, , , e.a.

System Assurance

Beyond Detecting Vulnerabilities

Paperback Engels 2010 9780123814142
Verwachte levertijd ongeveer 9 werkdagen

Samenvatting

System Assurance teaches students how to use Object Management Group’s (OMG) expertise and unique standards to obtain accurate knowledge about existing software and compose objective metrics for system assurance.

OMG’s Assurance Ecosystem provides a common framework for discovering, integrating, analyzing, and distributing facts about existing enterprise software. Its foundation is the standard protocol for exchanging system facts, defined as the OMG Knowledge Discovery Metamodel (KDM). In addition, the Semantics of Business Vocabularies and Business Rules (SBVR) defines a standard protocol for exchanging security policy rules and assurance patterns. Using these standards together, students will learn how to leverage the knowledge of the cybersecurity community and bring automation to protect systems.

This book includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture, and code analysis guided by the assurance argument. A case study illustrates the steps of the System Assurance Methodology using automated tools.

This book is recommended for technologists from a broad range of software companies and related industries; security analysts, computer systems analysts, computer software engineers-systems software, computer software engineers- applications, computer and information systems managers, network systems and data communication analysts.

Specificaties

ISBN13:9780123814142
Taal:Engels
Bindwijze:Paperback

Lezersrecensies

Wees de eerste die een lezersrecensie schrijft!

Inhoudsopgave

<p>Contents</p> <p>1. Why Hackers know more about our systems</p> <p>1.1 Operating in cyberspace involves risks</p> <p>1.2 Why Hackers are repeatadly successful</p> <p>1.2.1 What are the challenges in defending cybersystems?</p> <p>1.2.1.1 Difficulties in understanding and assessing risks</p> <p>1.2.1.2 Understanding Development Trends</p> <p>1.2.1.3 Comprehending Systems’ Complexity</p> <p>1.2.1.4 Understanding Assessment Practices and their Limitations</p> <p>1.2.1.5 Vulnerability Scanning Technologies and their Issues</p> <p>1.3 Where do We Go from Here</p> <p>1.3.1 Systematic and repeatable defense at affordable cost</p> <p>1.3.2 The OMG Software Assurance Ecosystem</p> <p>1.3.3 Linguistic Modeling to manage the common vocabulary</p> <p>1.4 Who should read this book</p> <p>2 Chapter: Confidence as a Product</p> <p>2.1 Are you confident that there is no black cat in the dark room?</p> <p>2.2 The Nature of Assurance</p> <p>2.2.1 Engineering, Risk and Assurance</p> <p>2.2.2 Assurance Case (AC)</p> <p>2.2.2.1 Contents of an Assurance Case</p> <p>2.2.2.2 Structure of the Assurance Argument</p> <p>2.3 Overview of the Assurance Process</p> <p>2.3.1 Producing Confidence</p> <p>2.3.1.1 Economics of Confidence</p> <p>3 Chapter: How to Build Confidence <p>3.1 Assurance in the System Lifecycle</p> <p>3.2 Activities of System Assurance Process</p> <p>3.2.1 Project Definition</p> <p>3.2.2 Project Preparation</p> <p>3.2.3 Assurance argument development</p> <p>3.2.4 Architecture Security Analysis</p> <p>3.2.4.1 Discover System Facts</p> <p>3.2.4.2 Threat identification</p> <p>3.2.4.3 Safeguard Identification</p> <p>3.2.4.4 Vulnerability detection</p> <p>3.2.4.5 Security Posture Analysis</p> <p>3.2.5 Evidence analysis</p> <p>3.2.6 Assurance Case Delivery</p> <p>4 Chapter: Knowledge of System as of Element in Cybersecurity argument </p> <p>4.1 What is system</p> <p>4.2 Boundaries of the system</p> <p>4.3 Resolution of the system description</p> <p>4.4 Conceptual commitment for system descriptions</p> <p>4.5 System architecture</p> <p>4.6 Example of an architecture framework</p> <p>4.7 Elements of System</p> <p>4.8 System Knowledge Involves Multiple Viewpoints</p> <p>4.9 Concept of operations (CONOP)</p> <p>4.10 Network Configuration</p> <p>4.11 System life cycle and assurance</p> <p>4.11.1 System life cycle stages</p> <p>4.11.2 Enabling Systems</p> <p>4.11.3 Supply Chain</p> <p>4.11.4 System life cycle processes</p> <p>4.11.5 The implications to the common vocabulary and the integrated system model</p> <p>5 Chapter: Knowledge of Risk as an Element of Cybersecurity argument </p> <p>5.1 Introduction</p> <p>5.2 Basic cybersecurity elements</p> <p>5.3 Common vocabulary for risk analysis</p> <p>5.3.1 Defining diScernable vocabulary for Assets</p> <p>5.3.2 Threats and hazards</p> <p>5.3.3 Defining dicernable vocabulary for Injury and Impact</p> <p>5.3.4 Defining dicernable vocabulary for threats</p> <p>5.3.5 Threat scenarios and attacks</p> <p>5.3.6 Defining dicernable vocabulary for vulnerabilities</p> <p>5.3.7 Defining dicernable vocabulary for safeguards</p> <p>5.3.8 Risk</p> <p>5.4 Systematic Threat Identification</p> <p>5.5 Assurance Strategies</p> <p>5.5.1 Injury Argument</p> <p>5.5.2 Entry point argument</p> <p>5.5.3 Threat argument</p> <p>5.5.4 Vulnerability argument</p> <p>5.5.5 Security requirement argument</p> <p>5.5.6 Assurance of the threat identification</p> <p>6 Chapter: Knowledge of Vulnerabilities as an Element of Cybersecurity Argument <p>6.1 Vulnerability as part of system knowledege</p> <p>6.1.1 What is Vulnerability</p> <p>6.1.2 Vulnerability as Unit of Knowledge: The History of Vulnerability</p> <p>6.1.3 Vulnerabilities and the Phases of the System Life Cycle</p> <p>6.1.4 Enumeration of Vulnerabilities as a Knowledge Product</p> <p>6.1.5 Vulnerability Databases</p> <p>6.1.5.1 US-CERT</p> <p>6.1.5.2 Open Source Vulnerability Database (OSVDB)</p> <p>6.1.6 Vulnerability Life Cycle</p> <p>6.2 NIST Security Content Automation Protocol (SCAP) Ecosystem</p> <p>6.2.1 Overview of SCAP Ecosystem</p> <p>6.2.2 Information Exchanges under SCAP</p> <p>7 Chapter: Vulnerability Patterns as a New Assurance Content </p> <p>7.1 Beyond Current SCAP Ecosystem</p> <p>7.2 Vulnerability Patterns</p> <p>7.3 Software Fault Patterns</p> <p>7.3.1 Safeguard category of clusters and corresponding Software fault Patterns (SFPs)</p> <p>7.3.1.1 Authentication</p> <p>7.3.1.2 Access Control</p> <p>7.3.1.3 Privilege</p> <p>7.3.2 Direct Impact category of clusters and corresponding Software fault Patterns (SFPs)</p> <p>7.3.2.1 Information Leak</p> <p>7.3.2.2 Memory Management</p> <p>7.3.2.3 Memory Access</p> <p>7.3.2.4 Path Resolution</p> <p>7.3.2.5 Tainted Input</p> <p>8 Chapter: OMG Software Assurance Ecosystem </p> <p>8.1 Introduction</p> <p>8.2 OMG Assurance Ecosystem: towards collaborative cybersecurity</p> <p>9 Chapter: Common Fact Model for Assurance Content</p> <p>9.1 Assurance Content</p> <p>9.2 The Objectives</p> <p>9.3 Design criteria for information exchange protocols</p> <p>9.4 Tradeoffs</p> <p>9.5 Information Exchange Protocols</p> <p>9.6 The Nuts and Bolts of Fact Models</p> <p>9.6.1 Objects</p> <p>9.6.2 Noun Concepts</p> <p>9.6.3 Facts about existence of objects</p> <p>9.6.4 Individual concepts</p> <p>9.6.5 Relations between concepts</p> <p>9.6.6 Verb concepts</p> <p>9.6.7 Characteristics</p> <p>9.6.8 Situational concepts</p> <p>9.6.9 Viewpoints and views</p> <p>9.6.10 Information exchanges and assurance</p> <p>9.6.11 Fact-oriented Integration</p> <p>9.6.12 Automatic derivation of facts</p> <p>9.7 The representation of facts</p> <p>9.7.1 Representing facts in XML</p> <p>9.7.2 Representing facts and schemes in Prolog</p> <p>9.8 The common schema</p> <p>9.9 System assurance facts</p> <p> 10 Chapter: Linguistic Models</p> <p>10.1 Fact Models and Linguistic Models</p> <p>10.2 Background</p> <p>10.3 Overview of SBVR</p> <p>10.4 How to use SBVR</p> <p>10.4.1 Simple vocabulary</p> <p>10.4.2 Vocabulary Entries</p> <p>10.4.3 Statements</p> <p>10.4.4 Statements as formal definitions of new concepts</p> <p>10.4.4.1 Definition of a Noun Concept</p> <p>10.4.4.2 Definition of a Verb Concept</p> <p>10.4.4.3 The General Concept caption</p> <p>10.5 SBVR Vocabulary for describing Elementary Meanings</p> <p>10.6 SBVR Vocabulary for describing Representations</p> <p>10.7 SBVR Vocabulary for describing Extensions</p> <p>10.8 Reference schemes</p> <p>10.9 SBVR Semantic Formulations</p> <p>10.9.1 Defining new terms and facts types using SBVR</p> <p>11 Chapter: Standard Protocol for Exchanging System Facts <p>11.1 Background</p> <p>11.2 Organization of the KDM vocabulary</p> <p>11.2.1 Infrastructure Layer</p> <p>11.2.2 Program Elements Layer</p> <p>11.2.3 Resource Layer</p> <p>11.2.4 Abstractions Layer</p> <p>11.3 The process of discovering system facts</p> <p>11.4 Discovering the baseline system facts</p> <p>11.4.1 Inventory views</p> <p>11.4.1.1 Inventory Viewpoint vocabulary in SBVR</p> <p>11.4.2 Build Views</p> <p>11.4.3 Data views</p> <p>11.4.4 UI views</p> <p>11.4.5 Code views</p> <p>11.4.5.1 Code views: Elements of Structure</p> <p>11.4.5.2 Code views: Elements of Behavior</p> <p>11.4.5.3 Micro KDM</p> <p>11.4.6 Platform views</p> <p>11.4.7 Event views</p> <p>11.5 Performing architecture analysis</p> <p>11.5.1 Structure Views</p> <p>11.5.2 Conceptual Views</p> <p>11.5.2.1 Linguistic Viewpoint</p> <p>11.5.2.2 Behavior Viewpoint</p> <p>12 Chapter: Case Study </p> <p>12.1 Introduction</p> <p>12.2 Background</p> <p>12.3 Concepts of operations</p> <p>12.3.1 Executive summary</p> <p>12.3.2 Purpose</p> <p>12.3.3 Locations</p> <p>12.3.4 Operational Authority</p> <p>12.3.5 System Architecture</p> <p>12.3.5.1 Clicks2Bricks Web server</p> <p>12.3.5.2 Database server</p> <p>12.3.5.3 SMTP server</p> <p>12.3.6 System Assumptions</p> <p>12.3.7 External dependencies</p> <p>12.3.8 Implementation Assumptions</p> <p>12.3.9 Interfaces with Other Systems</p> <p>12.3.10 Security assumptions</p> <p>12.3.11 External Security Notes</p> <p>12.3.12 Internal Security notes</p> <p>12.4 Business vocabulary and security policy for Clicks2Bricks in SBVR</p> <p>12.5 Building the integrated system model</p> <p>12.5.1 Building the baseline system model</p> <p>12.5.2 Enhancing the baseline model with the system architecture facts</p> <p>12.6 Mapping cybersecurity facts to system facts</p> <p>12.7 Assurance case</p>

Managementboek Top 100

Rubrieken

Populaire producten

    Personen

      Trefwoorden

        System Assurance