Cybersecurity engineering (CSE) research builds knowledge and capabilities that enhance acquisition and development lifecycle methods, processes, and practices. CSE reduces security weaknesses and ensures that resulting systems, software components, and compositions address software assurance, information assurance, supply chain risk management, and more.
As organizations capitalize on the opportunities for shared resources and capabilities to improve cost efficiencies and scheduling, they must address the increased cybersecurity risk that these opportunities introduce. Third-party tools and cloud capacity, for example, provide major benefits for organizations, such as quick setup and flexibility. However, these resources are built and controlled by external parties with limited understanding of the impact of security choices. As a result, patterns of operational failure, misuse, and abuse can emerge from a variety of sources, including supply chains as well as weak internal practices in software acquisition or development.
Attackers need three key elements to successfully carry out an attack: they need software to have a vulnerability, they must have access to it, and they must have the capability to exploit it. The first two elements can be directly controlled by good decisions during the acquisition and development process, and the field of cybersecurity engineering aims to ensure that the process is secure from the outset. For these reasons, mission success depends on making sure that stakeholders in the acquisition and development process make good choices.
Many organizations, however, struggle to implement effective and repeatable practices that can respond to changing technology needs, discover vulnerabilities before attackers do, and manage the growing threats stemming from weak acquisition and legacy, as well as from third party or supply chain management (SCRM) practices. These problems are of special concern when it comes to the software products that support critical infrastructure, monitor and manage our money, or control our buildings and transportation, to name just a few examples.
Building Security into Application Lifecycles
The goal of cybersecurity engineering is to ensure that the software you develop or acquire delivers the functionality you expect of it and does not allow actions that might introduce risk. To achieve this goal, the SEI helps prepare managers, engineers, developers, testers, and other groups involved in lifecycle tasks, to build and field effective cybersecurity in current and future software acquisition and development, validate and sustain cybersecurity in systems and software, and deliver the mission impact your organization expects of its software.
The SEI’s CSE team leverages expertise in system and software engineering, risk management, program management, measurement, and cybersecurity to create methods and solutions that your organization can integrate into its existing acquisition and development lifecycle practices. To these ends, the SEI offers many tools and approaches to help engineering, development, acquisition, and sustainment groups that work in or with your organization. These tools include
- the Security Quality Requirements Engineering (SQUARE) tool, which helps define quality requirements that include sufficient security for development and supports stakeholders’ review of software requirements to ensure vendors properly prepare their software for integration
- the Security Engineering Risk Analysis (SERA) approach, which helps organizations detect and remediate design weaknesses early in the development or acquisition process
- the Software Assurance Framework (SAF), a set of practices you can use to evaluate and improve your cybersecurity
The SEI continues to expand CSE research through engagements with the DoD and other federal agencies to address real-world challenges. Over the years, we have shared our findings in many notable publications, including a book on cybersecurity, a paper on assessing DoD risk in acquisition, and a program manager’s guidebook for software assurance.
In addition, the SEI can support colleges and universities as they strive to prepare students to understand the growing threat environment. We provide materials that educational institutions can use to develop curricula and course offerings, and to prepare the future workforce for addressing cybersecurity and SCRM.
What We Offer
This program explores software-reliant systems engineering and acquisition activities to help information systems professionals improve their awareness of cybersecurity and establish an approach to identifying security requirements.
This workshop provides an overview of security requirements engineering and covers the steps used in the SQUARE methodology in detail.
Contact us to work with experts that can help you establish sound cybersecurity engineering practices.
You can incorporate these free curricula into existing education programs or use them to develop new courses. These curricula include materials for undergraduate and graduate programs as well as other materials for educators.
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
The Latest from the SEI Blog
July 08, 2019 • Blog Post
Measuring the software assurance of a product as it is developed and delivered to function in a specific system context involves assembling carefully chosen metrics. These metrics should demonstrate a range of behaviors to confirm confidence that the product functions...read
May 08, 2017 • Blog Post
This post is coauthored by Carol Woody. Software is a growing component of business and mission-critical systems. As organizations become more dependent on software, security-related risks to their organizational missions also increase. We recently published a technical note that introduces...read
Our Vision for the Future of Cybersecurity Engineering
SEI researchers continue to expand available CSE options for use by practitioners. We are currently developing archetypes to support organizations in identifying cybersecurity risks and tailoring them for improved evaluation of mission impact.
To collaborate on these new projects in the field of cybersecurity engineering, contact us .