Robert J. Ellison

Survivable network system analysis: a case study

The Survivable Network Analysis method permits assessment of survivability at the architecture level. Steps include system mission and architecture definition, essential capability definition, compromisable capability definition, and survivability analysis of architectural soft-spots that are both essential and compromisable. The article summarizes application of the method to a subsystem of a large-scale, distributed health care system.

The evolution of the GANDALF system

The GANDALF System is used to generate highly interactive software development environments. This paper describes some design decisions made during the development of the GANDALF system and the systems applicability to the generation of single-user programming environments and multi-user software development environments.

Supply-Chain Risk Management: Incorporating Security into Software Development

As outsourcing and expanded use of commercial off-the-shelf (COTS) products increase, supply-chain risk becomes a growing concern for software acquisitions. Supply-chain risks for hardware procurement include manufacturing and delivery disruptions, and the substitution of counterfeit or substandard components. Software supply-chain risks include third-party tampering with a product during development or delivery, and, more likely, a compromise of the software assurance through the introduction of software defects. This paper describes practices that address such defects and mechanisms for introducing these practices into the acquisition life cycle. The practices improve the likelihood of predictable behavior by systematically analyzing data flows to identify assumptions and using knowledge of attack patterns and vulnerabilities to analyze behavior under conditions that an attacker might create.

A Systemic Approach for Assessing Software Supply-Chain Risk

In todays business environment, multiple organizations must routinely work together in software supply chains when acquiring, developing, operating, and maintaining software products. The programmatic and product complexity inherent in software supply chains increases the risk that defects, vulnerabilities, and malicious code will be inserted into a delivered software product. As a result, effective risk management is essential for establishing and maintaining software supply-chain assurance over time. The Software Engineering Institute (SEI) is developing a systemic approach for assessing and managing software supply-chain risks. This paper highlights the basic approach being implemented by SEI researchers and provides a summary of the status of this work.

TRIAD: a framework for survivability architecting

High confidence in a systems survivability requires an accurate understanding of the systems threat environment and the impact of that environment on system operations. This paper describes a framework for intrusion-aware design called trustworthy refinement through intrusion-aware design (TRIAD). The spiral structure of TRIAD iterates through three sectors of activity for developing the architectural strategy, for instantiating the architecture using technical components, and for analyzing the impact of the threat environment on system operations. TRIAD helps developers of complex, internetworked information systems to formulate, implement, and maintain a coherent, justifiable, and affordable survivability strategy that addresses mission-compromising threats for their organization. TRIAD facilitates planning for the inevitable change to the threat and operational environment and helps trace the effect of change back to the survivability requirements and architecture.