Cyber Resilience is the ability to architect and build software that can withstand malicious attacks and continue to operate in unexpected circumstances (labeled as edge or corner cases by QA professionals). Cyber-resilient systems are less likely to suffer unauthorized penetrations, outages, data corruption, slow recovery times, and other operational problems. Regardless of whether software runs in core legacy systems, web apps, mobile apps, or IoT devices, cyber-resilient coding practices are critical for the safe, confidential, and sustained operation of software systems.
CISQ has developed international standards for measuring the software quality attributes of source code that most determine its level of cyber resilience. CISQ’s measures for Reliability and Security (approved by OMG as international standards) directly measure violations of good architectural and coding practice that most affect cyber resilience. These standards are being used in assessing the cyber resilience of existing systems, as well as being included in contracts to clarify expectations concerning the cyber resilience of delivered source code. The CISQ Cyber Resilience Summit is the single most important event in the industry addressing cyber resilience issues in software-intensive systems.
Attend an Upcoming Cyber Resilience Summit
Cyber Resilience Summit: Securing Systems inside the Perimeter
March 21, 2017 in Reston, Virginia, USA
Cyber Resilience Summit: Measuring and Managing Software Risk, Security and Technical Debt
June 6, 2017 in Brussels, Belgium
Cyber Resilience Summit
October 2017 in Arlington, Virginia, USA
Watch a Webinar
Speakers: Dr. Bill Curtis, Executive Director, CISQ; Girish Seshagiri, EVP/CTO, ISHPI
This webinar demonstrates the combined impact of high maturity processes and disciplined agile teams on secure software development. Learn how disciplined agile teams consistently deliver substantially defect-free software on predictable cost, and schedule by making quality the number one goal of every project. The teams build security throughout the life cycle and do not rely on testing alone for defect removal. Customer benefits include dramatically reduced number of security incidents attributable to poor quality software code and reduced operations and maintenance costs. While time to market is important, managers must also empower developers with the skills, training and certification needed to deliver products with fewer vulnerabilities the first time around. Real world cost, schedule and quality data is used to illustrate these points.
Speaker: Robert Martin, Senior Principal Engineer, MITRE. Lead on the Common Weakness Enumeration (CWE) and the lead researcher on the CISQ Security measure.
Application security is a key component of Cyber Resilience. The CISQ Security measure was developed to predict the vulnerability of application source code to external attack. The measure identifies the Top 22 CWEs in software which represent the most widespread and frequently exploited security weaknesses. Watch this webinar to learn how to use the new standard to automatically detect cybersecurity vulnerabilities and measure application security. Robert Martin will also provide an overview of the security landscape and future projects under consideration by CISQ, MITRE, and U.S. Government.
Speaker: Dr. Carol Woody, Technical Lead, Survivability Analysis, Carnegie Mellon SEI
In this webinar, Dr. Woody shares new empirical results that show how teams can achieve a high level of application security in a cost-effective manner by addressing software quality problems early through code checking and design review. As Dr. Woody notes, neither quality nor security can be “tested in.” You will gain ammunition to support security and software assurance measurement and analysis.
Read Additional Resources
In complex software applications, the same piece of code can be of excellent quality or highly dangerous. So, excellent code quality within an independent program does not guaranty a resilient, safe and efficient IT system. Correlations between architectural programming mistakes and production defects unveil something counter-intuitive. Studies show that basic coding errors within a program account for 92% of the total errors in source code but only account for 10% of production defects. Yet, software flaws at the Technology and System Level account for 8% of total errors, but consume over half the effort spent on fixing problems and lead to 90% of the most serious production issues. Engineering quality maturity grows exponentially with adherence to CISQ best practices.
Service Level Agreements (SLAs) are an integral part of the Application Development and Maintenance (ADM) process. SLAs have been used to define the working relationship between a service provider and customer since the early days of IT outsourcing. Yet many of the contracts written, even in the last 5 years, use fundamentally the same time-based SLAs for ADM. The average application costs 20% of its development cost, year on year, to support. Increasing the quality of the application from “average” to “good” reduces support costs to 12%. “Excellent” code can cost as little as 3-5% of development cost to support. This savings of 8% to 17% more than justifies the tooling and approaches required to write good source code at the outset. Needless to say, this is also the most direct way to control Cyber Resilience related risk. It is time to step into a new set of SLAs that meet objectives for lower risk and cost. This CISQ Recommendation Guide explains how to add software quality metrics to a service level agreement for improved application ROI.