Opinions of the Software and Supply Chain Assurance Forum on Education, Training, and Certifications
Beatrix Boyens
Pub Date: 2018-04-01
DOI: 10.4018/IJSSSP.2018040101 (https://doi.org/10.4018/IJSSSP.2018040101)
Int. J. Syst. Softw. Secur. Prot.
This article provides an overview of discussions held at the Software and Supply Chain Assurance (SSCA) forum held May 1-2, 2018, in McLean, Virginia. The two-day event focused on education and training for software assurance (SwA) and Cyber-Supply Chain Risk Management (C-SCRM). Attendees discussed questions such as “What are some challenges facing industry, academia, and government organizations in this area?” “Who needs education or training?” “What needs to be taught?” and “What strategies do or do not work?” Discussions related to the current environment, hiring and retaining qualified employees, defining roles and responsibilities, and the knowledge, skills, and abilities (KSAs) that are most in demand.
A Case for Using Blended Learning and Development Techniques to Aid the Delivery of a UK Cybersecurity Core Body of Knowledge
D. Bird, J. Curry
Pub Date: 2018-04-01
DOI: 10.4018/IJSSSP.2018040103 (https://doi.org/10.4018/IJSSSP.2018040103)
Int. J. Syst. Softw. Secur. Prot.
This article explores the UK's current approach in addressing the cybersecurity skills gap championed by the National Cyber Security Strategy. There have been progressive and elaborate steps taken in the UK toward professionalization of the cybersecurity field. However, cybersecurity knowledge has been labelled as inconsistent when a cybersecurity Chartered status is being proposed. The objective of this analysis was to apply an academic lens over the UK's voyage towards the establishment of a cybersecurity profession. It has been an ambitious but complex endeavor that at times has had alterations of course. Learning from this experience, a blended learning and development approach is now recommended, underpinned by an overarching core knowledge framework. Such a framework could join up the existing silos of learning and development activities to benefit from, and build upon, a coherent core knowledge base for the community. It is argued that this will provide a more satisfactory outcome to enhance the UK's cybersecurity capability on the road to a cybersecurity profession.
Enhancing a SCRM Curriculum With Cybersecurity
W. A. Conklin, C. Bronk
Pub Date: 2018-04-01
DOI: 10.4018/IJSSSP.2018040104 (https://doi.org/10.4018/IJSSSP.2018040104)
Int. J. Syst. Softw. Secur. Prot.
Supply chain-related curricula exist across many universities, with many including risk management as an important or focal element. With the rise of software-driven technology across the supply chain, how can firms manage the inherent risks associated with software as part of a procurement process? This article examines how to provide context-appropriate cybersecurity exemplars in a model supply chain education program, bringing to light the issue of embedded risk in software acquisition. Through a series of specifically placed educational elements that provide targeted cybersecurity knowledge to students, the objective is to provide additional skill sets for future supply chain professionals to assist firms in including software-related cybersecurity risk as a component in SCRM.
Fitting Security into Agile Software Development
Kalle Rindell, S. Hyrynsalmi, V. Leppänen
Pub Date: 1900-01-01
DOI: 10.4018/IJSSSP.2018010103 (https://doi.org/10.4018/IJSSSP.2018010103)
Int. J. Syst. Softw. Secur. Prot.
Security objectives in software development are increasingly convergent with the business objectives, as requirements for privacy and the cost of security incidents call for more dependable software products. The development of secure software is accomplished by augmenting the software development process with specific security engineering activities. Security engineering, in contrast to the iterative and incremental software development processes, is characterized by sequential life cycle models: the security objectives are thus to be achieved by conflicting approaches. In this study, to identify the incompatibilities between the approaches, the security engineering activities from the Microsoft SDL, the ISO Common Criteria and the OWASP SAMM security engineering models are mapped onto common agile software development processes, practices and artifacts.
Weaving Security into DevOps Practices in Highly Regulated Environments
J. Morales, Hasan Yasar, A. Volkmann
Pub Date: 1900-01-01
DOI: 10.4018/IJSSSP.2018010102 (https://doi.org/10.4018/IJSSSP.2018010102)
Int. J. Syst. Softw. Secur. Prot.
In this article, the authors discuss enhancing a DevOps implementation in a highly regulated environment (HRE) with security principles. DevOps has become a standard option for entities seeking to streamline and increase participation by all stakeholders in their Software Development Lifecycle (SDLC). For a large portion of industry, academia, and government, applying DevOps is a straightforward process. There is, however, a subset of entities in these three sectors where applying DevOps can be very challenging. These are entities mandated by security policies to conduct all, or a portion, of their SDLC activities in an HRE. Often, the reason for an HRE is protection of intellectual property and proprietary tools, methods, and techniques. Even if an entity is functioning in a highly regulated environment, its SDLC can still benefit from implementing DevOps as long as the implementation conforms to all imposed policies. A benefit of an HRE is the existence of security policies that belong in a secure DevOps implementation. Layering an existing DevOps implementation with security will benefit the HRE as a whole. This work is based on the authors' extensive experience in assessing and implementing DevOps across a diverse set of HREs. First, they extensively discuss the process of performing a DevOps assessment and implementation in an HRE. They follow this with a discussion of the security principles a DevOps-enhanced SDLC should include. For each security principle, the authors discuss its importance to the SDLC and its appropriate placement within a DevOps implementation. They refer to a security-enhanced DevOps implementation in an HRE as HRE-DevSecOps.
Challenges and Solutions for Addressing Software Security in Agile Software Development: A Literature Review and Rigor and Relevance Assessment
Ronald Jabangwe, Kati Kuusinen, K. R. Riisom, M. S. Hubel, H. M. Alradhi, Niels Bonde Nielsen
Pub Date: 1900-01-01
DOI: 10.4018/IJSSSP.2018010101 (https://doi.org/10.4018/IJSSSP.2018010101)
Int. J. Syst. Softw. Secur. Prot.