Software and Cyber Solutions Symposium (SCSS) 2019

 

Acquisition, Security and the Supply Chain

 

This event is organized by the Software Engineering Institute (SEI) at Carnegie Mellon University.

 

From the event website:

 

When building and acquiring software-reliant systems, the stakes are high and the risks can be daunting. Today’s systems are built with newly developed software, along with legacy, COTS, and open source applications, libraries, and data. Leveraging existing software components can help deliver capability at reduced cost, but what are the risks? How can you know what’s in the software that powers your mission-critical capabilities and how resilient it is to attacks?

 

When you consider additional factors such as the need to increase the pace of acquisition and the use of multiple providers in different teaming arrangements, it’s clear that new tactics are needed to manage and secure a supply chain that includes software.

 

The Software and Cyber Solutions Symposium (SCSS) returns in 2019 with a two-day event focusing on acquisition, security, and the supply chain. Join us for a one-day symposium on Wednesday, February 13, free to attendees, that includes two dynamic keynote presenters, Shannon Lietz, DevSecOps Leader and Director at Intuit; and Dr. Will Roper, Assistant Secretary for Acquisition, Technology and Logistics, U.S. Air Force, who will discuss the risks facing the supply chain in today’s world.

 

Other topic experts on the SCSS program include

 

Then on February 14, choose from four affordably priced half-day tutorials:

 

Morning
Secure DevOps: Build Secure Deployment Pipeline to Deploy Secure Application
Software Assurance for the Supply Chain

 

Afternoon
Scaling Agile Metrics to Large Complex Programs
Understanding Software Architecture, Quality, and Security through Code

 

Tutorials are free to U.S. government employees using the promotional code GOVMIL. 

 

Non-government employees can use the promotional code BONUS20 to receive 20% off the standard tutorial fee of $250 if purchasing more than one tutorial.

 

Venue:

NRECA Building, Suite 200
4301 Wilson Boulevard
Arlington, VA 22203

CISQ Webinar: How Can VMOs Ensure Vendor-Supplied Software is Trustworthy?

 

Presented live on February 6, 2019

Download the presentation

 

Vendor-supplied software has become a high-value/high-risk acquisition to Vendor Management Offices (VMOs) in every industry vertical. The sourcing of Application Development and Maintenance (ADM) is shifting from time and material to outcome-based agreements. With the skyrocketing costs of IT outages and breaches, trustworthy software that is secure, resilient, and dependable is just as important as time and cost in contracts.

 

Dr. Bill Curtis will discuss best practices and measures to use in managing your software vendors to ensure you are protecting your organization from unnecessary risk. In particular, he will introduce the CISQ structural quality measures as a way of measuring the trustworthiness of vendor-supplied software.

 

All attendees will receive examples and common language based on industry standards to set requirements in Requests for Proposals (RFPs), vendor contracts, and acceptance criteria with software supplier partners.

 

SPEAKER

 

Dr. Bill Curtis is the Executive Director of the Consortium for IT Software Quality™ (CISQ™), an IT leadership group that develops standards for automating software measurement. He will introduce standards and best practices for managing and measuring the acquisition of trustworthy software. He is best known for leading development of the Capability Maturity Model (CMM) at the Software Engineering Institute (SEI), which has been widely used in managing software vendors. He will introduce principles from the Trustworthy Systems Manifesto aimed at executives who set policy for acquiring vendor-supplied software included in business and mission-critical systems.

 


Software and Supply Chain Assurance (SSCA) Forum Spring 2019

Cyber risk has become a topic of core strategic concern for business and government leaders worldwide and is an essential component of an enterprise risk management strategy. The Software and Supply Chain Assurance Forum (SSCA) provides a venue for government, industry, and academic participants from around the world to share their knowledge and expertise regarding software and supply chain risks, effective practices and mitigation strategies, tools and technologies, and any gaps related to the people, processes, or technologies involved.

 

The effort is co-led by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Government Services Agency (GSA). Participants represent a diverse group of career professionals including government officials, chief information security officers, those in academia with cybersecurity and supply chain specialties, system administrators, engineers, consultants, vendors, software developers, managers, analysts, specialists in IT and cybersecurity, and many more fields.

 

SSCA forums are held 2-3 times/year and are free and open to all interested parties.

 

While the general intent is to share information, the SSCA Forum also offers government and private sector participants, including international participants, an opportunity to openly collaborate by presenting and receiving feedback on current and potential future work. Most events are two to three days long and contain a mixture of discussion and presentation; interaction is always strongly encouraged. To encourage open interaction, SSCA Forum meetings operate under the Chatham House Rule, meaning “participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed,” though many speakers allow NIST to post their presentations on this website.

 

To receive information about upcoming meetings and related publications and activities, please sign up for the sw.assurance mailing list, operated by NIST, by sending a blank email to sw.assurance-join@nist.gov

 

Visit https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management/SSCA to view upcoming meetings.

OMG Technical Meeting

 

From the OMG website:

 

Technical Meeting Overview

 

March 18-22, 2019 at the Hyatt Regency Reston in Reston, VA, USA

 

The OMG Technical Meeting provides IT architects, business analysts, government experts, vendors and end-users a neutral forum to discuss, develop and adopt standards that enable software interoperability for a wide range of industries. Attend an OMG Technical Meeting to influence the direction of future standards work, hear from industry experts, network with your peers and be among the first to know what will be cutting edge tomorrow.

 

Information Days — one or two-day in-depth events on a specific area of interest — are held during each Technical Meeting and are a great way to get training and learn about standards and related practices, methodologies & technologies.

 

The OMG hosts four Technical Meetings approximately every ten to twelve weeks per year in various locations around the world. Typically, three are located within the US and one is held at an international venue. At these meetings, technical experts from member companies and organizations meet to discuss OMG technologies and work on new specifications.

 

Meeting Format

 

Sunday – Thursday: Throughout the meeting week, up to 25 parallel subgroup meetings are held. These subgroup meetings are working meetings which focus on the development of software standards in the domain and platform technology areas. Domain areas include, but are not limited to, Finance, Manufacturing, Space, Telecomm and Life Sciences. Platform technologies represented are Model Driven Architecture® (MDA®), UML®, CORBA®, CWM™, Security and more.

 

Wednesday: Presentations by selected sponsoring organizations are made during a plenary session. These presentations are technological or strategic in nature.

 

Tuesday & Wednesday: An exhibit area is open for viewing demonstrations of OMG technology-based products.

 

Friday: The meeting week concludes with an Architectural Board (AB), Domain Technology Committee (DTC) and Platform Technology Committee (PTC) Plenary. At this meeting, representatives of member organizations with voting privileges recommend adoption of specifications. This is the culmination of member involvement in the OMG Technology Adoption Process.

 


CISQ’s Automated Function Points: History and Calculation

 

David Herron, Co-Founder, David Consulting Group, Editor of IFPUG MetricViews

Bill Curtis, Executive Director, CISQ     

 

After requests from numerous commercial enterprises, the Consortium for IT Software Quality (CISQ) was formed in 2010 by the Software Engineering Institute at Carnegie Mellon University and the Object Management Group (OMG), an international IT standards organization. CISQ was chartered to create international standards for automating the measurement of size and structural quality from software source code. During early executive forums held in Washington DC, Frankfurt, and Bangalore, five measures were selected for initial specification, among which was a request to automate the counting of Function Points from source code based as closely as possible on counting guidelines from the International Function Points User Group (IFPUG).

 

The David Consulting Group (DCG), a leader in Function Point analysis, was one of the founding members of CISQ. David Herron, co-founder of DCG, co-author of Function Point Analysis, and a leader in IFPUG, was selected to head the international team chartered to develop a specification for automating Function Point counting. David’s team included members from North America, Europe, and India.

 

Function Points were originally defined by Allen Albrecht of IBM in the 1970s to measure the functionality delivered by a software application. Traditionally, Function Points are counted manually by trained Function Point experts. They are often counted from initial program specifications to estimate the size of the system and the effort required to build it. In 1986 IFPUG was formed to support the Function Point counting community and formalize guidelines for counting Function Points.

 

While thorough in covering the many issues affecting Function Point counting, IFPUG counting guidelines leave some counting decisions to the judgement of the manual counter. These ambiguities had to be resolved to specify a consistent algorithm for automating the count. As a result, the OMG/CISQ Automated Function Point Sizing specification prioritizes repeatability and consistency of the automated count over strict conformance to the IFPUG Function Point counting guidelines.

 

In certain counting situations, IFPUG guidelines are vague, leaving the interpretation to the judgment of the counter. In order to remove subjectivity, the specification makes explicit decisions about counting techniques in situations where the IFPUG guidelines were vague. Consequently, some variations from the IFPUG guidelines were introduced in order to achieve the precision required for automation.

 

IFPUG functional sizing requires the identification of 5 types of functions: inputs, outputs, inquiries, external (referenced) data files and internal (stored) data. The challenge presented to the CISQ team was determining how to properly identify unique functions.

 

Identifying input and output functions is technically a simple process. Distinguishing between an output and an inquiry can be a bit more difficult; however, the difference in functional value between the two is negligible. The real challenge is identifying unique file types. Part of the solution is to collect specific inputs prior to automation. These include, along with the complete source code, a listing of all excluded files and libraries that don’t belong to the application. Additionally, data definitions of databases and flat files, along with naming conventions, are required. The result is an automated sizing capability that is consistent and verifiable.

 

The first round of analysis focused on how closely the automated counting tool’s results matched those produced by the IFPUG process of manual counting. It was always understood that a certain degree of calibration would be required. An independent study was performed on a random selection of 20 applications of varying sizes and technical profiles. Each application had been manually counted using current IFPUG guidelines. The objective was to understand the ‘accuracy’ of the automated counts relative to the manual IFPUG counts and to determine how many iterations were required until the automated tool had been properly calibrated for each application. The results were impressive.

 

The two critical variables analyzed were the variance between automated and manual counts and the number of iterations required to reach an acceptable size variance. The automated sizing on the first five applications resulted in a 300% variance between automated and manual counts and required 3 to 4 iterations each to calibrate the tool to an acceptable size variance of +/- 10%. After calibrating the tool on the first 10 applications, the remaining 10 applications had a lower initial count variance of 13% (down from 300%) and required, on average, 1.5 iterations per application to reach an acceptable variance between automated and manual counts of -2.2% to 7.0%. This was a positive indicator that the initial calibrations included ‘standard’ adjustments that could be built into the automated tool and applied on subsequent calibrations, thereby reducing the number of iterations and improving accuracy.

 

The benefits of functional size automation are many. It makes sizing at the application level practical, providing the opportunity to more effectively and efficiently manage portfolios and better control production support costs. Organizations such as IFPUG, NESMA and COSMIC should continue to advocate and support the continued development of software that automates functional sizing and other software measurement practices.

Applying Coding Standards to the NIST Cybersecurity Framework

 

The NIST Cybersecurity Framework was first published in 2014 for operators of U.S. critical infrastructure and is now the de facto cybersecurity framework for a wide range of businesses and organizations across industries. Organizations link their cyber approaches to the Framework’s core functions of Identify, Protect, Detect, Respond and Recover to manage their cybersecurity strategy and identify areas for improvement.

 

Once aligned, an organization can use the NIST Cybersecurity Framework as evidence when seeking certifications or shopping for cyber insurance. Good cyber risk practices will result in a less expensive premium for cyber insurance services.

 

NIST hosted a Cybersecurity Risk Management Conference from November 7-9 in Baltimore, MD to discuss the current state of cybersecurity risk management and approaches being employed to strengthen quality and resiliency in the software development lifecycle and supply chain. Marc Jones, CISQ Director of Public Sector Outreach, presented on the automated quality characteristic measures developed by CISQ for measuring software Security, Reliability, Performance Efficiency and Maintainability to industry-supported standards.

 

The slide below depicts how the coding standards from CISQ map to various steps in the NIST Cybersecurity Framework. Download the presentation deck, Measuring the Cybersecurity Risk of Software-Intensive Systems, to learn more.

 

 

CISQ’s global private sector and government membership appreciates the continued support and input provided by NIST leadership over the last 6 years to support impactful and measurable automated software risk standards.

Software and Supply Chain Assurance (SSCA) Forum Winter 2018

 

CISQ delivered a presentation on the Trustworthy Systems Manifesto and standards developed by CISQ for developing and maintaining secure, reliable and trustworthy software-intensive systems.

 

Publicly releasable presentations are now online! (PDF download)


CISQ Announces “Future of Software Delivery” Seminar on Nov. 16 in Bangalore

 

Industry thought leaders will discuss how measurement and intelligence will change the future of software delivery

 

BANGALORE, India – November 6, 2018 – The Consortium for IT Software Quality™ (CISQ™), an IT industry leadership group that develops standards for automating software quality measurement, today announced that registration is open for its “Future of Software Delivery” seminar in India on Friday, November 16. CISQ is organizing this full-day event in cooperation with Tech Mahindra at its Bangalore campus. Registration is complimentary, but pre-registration is required due to limited seating capacity.

 

Dr. Bill Curtis, CISQ Executive Director, will introduce software measurement standards and best practices for measuring software size, software quality, and technical debt. L. Ravichandran (“Ravi”), President and COO of Tech Mahindra, will deliver the keynote address, followed by distinguished speakers from NASSCOM, EY, rpa2ai and other organizations.

 

The seminar will address:

  • international standards for automating software size and structural quality measures
  • advances in productivity measurement – challenges and solutions
  • case study of measuring an Agile and DevOps transformation
  • progress on applying machine learning to software quality
  • capitalizing on the delivery capabilities of automation, RPA and AI

Attendees will also learn about the recently-released Trustworthy Systems Manifesto from CISQ, which contains 5 principles to ensure secure and trustworthy software systems. Senior executives are encouraged to read the Manifesto and become signatories. Signatories demonstrate a commitment to reduce the business or mission risk of critical software-intensive systems by creating policies to govern system development, deployment, and operations. To become a signatory, visit https://www.omg.org/it-cisq/tsm/signatures.php.

 

The Tech Mahindra campus is located at:

 

Plot No. 45 – 47, KIADB Industrial Area
Phase – II, Electronic City
Bengaluru – 560100 (Karnataka) India
Phone: + 91 80 67807777

 

The event is supported by CISQ sponsors: CAST, CGI, Cognizant, ISHPI Information Technologies, Northrop Grumman, Synopsys and Tech Mahindra.

 

About CISQ

The Consortium for IT Software Quality™ (CISQ™) is an IT leadership group that develops international standards for automating the measurement of software size and structural quality from the source code. The standards written by CISQ enable IT and business leaders to measure the risk IT applications pose to the business, as well as estimate the cost of ownership. CISQ was co-founded by the Object Management Group® (OMG®) and Software Engineering Institute (SEI) at Carnegie Mellon University. For more information, visit https://www.it-cisq.org/

 

Contact

Ann McDonough
mcdonough@omg.org
+1 781-444-0404

 

###

Note to editors: CISQ is an Object Management Group program. Object Management Group and OMG are registered trademarks of the Object Management Group. For a listing of all OMG trademarks, visit https://www.omg.org/legal/tm_list.htm. All other trademarks are the property of their respective owners.

 

 

Consortium for IT Software Quality Launches Trustworthy Systems Manifesto

 

December 6 webinar will outline 5 policy principles to advance the trustworthiness of software-intensive systems

 

Needham, MA – November 1, 2018 – The Consortium for IT Software Quality™ (CISQ™), an IT industry leadership group that develops standards for automating software quality and size measurement, today unveiled its Trustworthy Systems Manifesto. The Manifesto lists 5 principles around which senior executives can develop policy to govern system development and deployment.

 

Software-intensive systems are one of the largest sources of risk to enterprises and their customers. For example, IT-related incidents at Knight Capital, SWIFT, Target, and United Airlines far exceeded $100 million in damages. A new research report from CISQ estimates the cost of poor quality software in the U.S. to top $2.8 trillion. In the era of 9-digit glitches, the Manifesto will help management determine policies that strengthen software development and mitigate the risk exposure of these systems.

 

According to CISQ Executive Director Dr. Bill Curtis, “Financial risks from software-intensive systems dramatically increase as enterprises automate more of their critical business functions. Executives are ultimately responsible for managing this risk. The Manifesto provides guidance to executives and senior managers, the majority of whom are not IT experts, for developing policy to ensure their critical systems are trustworthy. The manifesto’s objective is to initiate discussions between the enterprise and IT or engineering about reducing operational and cost risks to the business. Trustworthy systems are secure from malicious actors, reliable and safe in operation, resilient to unexpected conditions, and accurate in their computations.”

 

Dr. Curtis will present a webinar on Thursday, December 6, 2018 at 11 a.m. EST to introduce the Trustworthy Systems Manifesto and discuss its 5 principles:

 

  1. Engineering discipline in product and process
  2. Quality assurance to risk tolerance thresholds
  3. Traceable properties of system components
  4. Proactive defense of the system and its data
  5. Resilient and safe operations

 

Become a Signatory

Signatories indicate their willingness to develop policies and practices within their organizations to support these principles, and to encourage adoption of these principles in other organizations. To become a signatory, visit https://www.omg.org/it-cisq/tsm/signatures.php.
