Challenges of Integrating Software Assurance Engineering ... · “goodness” of the decision? ... Discussion, Raytheon, April 2017. ... F-22 CRC Tact’l Net Ops ASOC Tact’l Net

© 2017 Carnegie Mellon University

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213

Distribution Statement A: Approved for Public Release; Distribution is Unlimited

Challenges of Integrating

Software Assurance Engineering

Activities into the System

Acquisition Life Cycle

Dr. Kenneth E. Nidiffer

28th Annual IEEE Software Technology Conference

National Institute of Standards and Technology

Gaithersburg, MD

25–28 September 2017

2



STC

September 25,, 2017


Challenges of Integrating Software Assurance Engineering Activities into the System Acquisition Life Cycle

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

This material is based upon work funded and supported by the Department of Defense under Contract

No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering

Institute, a federally funded research and development center.

The view, opinions, and/or findings contained in this material are those of the author(s) and should not

be construed as an official Government position, policy, or decision, unless designated by other

documentation.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING

INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY

MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY

MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR

MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL.

CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH

RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited

distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or

electronic form without requesting formal permission. Permission is required for any other use.

Requests for permission should be directed to the Software Engineering Institute at

[email protected].

Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM17-0605

3



STC

September 25,, 2017


Source: SEI Increasing Globalization, Productivity, and Complexity

Software-Enabled Systems Are Today’s Strategic Resource

Dr. Bill Scherlis*

“Software is the building material for modern society”

Manual

Labor

Water

Steam

Oil

Software

//upload.wikimedia.org/wikipedia/commons/1/18/AndersonMill.jpg

//upload.wikimedia.org/wikipedia/commons/1/18/AndersonMill.jpg

4



STC

September 25,, 2017


Context: Increasingly Software Assurance Is a Moving Target

• Definition: Software assurance

provides the required level of

confidence that software functions

as intended (and no more) and is

free of vulnerabilities, either

intentionally or unintentionally

designed or inserted in software,

throughout the life cycle*

• Perspective: The changing and

expanding role that software plays in

cyberspace means that the

development of software-intensive

systems must continue to evolve

while we pursue software assurance

Source: SEI* NDAA 2013, Section 933

5



STC

September 25,, 2017


1. Increasing complexity of software-intensive systems

2. Satisfying unique operational mission and business needs

3. Solving the vulnerability identification chasm

4. Addressing system sustainment

5. Handling the expanding code base

6. Understanding attack patterns, vulnerabilities, and

weaknesses

7. Increasing vulnerabilities

8. Designing-in software quality throughout the life cycle

9. Reducing technical debt

10. Working in the infancy of the software engineering discipline

Challenges: Integrating Software Assurance Engineering Activities into the System Acquisition Life Cycle

6



STC

September 25,, 2017


- Program managers, assisted by supporting organizations to

the acquisition community, are responsible for the

cybersecurity of their programs, systems, and information…”

Context: Software Assurance/Cyber Imperative

• Software is a foundation of the DoD’s military power and the

building material for modern society

- Software assurance is a moving target

• The Office of the Under Secretary of Defense for Acquisition,

Technology, and Logistics (USD(AT&L)) updated DoDI

5000.02 to include a new Enclosure 14 - 2017. The policy

states, in part,

• Direct link between cybersecurity engineering and systems

and software assurance engineering*

*Cyber Security Engineering: A Practical Approach for Systems and Software

Assurance, Carol Woody and Nancy Mead, 2017

7



STC

September 25,, 2017


Context: Dynamics of Software

• Software is ubiquitous and growing in importance

• Codebases are increasing

• Vulnerabilities (defects, flaws) are increasing

• Software represents increasingly more

system functionality and cost

• Research is needed to address emerging software

challenges

• Software-reliant systems are becoming more

complex and intertwined

• There is national and global dependence on software

• We need to improve the management of software-

intensive systems

• Software assurance is increasingly important, and

achieving it is a moving target

8



STC

September 25,, 2017


Context: The Fabric of Computing Is Changing and Achievement of Software Assurance Is More Challenging

Source: SEI

9



STC

September 25,, 2017


Context: The DoD Should Expect Cyber Attacks to Be Part of All Conflicts in the Future*

“The DoD should not expect competitors to play by our version

of the rules”*

*Defense Science Board (DSB) Report, Jan 2013

10



STC

September 25,, 2017


Context: DoD Stakeholders and Different Perspectives on Software Assurance

Software Assurance

Mission Assurance

Cyber Resiliency

Source: DAU

11



STC

September 25,, 2017


Context: Effective Decision Making Increasingly Depends on Software Assurance

Decision

Maker

12



STC

September 25,, 2017


Context: Enduring Questions That Drive Hard Choices About Software Assurance

• How much is “enough software

assurance”?

• How much does “enough”

cost?

• Is “enough” affordable?

• How does one decide?

• How does one evaluate the

“goodness” of the decision?

Technical advancements in software assurance achievement, with

operational participation, are neededSource: SEI

13



STC

September 25,, 2017


Context: Future – Autonomous Systems Domain*

• Algorithmically driven agents will work in 5% of economic

transactions

• 20% of all business content will be authored by machines

• 6 billion connected things will be requesting support

• 50% of the fastest growing companies will have fewer

employees than smart machines

• More than 3 million workers globally will be supervised by

“robobosses”

DoD is increasingly employing autonomous capabilities across a

diverse number of systems

Source: DSB Study – June 2016

14



STC

September 25,, 2017


Context: Future – Autonomous Systems in Use Today and in the Future Are the Result of Decades of R&D

R&D areas include

• digitization of sensors

• adaptive algorithms

• natural user interfaces

• machine learning

• machine vision

• data analytics

Source: SEI

15



STC

September 25,, 2017


Context: Future – Impact of Increasing Software-Intensive Autonomous Systems

• Emergent behavior

• Continuous and asynchronous delivery

• Continuous system evolution

• Hard-to-define system boundaries

• Human-machine interface issues

• Data-rich environment

• Growing gap between information obtained using traditional

project measures and project managers’ information needs

- Software assurance is often assumed – rarely part of

Sections L &M of RFPs*

* Holly Dunlap, Cyber Resilient and Secure Weapon Systems Acquisition/Proposal

Discussion, Raytheon, April 2017

“POWER TO THE EDGE”Slide 16

F-35

F-22

CRC

Tact’l Net Ops

ASOC

Tact’l Net Ops

F-15C

ADC

F/A-18KC-135

F-35

High Alt

Gateway Relay

XX

X

ERMP

CAOC

DCGS

JFACC

Op EMS /Net Mgt

II

EC-130RC-135

B-1

B-52

RQ-4

A-10

F-16

H-60

B-2

TOC

DCGS

JFLCC JFMCC

Op EMS/Net Mgt

EMS/Net-Enabled

Attack / Weapons

Anti-access

EMS/Net-Enabled

SOF

EMS/Net-Enabled

Nuclear Response

E-2

Net-Enabled MAF

EMS/Net-Enabled C2 ISR

E-3

E-8

MQ-1/9

MUOS WGSCommercial

AEHF

B-52

Legacy TDLs

C-17

High Capacity Backbone

PermissiveContested

EMS/Net-

Enabled ISR

Voice

Link-16

VMF

SADL

Mid Alt

Gateway

Relay

Advanced TDLs

F-15E

Source: Kenneth R. Turner

Dep. Director, Spectrum

Policy and International

Engagements

DoD Chief Information Officer

Increasing Complexity of Cybersecurity SystemsComplexity and How We Interpret It Are Key Drivers in Assurance

3

UNCLASSIFIED

DoD must be able to operate

• between layers

• between networks

• between domains

• between environments

17



STC

September 25,, 2017


Satisfying Unique Operational Mission and Business

Needs as Commercial Products Are Integrated into

Military Systems

Source: SEI

http://www.bing.com/images/search?q=facebook+logo&id=B1BB872E048BBAC42E643B605530577BD4E9FAB3&FORM=IQFRBA

http://www.bing.com/images/search?q=facebook+logo&id=B1BB872E048BBAC42E643B605530577BD4E9FAB3&FORM=IQFRBA

18



STC

September 25,, 2017


Solving the Vulnerability Identification ChasmFirst line of defense in software assurance is the application (software) layer

84% of breaches exploit

vulnerabilities in the application1

1. Clark, Tim, “Most Cyber Attacks Occur

from This Common Vulnerability,”

Forbes, 03-10-2015

2. Feiman, Joseph, “Maverick Research:

Stop Protecting Your Apps; It’s Time for

Apps to Protect Themselves,” Gartner,

09-25-2014. G00269825

Yet funding for IT defense vs.

software assurance is 23 to 12

19



STC

September 25,, 2017


Addressing System SustainmentSoftware assurance development and sustainment activities need to be integrated across the entire system life cycle*

Break point where software is

handed off for sustainment is

increasing blurred

Involves coordinating

processes, procedures,

people, and information

Challenges include

• rising costs

• recertification/retesting

• dynamic operating environments

• legacy environments

• Life-cycle SwA activities and measures

Source: SEI

20



STC

September 25,, 2017


0 100 200 300 400 500 600

Boeing 787, total flight software

Android (upper estimate)

Linux 3.1 (recent version, 2013)

Apache Open Office

F-35 Fighter

Microsoft Office (2001)

Windows 2000 (2000)

Microsoft Office for Mac (2006)

Symbian

Windows 7

Windows XP (2001)

Microsoft Office (2013)

Large Hadron Collider

Microsoft Visual Studio 2012

Windows Vista (2007)

Facebook (without backend code)

US Army's Future Combat System

Debian 5.0 codebase

Mac OS X 10.4

Software in typical new car, 2013

Debian 5.0 (all software in package)

Healthcare.gov

Size of Codebase (SLOC)

Handling the Expanding Code BaseSoftware is dramatically expanding with limited natural governance

Source: David McCandless, “Information is Beautiful,” 21 September 2016 web retrieval

Millions of Source Lines of Code

Google = 2,000 MSLOC

21



STC

September 25,, 2017


Weakness

Weakness

Weakness

Weakness/Vulnerability

Reported

Asset

Attack

Impact

Item

Item

Item

Attack

Attack

Function

Asset

Impact

Impact

knownthreatactors

attack patterns(CAPEC)

weaknesses& vulnerabilities

(CWE/CVE)

actions*

technicalimpacts

operational impacts

• “Actions” include architecture choices; design choices; added security functions, activities, and processes; physical decomposition choices; static and dynamic code assessments; design reviews; dynamic testing; and pen testing.

• Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

System & System Security

EngineeringTrades

Understanding Attack Patterns, Vulnerabilities, and WeaknessesDefining software assurance attributes to satisfy information needs

water floodinghatch door

in sub

close door

sub fillsw/water sub sinks

Source: Bob Martin, MITRE

22



STC

September 25,, 2017


Increasing Vulnerabilities: CVE 1999 to 2017: Reported

Common Vulnerabilities and Exposures (CVE)

CVEs(reported, publicly known vulnerabilities and exposures with patches)

VULNERABILITIES

WEAKNESSES

CWEs(characterized, discoverable, possibly exploitable weaknesses with mitigations)

Zero-Day Vulnerabilities(previously unmitigated weaknesses that are exploited with little or no warning)

Uncharacterized Weaknesses

Unreported or undiscovered Vulnerabilities

Source: Dr. Robert A. Martin,

MITRE Corporation, May 2017

CWEs Zero Day

CVEs

Notional

Data

23



STC

September 25,, 2017


Designing-in Software Assurance Throughout the System Life Cycle

Sources: Critical Code; NIST, NASA, INCOSE, and Aircraft Industry Studies

Requirements

Engineering

System

Design

Software

Architectural

Design

Component

Software

Design

Code

Development

Unit

Test

Integration System

Test

Acceptance

Test

Operation

Where Software Flaws Are Introduced

70% 20% 10%

3.5% 16% 50.5% 9% 21%

Where Software Flaws Are Found

Special emphasis needed up-front in the system life cycle

24



STC

September 25,, 2017


24

Source:

Performance

of the

Defense

Acquisition

System

2015 Annual

Report, Sep.

16, 2015

Reducing Technical Debt

Right Direction if

More Assured

Programs

May Not Be Right

Direction if Pushing

Costs to Sustainment

25



STC

September 25,, 2017


Reducing Technical Debt Over the System Life Cycle

Source: U.S. Air Force Scientific Advisory Board. Sustaining Air Force Aging Aircraft into the 21st

Century (SAB-TR-11-01). U.S. Air Force, 2011.

26



STC

September 25,, 2017


Reducing Technical Debt: Engineering-in Software

Assurance Activities Across the Life Cycle

Full Rate Production

Decision Review

CA

Technology

Maturation &

Risk Reduction

Engineering &

Manufacturing

Development

Production and

Deployment

Operation and

Sustainment

SFR CDR TRR SVRASR

Materiel

Solution

Analysis

MDD

IOT&EOTRR

Requirements

Decision

Developmental RFP

Decision

PDR

B

AOA ICD

Criticality

AnalysisRFP

Threat

Vuln

Analysis

Understand

SwA Risks

Design

Inspection

Secure

Coding

Practices

Code

Inspection

Test

Coverage

Metrics

Monitor

Threats/

Attacks

Upgrade

SwADesign

Principles

Respond to

Incidents

Defects

Pen Test

Identify

Code

Flaws

Identify

Test

Gaps

IOC FOC

Vuln

Root

Cause

Effective

Threat

Response

Cyber

Situational

Awareness

Cyber

Hardened

Systems

Sound

Arch &

DesignMore

Secure

Code

Better

Test

Suites

SwA

Counter-

Measures

Fewer

Process

Vuln

Eliminate

Design

Flaws

SRR

Source: OSD/DASD/SE

.

27



STC

September 25,, 2017


Working in the Infancy of the Software Engineering DisciplineImproving the workforce by developing software core competencies and a DoD career field in software engineering

Physical Science Bioscience Computer/Software/Cyber Science

Origins/History Begun in antiquity Begun in antiquity Mid-20th century

Enduring Laws Laws are foundational to

furthering exploration in the

science

Laws are foundational to

furthering exploration in the

science

Only mathematical laws have proven

foundational to computation

Framework of

Scientific Study

Four main areas: astronomy,

physics, chemistry, and

earth sciences

Science of dealing with

health maintenance and

disease prevention and

treatment

• Several areas of study: computer

science, software/systems

engineering, IT, HCI, social

dynamics, AI

• All nodes are attached to and rely

on a netted system

R&D and Launch

Cycle

10–20 years 10–20 years Significantly compressed; solution

time to market must happen very

quickly

Source: SEIHCI: human–computer interaction; AI: artificial intelligence

28



STC

September 25,, 2017


Infancy of Software Engineering Discipline: Human-Machine Teaming

In the real world, autonomy is usually granted within some context—explicit or implicit

• parents and children

• soldiers, sailors, marines,

and airmen

How do we do this for machines?

• Explicit may be easy, but

implicit is hard for machines

• Commander’s intent

• Mission orders

Related to need for

explainability and predictability

Source: SEI

29



STC

September 25,, 2017


So Where Does This Lead Us?

• A more robust software assurance approach will be needed…

• Decision makers will need insight and understanding about

how to achieve software assurance

• As software-dominated system projects become larger in

scope/complexity, capitalizing on opportunities for making

better decisions will become more important

• Critical to shift from asking “what happened?” which is a question

of information based on sparse data

• To seeking insight by asking “what happened, why, how do we

solve the problem, and can we evaluate that it has been solved?”

• Enabling an engineering-based approach that seeks to design-

in software assurance is becoming more important

• DoD workforce needs a software engineering career field that

includes software assurance core competencies

30



STC

September 25,, 2017


Final Thought: Advanced Software Engineering with Operational Participation

Will determine if we create C-3PO and Johnny 5 . . .

Source: SEI

31



STC

September 25,, 2017


…or the Borg

AF

arc

hiv

e/A

lam

y S

toc

k P

ho

to

Source: SEI

32



STC

September 25,, 2017


Contact Information

Dr. Kenneth E. Nidiffer, Director of Strategic Plans

for Government Programs

Software Engineering Institute

Carnegie Mellon University

Office: + 1 703-247-1387

Fax: + 1 703-908-9235

Email: [email protected]

Documents

Challenges of Integrating Software Assurance Engineering ... · “goodness” of the decision? ... Discussion, Raytheon, April 2017. ... F-22 CRC Tact’l Net Ops ASOC Tact’l Net