User:Jjwhitmore/Secure Engineering

Secure engineering

Introduction

Secure Engineering is the combination of methods, means and controls needed to ensure that proper attention is given to integrity, dependability and assurance in the development of Information Technology products, systems and services.

Secure Engineering is distinct from Security Engineering. Security Engineering is a domain of expertise concerned with the security functions of the developed asset. In contrast, Secure Engineering recognizes that many security-related qualities of a developed asset are influenced by decisions and actions that may be outside the purview and influence of security professionals.

Secure Engineering takes a holistic view of the factors that influence the integrity, dependability and assurance. These factors include, but are not limited to: business priorities, supply chain, personnel, skills, tools, requirements, engineering design methods, development practices, tests, organizational policies, governance and project management practices. Organizations and development teams that adopt Secure Engineering principles will identify and prioritize the intended qualities of the engineered component, product, system or service at project inception. This intent is translated into committed plans and project controls that guide and govern the pace of the project, the performance of the project team, and the precision of the delivered result.

As described by the Open Group Trusted Technology Forum, Secure Engineering has been recognized as an important aspect of global trusted supply chains for Information Technology.

Development Life Cycles (DLCs)

The term System Development Life Cycle or Software Development Life Cycle, abbreviated SDLC, describes the process followed to create, deploy and maintain Information Technology assets.

Information Technology assets typically include: software components, computing systems made up of architected sets of hardware and software, or operational computing services. These components, systems and services are designed to meet a set of requirements and specifications. The development process begins with a number of inputs (typically, budget, people with skills, tools and initial information technology assets). The inputs represent the supply chain. The output is often referred to as a work product, deliverable or developed asset. The development process is an orchestrated combination of design methods, development practices and project controls that shape the delivered result.

Early Information Technology components, products and systems were designed and built in what have been referred to as greenfield development projects, that is, projects that began with rudimentary practices and a rudimentary supply chain and created original Information Technology assets. The state of the art progressed with advanced tools and the practice of code reuse and aggregation. This evolution has led to variations in the Development Life Cycle driven by complex supply chains, intermediate results and complex software, systems and services. Greenfield development projects still exist, but they are less common than projects that begin with preexisting assets.

Software Development Projects have common elements, including project phases, governance, and workflow for design, coding and testing. Software Development Projects vary by deliverable type and longevity, and by project complexity and scale. Development projects may also be distinguished by the way the development team accounts for the supply chain inputs, how the development process is conducted and how the developed assets are applied. As an illustration, a greenfield project may create a rudimentary component, which in turn becomes a part of the supply chain for a larger software assembly, which in turn becomes part of an expanded supply chain for a functional subsystem such as a database, or for a complex application integrated with a multi-layered infrastructure.

The Secure Engineering principles apply to each Development Life Cycle. Secure Engineering activities may vary, based on the supply chain inputs and the disposition of the developed assets.

Secure Engineering within Software Development Projects

Secure Engineering principles can be applied to any development project. For the purpose of this Wikipedia entry, the following Software Development Projects are considered:

  • Information Technology Building Blocks
  • Information Technology Systems & Services

Information Technology Solution Building Blocks are the foundation of Integrated Information Technology Systems & Services. These building blocks represent a significant portion of the Supply Chain for Information Technology Systems & Services. Some examples of Information Technology Solution Building Blocks include:

  • Commercial-Off-The-Shelf (COTS) components and products
  • Software intensive hardware components, such as network, system and management appliances
  • Open Source or Third Party Software that is incorporated in larger Building Blocks or IT Systems

Secure Engineering applied to the Software Development Life Cycle of building blocks influences the integrity, dependability and assurance of the IT Systems that incorporate them.

Integrated Information Technology Systems & Services are the operational computing systems that deliver and support business and technical workloads, including:

  • Enterprise Applications
  • Enterprise Computing Infrastructure
  • Hosted Environments and Services, including Clouds

For Integrated Information Technology Systems & Services, the approach to Secure Engineering must consider both the integrity, dependability and assurance of the supply chain components and the integrity, dependability and assurance of the aggregated system. These integrated systems must be designed, configured and managed with security in mind, that is, in a manner that accounts for the risks and threats found in the operating environment, given the integrity, dependability and assurance of the underlying components.
