Society for Software Quality Washington, DC Area Chapter
Where: MITRE Corporation, 7515 Colshire Drive, Building 2, McLean, Virginia
When: Apr 19, 2007, 7:00 pm - 9:00 pm
Security in the Software Lifecycle
Presented by Joe Jarzombek & Karen Goertzel
Date: Thursday, April 19, 2007
Time: 7:00 pm - 9:00 pm
Place: MITRE, Building 2, 7515 Colshire Drive, McLean, Virginia
Who: All are invited. SSQ membership is not required for attendance.
About the Topic:

This presentation will describe how security manifests as a dependability property in software, and will clarify the differences between security software and secure software. Software practitioners who attend this presentation should emerge with a much better understanding of the threats to software specifically, the way that the development of software affects its ability to resist, withstand, and recover from attack, and the subtle differences in the ways security is achieved for software versus quality and reliability.
One key to producing secure software is the "security enhancement" of the processes used to create and sustain it. Security in the Software Life Cycle, published by the Department of Homeland Security's National Cyber Security Division, describes techniques, technologies, and tools for "injecting" security into those phases of the software life cycle in which the software practitioner, rather than the administrator or end user, is the key decision-maker. In most cases, "security enhanced" processes and methodologies shift the emphasis and expand the scope of existing development practices, so that security receives the same amount of attention as other desirable properties of software, including quality, usability, performance, interoperability, and reliability.
Security in the Software Life Cycle also suggests a set of security principles to be adopted by developers as they specify, design, implement, distribute, and maintain software. Software practitioners who attend this presentation should begin to recognize and question their own assumptions about how software should be built, and should feel empowered to start realigning their development processes to achieve software that is not only correct and predictable, but also able to resist, tolerate, and recover from attacks.
About the Speakers:

Joe Jarzombek, PMP, is the Director for Software Assurance in the Department of Homeland Security (DHS) National Cyber Security Division. He leads government interagency efforts with industry, academia, and standards organizations to shift the security paradigm away from patch management by addressing security needs in work force education and training, research and development (especially diagnostic tools), and development and acquisition practices. After retiring from the U.S. Air Force as a Lt. Col. in program management, Jarzombek worked in the cyber security industry as vice president for product and process engineering. He later served in two software-related positions within the Office of the Secretary of Defense prior to accepting his current DHS position. As a Project Management Professional, Jarzombek has spoken extensively on measurement, software assurance, and acquisition topics. He encourages further review of DHS-sponsored software assurance efforts via the BuildSecurityIn Web site.
Karen Mercedes Goertzel, CISSP, is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency's Center for Assured Software, and was lead technologist for three years on DISA's Application Security Program. Ms. Goertzel is currently lead author of a report on the state of the art in software security assurance, and has also led the creation of state-of-the-art reports for the Department of Defense on information assurance and computer network defense technologies and research. She was also involved in requirements elicitation and architectural design of several high-assurance trusted guard and trusted server applications for the defense departments of the U.S., Canada, and Australia, for NATO, and for the U.S. Departments of State and Energy, the Internal Revenue Service, and the Federal Bureau of Investigation.
For more society information and directions to MITRE, see meeting announcement below.
