
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
Phone: 412-268-5800
Toll-free: 1-888-201-4479

Security and Project Management

Robert J. Ellison
February 2006

ABSTRACT: Software errors can be introduced by disconnects and miscommunications during the planning, development, testing, and maintenance of the components. The likelihood of disconnects and miscommunications increases as more system components have to satisfy security requirements. Project managers should consider the additional communications requirements, linkage among life-cycle activities, and the potential usage environment as these items relate to security needs.

BUSINESS CASE

An organization can either incorporate security guidance into its general project management processes or react to security failures. It is increasingly difficult to respond to new threats by simply adding new security controls. Security control is no longer centralized at the perimeter. Meeting security requirements now depends on the coordinated actions of multiple security devices, applications and supporting infrastructure, end users, and system operations. Reengineering a system to incorporate security is a time-consuming and expensive alternative.

A recent Computer World article quoted Theresa Lanowitz, an analyst at Gartner Inc. [Hildreth 05]:

"The life cycle may appear obvious, but most organizations—close to about 90%—do not know how to effectively manage the life cycle. If the life cycle was truly embraced with the right people, process, and technologies, we would see better-quality software and more efficient and effective IT organizations. As it is, most IT organizations waste quite a bit of their budget because they have bad business practices, fail to deliver on requirements, and fail to manage projects to meet schedule, cost, and quality goals."

On the list of examples of software failures for the Computer World article was “A software bug apparently caused the largest power outage in North America, the Northeast blackout of August 2003, which threw millions of people into darkness.” The analysis of that event, though, identified a collection of system, organizational, and operational errors [NERC 04]. The software error was certainly one trigger for the incident, but the eventual failure of the power grid was the result of multiple errors in system development and in operations.

Cyber attacks take advantage of software errors, such as not properly validating user input, inconsistencies in the design assumptions among system components, and unanticipated user and operator actions. Software errors can be introduced by disconnects and miscommunications during the planning, development, testing, and maintenance of the components. Although an application development team may be expert in the required business functionality, that team usually has limited or no applicable security expertise.
