Network Situational Awareness

Authors: Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory), Thomas A. Longstaff, Nancy R. Mead

In this report, the authors present a method for analyzing the survivability of distributed network systems and an example of its application.

November 1997 - Technical Report Survivable Network Systems: An Emerging Discipline

Authors: David Fisher, Richard C. Linger (Oak Ridge National Laboratory), Howard F. Lipson, Thomas A. Longstaff, Nancy R. Mead, Robert J. Ellison

This 1997 report describes the survivability approach to helping assure that a system that must operate in an unbounded network is robust in the presence of attack and will survive attacks that result in successful intrusions.

November 1996 - Technical Report Best Training Practices Within the Software Engineering Industry

Authors: Nancy R. Mead, Lawrence Tobin, Suzanne D. Couturiaux

This report provides the results of a benchmarking study to identify the best training practices within the software engineering community.

January 1996 - White Paper A Case Study in Requirements for Survivable Systems

Authors: Robert J. Ellison, Richard C. Linger (Oak Ridge National Laboratory), Thomas A. Longstaff, Nancy R. Mead

This case study summarizes the application and results of applying the SNA method to a subsystem of a large-scale, distributed healthcare system.