Developing Cyber-Resilient Systems
Cyber Resilience is the ability to architect and build software that can withstand malicious attacks and continue to operate in unexpected circumstances (labeled as edge or corner cases by QA professionals). Cyber-resilient systems are less likely to suffer unauthorized penetrations, outages, data corruption, slow recovery times, and other operational problems. Regardless of whether software runs in core legacy systems, web apps, mobile apps, or IoT devices, cyber-resilient coding practices are critical for the safe, confidential, and sustained operation of software systems.
CISQ has developed international standards for measuring the software quality attributes of source code that most determine its level of cyber resilience. CISQ’s measures for Reliability and Security (approved by OMG® as international standards) directly measure violations of good architectural and coding practice that most affect cyber resilience. These standards are being used to assess the cyber resilience of existing systems, as well as being included in contracts to clarify expectations concerning the cyber resilience of delivered source code. The CISQ Cyber Resilience Summit is the single most important event in the industry addressing cyber resilience issues in software-intensive systems.
For more information, read CISQ's paper: How Do You Measure Software Resilience
Watch a Webinar
Reducing Software Vulnerabilities – The “Vital Few” Process and Product Metrics
Speakers: Dr. Bill Curtis, Executive Director, CISQ; Girish Seshagiri, EVP/CTO, ISHPI
This webinar demonstrates the combined impact of high maturity processes and disciplined agile teams on secure software development. Learn how disciplined agile teams consistently deliver substantially defect-free software on predictable cost, and schedule by making quality the number one goal of every project. The teams build security throughout the life cycle and do not rely on testing alone for defect removal. Customer benefits include dramatically reduced number of security incidents attributable to poor quality software code and reduced operations and maintenance costs. While time to market is important, managers must also empower developers with the skills, training and certification needed to deliver products with fewer vulnerabilities the first time around. Real world cost, schedule and quality data is used to illustrate these points.
Latest Advances in Cybersecurity and the New CISQ Security Standard
Speaker: Robert Martin, Senior Principal Engineer, MITRE. Lead on the Common Weakness Enumeration (CWE) and the lead researcher on the CISQ Security measure.
Application security is a key component of Cyber Resilience. The CISQ Security standard is an automated measure developed to predict the vulnerability of application source code to external attack. The measure draws from the CWE/SANS Institute Top 25 Most Dangerous Software Errors and identifies the most widespread and frequently exploited security weaknesses in software. Watch this webinar to learn how to use the new standard to mitigate cybersecurity vulnerabilities and measure application security. Robert Martin will also provide an overview of the security landscape and future projects under consideration by CISQ, MITRE, and U.S. Government.
Applying Software Quality Models to Software Security
Speaker: Dr. Carol Woody, Technical Lead, Survivability Analysis, Carnegie Mellon SEI
In this webinar, Dr. Carol Woody shares new empirical results that show how teams can achieve a high level of application security in a cost-effective manner by addressing software quality problems early through code checking and design review. As Dr. Woody notes, neither quality nor security can be “tested in.” You will gain ammunition to support security and software assurance measurement and analysis.
In complex software applications, the same piece of code can be of excellent quality or highly dangerous. So, excellent code quality within an independent program does not guaranty a resilient, safe and efficient IT system. Correlations between architectural programming mistakes and production defects unveil something counter-intuitive. Studies show that basic coding errors within a program account for 92% of the total errors in source code but only account for 10% of production defects. Yet, software flaws at the Technology and System Level account for 8% of total errors, but consume over half the effort spent on fixing problems and lead to 90% of the most serious production issues. Engineering quality maturity grows exponentially with adherence to CISQ best practices.
Service Level Agreements (SLAs) are integral to Application Development and Maintenance (ADM). SLAs have been used to define the relationship between a service provider and customer since the early days of IT outsourcing. Yet many of the contracts written, even in the last 5 years, use fundamentally the same time-based SLAs for ADM. The average application costs 20% of its development cost, year on year, to support. Increasing the quality of the application from “average” to “good” reduces support costs to 12%. “Excellent” code can cost as little as 3-5% of development cost to support. This savings of 8% to 17% more than justifies the tooling and approaches required to write good source code at the outset. Needless to say, this is also the most direct way to control cyber resilience related risk. It is time to step into a new set of SLAs that meet objectives for lower risk and cost. This CISQ Recommendation Guide explains how to add software quality metrics to a service level agreement for improved application ROI.
This research report concludes that poor software quality is costing the U.S. upwards of $2.84 trillion dollars in 2018 taking into account losses from software failures, legacy system problems, technical debt, finding and fixing defects, and troubled or cancelled projects. The report examines how much the world is spending on IT software today and the fundamental issues causing problems. Looking backwards, legacy IT systems are holding us captive, looking forwards, technology innovations are coming faster and faster, and looking at present day, we're facing highly vulnerable and deficient systems-of-systems. The report was written by Herb Krasner, a member of CISQ’s Advisory Board and retired Professor of Software Engineering at the University of Texas at Austin. The report was commissioned by CA.