Howard F. Lipson

The architecture tradeoff analysis method

This paper presents the Architecture Tradeoff Analysis Method (ATAM), a structured technique for understanding the tradeoffs inherent in the architectures of software-intensive systems. This method was developed to provide a principled way to evaluate a software architectures fitness with respect to multiple competing quality attributes: modifiability, security, performance, availability, and so forth. These attributes interact-improving one often comes at the price of worsening one or more of the others-as is shown in the paper, and the method helps us to reason about architectural decisions that affect quality attribute interactions. The ATAM is a spiral model of design: one of postulating candidate architectures followed by analysis and risk mitigation, leading to refined architectures.

Survivability: protecting your critical systems

Society is increasingly dependent upon large-scale, distributed systems that operate in unbounded network environments. Survivability helps ensure that such systems deliver essential services and maintain essential properties in the face of attacks, failures, and accidents.

Survivability—a new technical and business perspective on security

In recent years, there have been dramatic changes in the character of security problems, in their technical and business contexts, and in the goals and purposes of their stakeholders. As a consequence, many of the assumptions underlying traditional security technologies are no longer valid. Failure to recognize the depth and breadth of these changes in combination prevents effective solutions to modern security problems. Survivability provides a new technical and business perspective on security, which is essential to our search for solutions. Moreover, our survivability approach expands the view of security from a narrow technical specialty, accessible only to security experts, towards a risk-management perspective that requires the participation of an organization as a whole (executive management, security experts, application domain experts, and other stakeholders) to protect missioncritical systems from cyber-attacks, failures, and accidents. ® CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark Office.

Emergent algorithms-a new method for enhancing survivability in unbounded systems

Traditional security approaches are not sufficient to deal with the protection and survivability of highly distributed information systems operating in unbounded networks. This paper discusses the need for and importance of survivability, defines unbounded network, and examines the characteristics that differentiate survivability from other software quality attributes and nonfunctional properties of systems. It introduces emergent algorithms as an approach to problem solving in unbounded networks and suggests a methodology for their development. Emergent algorithms are philosophically and methodologically different from traditional approaches. The characteristics of emergent algorithms are examined. A strategy for the development of high performance solutions using emergent algorithms is illustrated in outline form for a problem in Internet routing.

Requirements definition for survivable network systems

Pervasive societal dependency on large scale, unbounded network systems, the substantial risks of such dependency, and the growing sophistication of system intruders, have focused increased attention on how to ensure network system survivability. Survivability is the capacity of a system to provide essential services even after successful intrusion and compromise, and to recover full services in a timely manner. Requirements for survivable systems must include definitions of essential and non essential services, plus definitions of new survivability services for intrusion resistance, recognition, and recovery. Survivable system requirements must also specify both legitimate and intruder usage scenarios, and survivability practices for system development, operation, and evolution. The paper defines a framework for survivable systems requirements definition and discusses requirements for several emerging survivability strategies. Survivability must be designed into network systems, beginning with effective survivability requirements analysis and definition.

Managing Software Development for Survivable Systems

The environment in which software projects are managed has evolved dramatically in recent years. This evolution has been driven by an extraordinary increase in network connectivity and extensive use of contractors for system development, raising issues of interoperability, security, ownership, and intellectual property rights. Project managers face the ongoing challenge of creating an orderly incremental development process, which often proceeds for years, in this complex environment. At the same time, the dependency of organizations, their suppliers, and their customers on complex, large-scale information systems is increasing at an astonishing rate, to the point that conduct of business operations is virtually impossible if these systems are compromised. As a result, survivability is receiving increasing attention as a key property of critical systems. Survivability is the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Given the severe consequences of system failure, it is clear that many more organizations should be, and at present are not, concerned with survivability issues. However, when survivability is added to the project management equation, software life cycles can look rather different from the traditional life-cycle model. In this paper we discuss this changing software project management environment, the impact of system survivability, and life-cycle activities that are tailored to development and evolution of survivable systems. Achieving survivable systems requires that survivability be integrated into project life cycles, and not treated as an add-on property.