The Goals and Purpose for This Book
Security problems are on the front page of newspapers daily. A primary cause is that software is not designed and built to operate securely. Perfect security is not achievable for software that must also be usable, maintainable, fast and cheap, but realistic security choices do not happen by accident. They must be engineered. Software is in every field, and all those involved in its construction and use must learn how to choose wisely.
Security has traditionally been dealt with in operational, production environments as a reactive process focused on compliance mandates and response to incidents. Engineering requires structuring the capability to proactively plan and design for security during development and acquisition. Determining what security actions to take based on budget and schedule is not effective.
The book is primarily a reference and tutorial to expose readers to the range of capabilities available for building more secure systems and software. It could be used as an accompanying text in an advanced academic course or in a continuing education setting. Although it contains best practices and research results, it is not a “cookbook” that is designed to provide predictable, repeatable outcomes.
After reading this book, the reader will be prepared to:
• Define and structure metrics to manage cyber security engineering
• Identify and evaluate existing competencies and capabilities for cyber security engineering
• Identify competency and capability gaps for cyber security engineering
• Define and prioritize cyber security engineering needs
• Explore a range of options for addressing cyber security engineering needs
• Plan for improvements in cyber security engineering performance
The book will begin with an introduction to seven principles of software assurance, followed by chapters addressing the key areas of cyber security engineering. The principles presented in this book provide a structure for prioritizing the wide range of possible actions, helping to establish why some actions should be a priority and how to justify the investments required to take them. Existing security materials focus heavily on the actions to be taken (best practices) with little explanation of why they are needed and how one can recognize whether actions are being performed effectively. This book is structured using a group of assurance principles that form a foundation of why actions are needed and how to go about addressing them.