Cybersecurity Engineering Publications

Identifying Software Security Requirements Early, Not After the Fact
In this podcast, Nancy Mead discusses how early identification of requirements reduces total cost, how security requirements are different, and how to get started.

Security Quality Requirements Engineering (SQUARE) Methodology
In this 2005 report, the authors present the SQUARE Methodology for eliciting and prioritizing security requirements in software development projects.

Software Supply Chain Risk Management: From Products to Systems of Systems
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.

Measuring Software Security
In this report, the authors examine how decision makers can measure and monitor the security posture of large, networked, software-reliant systems.

Survivability Analysis Framework
In this report, the authors describe the Survivability Analysis Framework, which is used to evaluate critical operational capabilities.

Building Assured Systems Framework (BASF)
In this report, the authors explain the benefits of investing in building assured systems.

Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum
In this report, the authors present a master of software assurance curriculum that educational institutions can use to create a degree program or track.

  • 1996

  • 01/01/1996 Continuous Risk Management Guidebook This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.

General Information

Software Security Engineering: A Guide for Project Managers
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.

Identifying Software Security Requirements Early, Not After the Fact
In this podcast, Nancy Mead discusses how early identification of requirements reduces total cost, how security requirements are different, and how to get started.

Build Security In articles
In these articles on the US-CERT website called Build Security In, authors cover a variety of related topics.

Security Quality Requirements Engineering (SQUARE)

Security Quality Requirements Engineering (SQUARE) Methodology
In this 2005 report, the authors present the SQUARE Methodology for eliciting and prioritizing security requirements in software development projects.

P-Square Tool Video Demonstrations
This series of short video demonstrations shows you how to use the P-SQUARE tool.

Adapting the SQUARE Process for Privacy Requirements Engineering
In this 2010 report, the authors explore how the SQUARE process can be adapted for privacy requirements engineering in software development.

Adapting the SQUARE Method for Security Requirements Engineering to Acquisition
In this paper, Nancy Mead adapts the SQUARE process for security requirements engineering to different acquisition situations.

Systems Quality Requirements Engineering (SQUARE) Methodology: Case Study on Asset Management System
In this 2004 report, the authors describe the first case study that applied the SQUARE methodology to an organization.

SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies
In this 2004 report, the authors describe a cost/benefit analysis for estimations in small companies' information security improvement projects.

System Quality Requirements Engineering (SQUARE): Case Study on Asset Management System, Phase II
In this report, the authors describe the second phase of an application of the SQUARE Methodology on an asset management system.

Security Quality Requirements Engineering (SQUARE) Methodology
In this report, the authors describe the second phase of an application of the SQUARE Methodology on an asset management system.

Security Quality Requirements Engineering (SQUARE) Case Study Phase III
In this report, the authors present their results of using SQUARE when working with three clients over the course of a semester.

Security Requirements Reusability and the SQUARE Methodology
In this report, the authors discuss how security requirements engineering can incorporate reusable requirements.

How To Compare the Security Quality Requirements Engineering (SQUARE) Method with Other Methods
In this 2007 report, Nancy Mead describes SQUARE, and outlines other methods used for identifying security requirements.

Incorporating Security Quality Requirements Engineering (SQUARE) into Standard Life-Cycle Models
In this 2008 report, the authors describe how SQUARE can be incorporated into standard lifecycle models for security-critical projects.

SQUARE-Lite: Case Study on VADSoft Project
In this 2008 report, the authors describe SQUARE and SQUARE-Lite and the use of SQUARE-Lite to develop security requirements for a financial application.

Privacy Risk Assessment Case Studies in Support of SQUARE
In this report, the authors describe enhancements to the SQUARE method for addressing privacy requirements.

Identifying Security Requirements Using the SQUARE Method
In this book chapter, the authors describe general issues in developing security requirements, methods that have been useful, and a method (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems.

Software Security Engineering: A Guide for Project Managers
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.

Novel Methods of Incorporating Security Requirements Engineering into Software Engineering Courses
In this book chapter, the authors describe methods of incorporating security requirements engineering into software engineering courses and curricula, the importance of security requirements engineering, and the relationship of security knowledge to general computing knowledge by comparing a security body of knowledge to standard computing curricula.

Security Requirements Engineering for Software Systems: Case Studies in Support of Software Engineering Education
In this report, the authors focus on three case studies in which graduate students applied a novel security requirements engineering methodology to real-world software development projects. The experiences showed promise for curriculum integration in educating students about the importance of security requirements in software engineering, as well as how to develop such requirements.

Experiences in Eliciting Security Requirements
In this article, Nancy Mead describes an approach for doing trade-off analysis among requirements elicitation methods. Several case studies were conducted in security requirements elicitation; the detailed results of one case study and brief results of two other case studies are presented here.

Incorporating Security Requirements Engineering into the Rational Unified Process
In this paper, the authors provide a roadmap for developing security-critical projects using the Rational Unified Process as a framework for development.

Incorporating Security Requirements Engineering into the Dynamic Systems Development Method
In this paper, the authors provide a roadmap for addressing security requirements on projects using an agile approach.

Incorporating Security Requirements Engineering into Standard Lifecycle Processes
In this paper, the authors give an overview of various standard lifecycle development processes. They then provide a roadmap for developing security-critical projects using the Rational Unified Process as a framework for development.

Computer-Aided Privacy Requirements Elicitation Technique
In this paper, the authors propose a computer-aided Privacy Requirements Elicitation Technique (PRET) that helps software developers elicit privacy requirements more efficiently in the early stages of software development.

Ensuring Cost Efficient and Secure Software through Student Case Studies in Risk and Requirements Prioritization
In this paper, the authors present a discussion of educational case studies used in security requirements assessment and requirements prioritization.

Square Up Your Security Requirements Engineering with SQUARE
In this 2009 webinar, Nancy Mead provides an overview of the CERT SQUARE process, and discusses current activities and plans.

Integrating Privacy Requirements into Security Requirements Engineering
In this paper, the authors examine a method for identifying privacy requirements within the context of a security requirements engineering method. The paper briefly describes the Security Quality Requirements Engineering (SQUARE) methodology.

Benefits and Challenges in the Use of Case Studies for Security Requirements Engineering Methods
In this article, the authors explain how pilot case studies in security requirements engineering provide both benefits and challenges to the underlying research, education, and technology transition effort.

Teaching Security Requirements Engineering Using SQUARE
In this paper, the authors detail the validation of a comprehensive teaching model for security requirements engineering which ensures that security is built into the software from its inception. It centers on the employment of the SQUARE method for secure software requirements engineering.

Privacy Risk Assessment in Privacy Requirements Engineering
In this paper, the authors propose considering security risk assessment along with privacy impact and risk assessment approaches using the Security Quality Requirements Engineering (SQUARE) method. The study focuses on PIA and HIPAA as privacy risk assessment techniques.

Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method - Integrating Security and Software Engineering
In this book chapter, Nancy Mead describes general issues in developing security requirements, methods that have been useful, and a method (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems.

Identifying Security Requirements Using the Security Quality Requirements Engineering (SQUARE) Method - Information Security and Ethics
In this book chapter, Nancy Mead describes general issues in developing security requirements, methods that have been useful, and a method (SQUARE) that can be used for eliciting, analyzing, and documenting security requirements for software systems.

Supply Chain Assurance

Software Supply Chain Risk Management: From Products to Systems of Systems
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.

Evaluating and Mitigating Software Supply Chain Security Risks
In this 2010 report, the authors identify software supply chain security risks and specify the evidence to gather to determine if these risks were mitigated.

Securing Global Software Supply Chains
In this webinar, Robert J. Ellison discusses an ongoing SEI effort to develop an approach for assessing software supply chains and identifying the associated software assurance risks.

A Systemic Approach for Assessing Software Supply-Chain Risk
In this paper, the authors highlight the approach being implemented by SEI researchers and provide a summary of the status of this work.

Software Security Measurement and Analysis

Mission Risk Diagnostic (MRD) Method Description
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.

Deriving Software Security Measures from Information Security Standards of Practice
In this white paper, the authors describe an approach for deriving measures of software security from established and commonly used standard practices.

Risk-Based Measurement and Analysis: Application to Software Security
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.

Security Measurement and Analysis
In this presentation, the authors describe work being performed by the SEI in the area of security measurement and analysis.

Measuring Software Security Assurance
In this report, the authors examine how decision makers can measure and monitor the security posture of large, networked, software-reliant systems.

Integrated Measurement and Analysis Framework for Software Security
In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).

Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.

Survivability Analysis Framework (SAF)

Survivability Analysis Framework
In this report, the authors describe the Survivability Analysis Framework, which is used to evaluate critical operational capabilities.

Survivability Analysis Framework Webinar
In this October 2009 webinar, Robert J. Ellison and Carol Woody present the Survivability Analysis Framework.

Survivability Assurance for System of Systems
In this report, the authors describe the Survivability Analysis Framework, a structured view of people, process, and technology.

Complexity Modeling and Analysis

Building Assured Systems Framework (BASF)
In this report, the authors explain the benefits of investing in building assured systems.

Software Assurance

A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project
In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting.

Improving Software Assurance
In this paper, the authors discuss what practitioners should know about software assurance, where to look, what to look for, and how to demonstrate improvement.

2013 IJSSE Special Issue on Cybersecurity Scientific Validation
In this special issue of the International Journal of Secure Software Engineering (IJSSE), the authors focus on software assurance topics.

Principles and Measurement Models for Software Assurance
In this book chapter, the authors present a measurement model with seven principles that capture the fundamental managerial and technical concerns of development and sustainment.

Considering Operational Security Risk During System Development
In this article, the authors examine OCTAVE, an operational security-risk methodology, and apply it to security-related risks during system development.

Eliciting and Analyzing Quality Requirements: Management Influences on Software Quality Requirements
In this 2005 report, Carol Woody documents how environments for system development can support or reject improved quality requirements elicitation mechanisms.

Software Assurance Measurement—State of the Practice
In this report, the authors describe the current state of the practice and emerging trends in software assurance measurement.

Software Assurance Curriculum

Development of a Master of Software Assurance Reference Curriculum
In this paper, the authors present an overview of the Master of Software Assurance curriculum, including its history, student prerequisites, and outcomes.

Graduate Curricula in Software Engineering and Software Assurance: Need and Recommendations
In this paper, the authors discuss two efforts to provide guidance about improving professional software engineering through graduate education: a project which produced the Graduate Software Engineering 2009: Curriculum Guidelines for Graduate Degree Programs in Software Engineering and a current SEI project which is developing a Master of Software Assurance Reference Curriculum.

Software Assurance Curriculum Project Volume III: Master of Software Assurance Course Syllabi
In this report, the authors provide sample syllabi for the nine core courses in the Master of Software Assurance Reference Curriculum.

Software Assurance Curriculum Master Bibliography and Course References
In this report, the authors provide the master bibliography that is used with the software assurance curriculum.

Software Assurance Curriculum Project Volume IV: Community College Education
In this report, the authors focus on community college courses for software assurance.

Software Assurance Curriculum Project Volume I: Master of Software Assurance Reference Curriculum
In this report, the authors present a master of software assurance curriculum that educational institutions can use to create a degree program or track.

Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines
In this report, the authors describe seven courses for an undergraduate curriculum specialization for software assurance.

Two Initiatives for Disseminating Software Assurance Knowledge
In this article, the authors describe two efforts that support national cybersecurity education goals: development of SwA learning artifacts that can be integrated into conventional learning environments and establishment of a reference curriculum for a master's degree program, known as the MSwA.

Integrating the Master of Software Assurance Reference Curriculum into the Model Curriculum and Guidelines for Graduate Degree Programs in Information Systems
In this report, the authors examine how the Master of Software Assurance Reference Curriculum can be used for a Master of Science in Information Systems.

Engaging the Community: Strategies for Software Assurance Curricula Outreach
In this paper, Carol Sledge explores strategies a team of educators used to encourage the community of computing educators to adopt software assurance curricula.

How to Get Started in Software Assurance Education
In this paper, the authors explain the goals of a CSEET Workshop where software assurance education was introduced to faculty members who are interested in incorporating software assurance concepts into existing and new degree programs.

MSwA Curriculum Overview Presentation to Faculty
This tailorable presentation can be used to brief faculty on the MSwA Curriculum.

Software Assurance: A Master's Level Curriculum
In this podcast, Nancy Mead, Thomas Hilburn, Richard Linger, and Julia Allen discuss how knowledge about software assurance is essential to ensure that complex systems function as intended.

Novel Methods of Incorporating Security Requirements Engineering into Software Engineering Courses and Curricula
In this book chapter, the authors describe methods of incorporating security requirements.

2010 IJSSE Special Issue on Software Security Engineering Education
In this preface, the authors describe the rest of the issue, which discusses how to bring software security education to the mainstream.

Risk Management

Risk Management Framework
In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.

Risk-Based Measurement and Analysis: Application to Software Security
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.

Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
In this report, the authors describe a four-stage cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.

Managing Information Security Risks: The OCTAVE Approach
In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0 
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.

An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.

Mission Risk Diagnostic (MRD) Method Description
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.

Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
The purpose of this 2008 document is to preview a core set of activities and outputs that define a MAAP assessment.

Continuous Risk Management Guidebook
In this book, the authors describe the underlying principles, concepts, and functions of risk management and provide guidance on how to implement it as a continuous practice in your projects and organization.

A Framework for Categorizing Key Drivers of Risk
This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.

Considering Operational Security Risk during System Development
In this paper, the authors examine OCTAVE, an operational security-risk methodology, and apply it to the security-related risks identifiable while developing software-intensive systems.

HIPAA and Information Security Risk: Implementing an Enterprise-Wide Risk Management Strategy
In this article, the authors describe an information security risk evaluation that enables risk assessment and mitigation consistent with HIPAA guidelines.

P-SQUARE Tool Video Demonstrations
This series of short video demonstrations shows users how to use the P-SQUARE tool.

Navigating the Waters of Incident Response and Recovery
In this video, the authors present how to navigate the waters of incident response and recovery.

Importance of Cybersecurity in Healthcare
In this video, Nate Silcox presents how important cybersecurity is in healthcare.

Cybersecurity HIE Welcome and Overview
In this video, Sam Merrell welcomes attendees at The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges.

Pennsylvania's Journey for Health Information Exchange
This presentation at The CERT Symposium on Cyber Security Incident Management for Health Information Exchanges was delivered on June 26, 2013.

Cyber Security Service Level Agreements
In this video, Matthew Butkovic presents information about cyber security service level agreements.

Overview of Cyber Security Incident Management
In this video, Mark Zajicek presents an overview of cyber security incident management.

HIE Sustainability Under Cyber Security
In this video, Buddy Gillespie presents on health information exchange sustainability under cybersecurity.

Principles for Establishing a Practical Cyber Security Incident Management Process in Your HIE
In this video, John Houston presents principles for establishing a practical cyber security incident management process.

Medical Identity Theft, an Alarming Trend: Incident Response Considerations
In this video, Greg Porter presents an alarming trend, medical identity theft.