SEI's current research in the discipline of risk management is being conducted jointly with the CERT Cyber Security Engineering (CSE) Team. The CSE Team is using the SEI Mission Risk Diagnostic (MRD) to assess software security risk across the life cycle and supply chain. As part of this work, the team is also conducting research into risk-based measurement and analysis, in which the MRD is used to direct an organization's measurement and analysis efforts. The CSE Team has chartered the Software Security Measurement and Analysis (SSMA) Project to conduct this research.
Without established methods to measure how secure software is, decision makers lack confidence in the security of their software-reliant systems. The Software Security Measurement and Analysis (SSMA) project is exploring how to use risk analysis to direct an organization's software security measurement and analysis efforts. The overarching goal is to develop a risk-based approach for measuring and monitoring the security characteristics of interactively complex, software-reliant systems across the life cycle and supply chain. The SEI Integrated Measurement and Analysis Framework (IMAF) and the SEI Mission Risk Diagnostic (MRD) are part of this work. The IMAF helps decision makers by integrating performance data for individual components, drawn from targeted analysis, status reporting, and measurement activities, into a consolidated view of the performance of software-reliant systems. The MRD (a product of earlier MSCE work) analyzes the risk to the system as a whole, providing a comprehensive view of the overall risk to a system's mission.
We encourage anyone interested in working with us on the research, development, and piloting in these areas to contact us.