Software and Supply Chain Assurance (SSCA) Winter Forum 2017

Location: MITRE-1, 7525 Colshire Drive, McLean, VA 22102

https://register.mitre.org/ssca/


Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance (SSCA) Forum and Working Groups provide a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective mitigation strategies, and any gaps related to the people, processes, or technologies involved.


The effort was initiated in 2003 as a Department of Homeland Security (DHS)-sponsored Cross-Sector Cyber Security Working Group (CSCSWG) established under auspices of the Critical Infrastructure Partnership Advisory Council (CIPAC) that provides legal framework for public-private collaboration and participation.


Originally called the Software Assurance (SwA) Forum and Working Groups, its purpose was to bring together a stakeholder community to protect the Nation’s key information technologies, most of which are enabled and controlled by software. The community evolved and broadened the scope to include additional focus on the supply chain and is currently co-sponsored by DHS, the Department of Defense (DoD) Office of the Secretary of Defense, Government Services Agency (GSA), and the National Institute of Standards and Technology (NIST).


SSCA events are held quarterly and are free and open to the public. In general, Summer and Winter sessions are intended for working group-type discussions while the Spring and Fall sessions are reserved for more traditional forum presentations. Interaction is always encouraged.


To receive information about upcoming meetings and related activities, please sign up for the sw.assurance mailing list, operated by NIST, by sending a blank email to sw.assurance-join@nist.gov.

Software and Supply Chain Assurance (SSCA) Fall Forum 2017

Location: MITRE-1, 7525 Colshire Drive, McLean, VA 22102

https://register.mitre.org/ssca/

Cybersecurity Workshop at OMG Technical Meeting


Cyber threats facing an organization’s critical infrastructure, mission-critical systems, or any Industrial Internet of Things (IIoT) system, demand a cyber infrastructure that matches their combined enormity and complexity. Risk management solutions must be capable of understanding intricate attack patterns and assessing complex vulnerabilities to give stakeholders confidence in their system’s ability to withstand malicious attacks, operate as intended, and within the appropriate regulatory boundaries.


The OMG’s Cybersecurity Workshop on September 28, 2017 brings together practitioners developing IT standards targeted at the security engineering lifecycle and the digital transformation of business operations. Learn how to plan for, budget, and reduce costs associated with building/acquiring secure and resilient software.


Dr. Bill Curtis, Executive Director of CISQ, will present Code Quality Standards and Technical Debt Management.


This special event is part of the OMG Technical Meeting, September 25-29, 2017 in New Orleans, LA. The registration fee for the Cybersecurity Workshop is $149 and includes lunch and refreshments throughout the day. (Full meeting week registration includes the Workshop!)


The Workshop begins with a cybersecurity primer aimed at executive leadership, managers and engineers. The primer will cover key concepts needed to consistently apply cybersecurity processes across product lines and programs.


Presentations include:

  • Safe, Secure and Reliable Industrial Internet: A Standards Story – Robert A. Martin, Senior Principal Engineer, MITRE; Steering Committee Member, Industrial Internet Consortium
  • Security Views in the UAF (Unified Architecture Framework) – Matthew Hause, GTM Solutions Specialist, Fellow, PTC; Co-Chair, OMG UAF Task Force
  • Model-based Cybersecurity Assessment – Dr. Nikolai Mansourov, CTO, KDM Analytics
  • Federated Threat Analytics and Information Sharing – Cory Casanave, President and CEO, Model Driven Solutions; Co-chair, OMG Government Domain Task Force
  • Cyber Information Sharing and Safeguarding – Mike Abramson, President and CEO, Advanced Systems Management Group (ASMG Ltd.); Co-chair, OMG C4I Domain Task Force
  • Cloud Security and Data Residency Considerations – Claude Baudoin, Owner and Principal Consultant, cébé IT and Knowledge Management; Steering Committee Member, Cloud Standards Customer Council
  • Code Quality Standards and Technical Debt Management – Dr. Bill Curtis, Executive Director, Consortium for IT Software Quality (CISQ); SVP and Chief Scientist at CAST
  • Panel Discussion on Cybersecurity: Cost vs. Protection

AFCEA OKC Technology Day @ Tinker AFB


The AFCEA OKC Technology Day on August 17th brings together AFCEA members and Tinker AFB (Air Force Base) personnel to discuss Information Technology and Cybersecurity. View and demo some of the latest IT products from government and industry partners, attend educational sessions, and network with peers. Registration is complimentary. On Friday, August 18th, spend the day with the AFCEA OKC Chapter on the links at the Tinker Golf Course.


Marc Jones, Director of Federal Outreach at CISQ, will deliver a presentation:


Cyber and Operational Risk Standards and Policy Update.


International standards referenced by DOD and GSA are available now for automating the measurement of software size and structural quality (security, reliability, performance efficiency, and maintainability). Leveraging these measures in software acquisition programs has been shown to elevate operational readiness and lower the corrective maintenance cost of software-intensive IT and mission systems. Learn how government organizations leverage these standards to quantify risk in multi-tier, multi-language systems at each software delivery to the government. Explore how to use these measures in acquisition, benchmarking, vendor management, and governance. Congress has mandated that all DOD programs have software measurement capability. CISQ is an acquisition-ready standard.

CISQ is a special interest group of the Object Management Group with engineering support from the FFRDCs Software Engineering Institute (SEI) and MITRE. CISQ’s work and standards are supported by DOD, GSA, NSA, NIST, and DHS.


Attend this presentation to hear best practices for software quality measurement that can be leveraged in Tinker AFB programs.

Agile Dev, Better Software & DevOps East

Learn what you need to build better software now. The Agile Dev, Better Software, and DevOps East events hosted by Techwell are co-located from November 5-10, 2017 in Orlando, FL. With over 100 learning and networking sessions, there will be a wide variety of new things to learn:

  • Projects and teams
  • Personal excellence
  • Going mobile
  • Business analysis and requirements
  • Internet of Things (IoT)
  • Process and metrics
  • Leadership
  • Software quality and testing


One registration gives you access to all three of these industry-leading events.


Register by October 6 using CISQ’s special promo code CECM to save up to an additional $200. Plus, this offer can be combined with early bird pricing for even more savings.

Measuring IT Project Performances in Texas: House Bill (HB) 3275 Implications

CISQ Advisory Board member, Herb Krasner, has released a position paper for Texas state CIOs and IT leaders seeking guidance on House Bill (HB) 3275 passed in June 2017 requiring the reporting of software quality measurement in Texas State IT projects. Krasner drafted the legislation that was signed into law by Texas governor, Greg Abbott. Directives go into effect on January 1, 2018.


The new law, HB 3275, is available on the CISQ website for review.


Abstract from the position paper, Measuring IT Project Performances in Texas: House Bill (HB) 3275 Implications:


“Texas’ usage of IT is big and getting bigger, but past project performances have a “checkered” history. In June 2017 HB 3275 became law in Texas. It requires state agencies to improve the measuring and monitoring of large IT projects to collect and report on performance indicators for schedule, cost, scope, and quality. If these indicators go out of bounds, more intense scrutiny is then triggered, potentially requiring corrective action. These indicators will be made visible to the public via an online, user-friendly dashboard, and will be summarized annually in a report to state leaders. This new law facilitates the early detection of troubled projects, and helps establish baselines for improvement initiatives. This position paper discusses the implications and challenges of implementing this new law for state and agency IT leadership.”


Professor Herb Krasner recently retired from the University of Texas at Austin. He was the Director of Outreach Services for the UT Center for Advanced Research in Software Engineering (ARiSE) and founder and CTO of the UT Software Quality Institute (SQI). As a systems excellence consultant, his mission, spanning five decades, has been to enable the development of superior software-intensive systems and to stamp out poor-quality software wherever found. Mr. Krasner is active in Texas state legislature IT improvement initiatives.

PNSQC 2017


Registration is now open. We are scaling new heights in quality software. Join us in Portland, Oregon, October 9-11.


CISQ is a supporting partner of PNSQC.


Registration opens with super early-bird discounts for individuals and groups; students and poster paper presenters receive additional discounts. Register before August 11 and save more than $300; groups of 4 or more receive an extra 15% off. Register now to save.


As we scale quality software, we have included some Trends, Tricks, and Traps to share, then added Agile to the mix, and finally ascend to joy in the workplace with the Invited Speakers. The technical program is ready to review. Look for lots of networking opportunities with your colleagues when you join us in Portland; register now!

How Outsourcing Can Mitigate Cyberrisks in DevOps


Dr. Erik Beulen, Principal, Amsterdam office (beulen.erik@bcg.com); Dr. Walter W. Bohmayr, Senior Partner, Vienna office (bohmayr.walter@bcg.com); Dr. Stefan A. Deutscher, Associate Director, Berlin office (deutscher.stefan@bcg.com); and Alex Asen, Senior Knowledge Analyst, Boston office (asen.alex@bcg.com)


DevOps agility requires organizational adjustments and additional tooling to ensure cybersecurity. At the same time, the challenges of the cybersecurity labor market drive the need to increase tooling’s impact and to consider outsourcing. In turn, these require carefully focusing on cybersecurity governance, including the assignment of accountability and responsibility.


In DevOps, the business is in the driver’s seat. DevOps characteristics (such as iterative prioritizing and deployment) plus the combined responsibility for development and operations present cybersecurity risks. They also create opportunities. DevOps tools, infrastructure, processes, and procedures can be used to fully automate patch deployments and to continuously monitor, for example, open ports. Best practice is to automate the information security platform: at a minimum through programmable APIs, and preferably with automated access control and with containers and container orchestration combined with hypervisors or physical separation, so that the impact of an attack on the OS kernel layer is contained.


Market Developments


Our analysis of global startup activity in cybersecurity products reveals about 1,000 firms that represent more than $20 billion of investments. This explosion of competing cybersecurity products has driven enterprise reliance on best-of-breed solutions, which requires a lot of coordination and increases the risk of gaps in the cybersecurity landscape. Consolidation of cybersecurity product portfolios through mergers and acquisitions will still take some time—about three to five years. In the enterprise segment, we have to accept best-of-breed solutions and the associated increased complexity for the years to come.


Meanwhile, the service market is also evolving but still scattered. Managed security service providers (MSSPs) provide end-to-end protection, stabilize infrastructure, optimize IT operations, and provide rapid responses to security breaches. On one hand, MSSPs can be used to scale up required capabilities, reduce complexity, and innovate to achieve cyberresilience. On the other hand, the service market is not mature yet, so prior to contracting with an MSSP, companies should rigorously assess a solution’s robustness and vision. Companies should also determine the number and seniority level of the cybersecurity experts at an MSSP.


Accountability


Accountability for cyberresilience can never be outsourced. Organizations need to build a cybersecurity competence center that oversees the design and maintenance of strategy and requirements, assesses cybersecurity compliance, and evangelizes cybersecurity. (See Exhibit 1.) This competence center manages the business demands. It also directs in-house cybersecurity and MSSPs’ strategy and policies, including standards, frameworks, certification, risk tolerance levels, and attack procedures. The number of MSSPs a company should engage depends on the size of the organization, its cybersecurity requirements, and its capability to manage suppliers. Organizations rarely engage more than three MSSPs, in order to avoid coordination challenges and ensure unambiguous responsibilities.


Exhibit 1: Cybersecurity Competence Center Responsibilities
Responsibility


Responsibilities for cyberresilience have to be embedded from the board level down to each DevOps team. This is not straightforward and requires a constant and intense dialogue embedded in governance structures and involving all stakeholders. At the application level, product owners and scrum masters have to ensure cybersecurity is respected and embraced by the DevOps teams (“cybersecurity by design”). This doesn’t mean developers must become security experts. Rather, product owners must assign dedicated security experts to each DevOps team. This will not be a full-time role, and security experts can be allocated to multiple DevOps teams. However, cybersecurity remains a team responsibility. Scrum masters have to explicitly address cybersecurity in each step of the DevOps lifecycle. This starts with creating cybersecurity awareness by training developers using gamification (such as Microsoft’s Elevation of Privilege (EoP) game[1]). Furthermore, continuously monitoring and measuring cybersecurity performance (service levels) is important. The end goal is to champion cybersecurity by deploying and maintaining software in accordance with the set risk tolerance levels and applicable security standards.


Conclusion


Ensure cybersecurity in DevOps by taking these steps: empowering your product owners and scrum masters, building a competence center, partnering with no more than three MSSPs, using automation, and, of course, making cybersecurity a business agenda item. Also follow the World Economic Forum Working Group,[2] which kicked off cyberresilience through brainstorming!


[1] https://www.microsoft.com/en-us/SDL/adopt/eop.aspx

[2] https://www.weforum.org/whitepapers/advancing-cyber-resilience-principles-and-tools-for-boards

Gartner Catalyst Conference 2017

Gartner Catalyst Conference gives a comprehensive view into the technologies that will power the future of your digital business.


Technically focused and committed to pragmatic, how-to content, Gartner Catalyst Conference provides practical solutions, actionable advice, and principled objectivity. With access to more than 150 sessions built on forward-thinking Gartner for Technical Professionals (GTP) research, attendees will leave with a framework for project planning and execution and for their own professional development.


Through six conference tracks and four “journeys” tailored to specific roles, you’ll learn how to:

  • Build data and analytics architectures
  • Leverage DevOps to increase data center agility
  • Create scalable security and identity architectures
  • Develop innovative software architectures and practices
  • Formulate and execute your IoT strategy
  • Make sense of blockchain and how to use it
  • Understand the impact of AI and machine learning
  • Take mobility from strategy to execution
  • Achieve digital workplace productivity
  • Explore public and hybrid cloud strategies and cloud-native solutions


STARWEST – Software Testing Conference

October 1-6, 2017

Disneyland Hotel in Anaheim, CA

Website: https://starwest.techwell.com/


Wondering why you should attend the STARWEST software testing conference from October 1-6 in Anaheim this year? With over 100 learning and networking sessions, there will be a wide variety of new things to learn, including finding the best solutions to your software testing challenges. Register for the STARWEST software testing conference by September 1 using promo code SWCM to save up to an additional $200. Plus, this offer can be combined with early bird pricing for even more savings.

Conference highlights include:

  • Pre-conference training classes
  • In-depth half- and full-day tutorials
  • Keynotes featuring recognized thought-leaders
  • Concurrent sessions covering major issues and solutions
  • The Expo, bringing you the latest in software development solutions
  • Networking events: receptions, breakfasts, breaks, and lunches included
  • A full day to explore unique challenges at the Testing & Quality Leadership Summit
