System Assurance: Beyond Detecting Vulnerabilities

Paperback (Print)
Buy New
Buy New from
Used and New from Other Sellers
Used and New from Other Sellers
from $49.43
Usually ships in 1-2 business days
(Save 27%)
Other sellers (Paperback)
  • All (6) from $49.43   
  • New (5) from $49.42   
  • Used (1) from $63.26   


System Assurance Beyond Detecting Vulnerabilities provides a comprehensive view of systematic, repeatable, and affordable cyberdefense that goes beyond knowledge of vulnerabilities and includes knowledge of the system, knowledge of risks and threats, knowledge of security safeguards, as well as knowledge of the assurance argument, together with the corresponding evidence answering the question why a system is secure.
The book is organized into four parts. The first part provides an introduction to cybersecurity knowledge; the need for information exchanges for systematic, repeatable, and affordable cyberdefense; and the motivation for the Object Management Group (OMG) Software Assurance Ecosystem. It discusses the nature of system assurance and its difference for vulnerability detection, and introduces the OMG standard on Software Assurance Cases. It describes an end-to-end methodology for system assurance in the context of the OMG Software Assurance Ecosystem that brings together risk analysis, architecture analysis, and code analysis in an integrated process that is guided and planned by the assurance argument. The second part describes various aspects of cybersecurity knowledge required for building cybersecurity arguments. This knowledge includes system knowledge, knowledge related to security threats and risks, and vulnerability knowledge. The third part provides an overview of the protocols of the OMG Software Assurance Ecosystem. It covers the Common Fact Model approach; linguistic models and the OMG Semantics of Business Vocabularies and Rules (SBVR) standard; and the OMG Knowledge Discovery Metamodel (KDM). The fourth part presents a case study to illustrate some of the activities of a system assurance evaluation.

  • Provides end-to-end methodology for systematic, repeatable, and affordable System Assurance.
  • Includes an overview of OMG Software Assurance Ecosystem protocols that integrate risk, architecture and code analysis guided by the assurance argument.
  • Case Study illustrating the steps of the System Assurance Methodology using automated tools.
Read More Show Less

Editorial Reviews

From the Publisher
"The Object Management Group (OMG) Software Assurance Ecosystem described in this book is a significant step towards collaborative cyber security automation; it offers a standards-based solution for building security and resilience in computer systems." -Joe Jarzombek, Director for Software Assurance, Global Cyber Security Management, National Cyber Security Division, Department of Homeland Security

"System Assurance is a very complex and difficult subject. This book successfully demonstrates and describes in detail how to combine different existing tools together in order to systematically develop System Assurance documentation and justification in a practical manner for a specific domain. The book provides very useful practical guidance that can be used by technical and management practitioners for the specific domain described, and by example for others for different domains." -John P. Hopkinson, Security Strategist, Kwictech

Read More Show Less

Product Details

  • ISBN-13: 9780123814142
  • Publisher: Elsevier Science
  • Publication date: 12/20/2010
  • Series: MK/OMG Press Series
  • Pages: 368
  • Product dimensions: 7.40 (w) x 9.10 (h) x 0.80 (d)

Meet the Author

Nikolai Mansourov is recognized worldwide for his work in the areas of automatic code generation and using formal specifications in both forward and reverse engineering. Prior to joining KDM Analytics, Dr. Mansourov was the Chief Scientist and Chief Architect at Klocwork Inc, where he significantly helped build the company’s credibility. Dr. Mansourov also was a department head at the Institute for System Programming, Russian Academy of Sciences, where he was responsible for numerous groundbreaking research projects in advanced software development for industry leaders Nortel Networks and Telelogic. Dr. Mansourov has published over 50 research papers and is a frequent speaker as well as member of program committees at various international research forums. He is a founding member of the World-Wide Institute of Software Architects WWISA. His impact on the industry continues through his participation on several standards bodies, including the ITU-T and Object Management Group. Dr. Mansourov is one of the first OMG-certified UML Advanced Professionals and a member of the UML2 standardization team. Dr. Mansourov is the Editor of the OMG Knowledge Discovery Metamodel (KDM) specification and the Chair of the OMG Revision Task Force for KDM.

Djenana Campara has 20+ years of experience and leadership in the software engineering field. Ms. Campara is a member of the Board of Directors of the Object Management Group (OMG). Djenana Campara chairs the OMG Architecture-Driven Modernization Task Force and Software Assurance Special Interests Group, and serves as a board member on the Canadian Consortium of Software Engineering Research (CSER). Previously, Djenana was CTO of Klocwork and chairwoman of Klocwork’s Board of Directors. Djenana founded the company in 2001 as a successful Nortel Networks spin off. She has served as Klocwork's chief executive officer, securing the company's first round of funding as well as closing its first customers.

She has been awarded four US patents for her groundbreaking static analysis techniques implemented in Klocwork’s products. She has published a number of papers on software transformations, has been quoted in publications, including The Economist and Secure Computing, and has participated in Fortune Magazine's "Brainstorm 2003," an international conference of the world's most creative leaders.

Read More Show Less

Read an Excerpt

System Assurance

Beyond Detecting Vulnerabilities
By Nikolai Mansourov Djenana Campara


Copyright © 2011 Elsevier Inc.
All right reserved.

ISBN: 978-0-12-381415-9

Chapter One

Why hackers know more about our systems

We live in a world comprised of systems and risk.Clifton A. Ericson II, Hazard Analysis Techniques for System Safety Throughout history, each technological advance has inevitably become the target of those who seek to subvert it.David Icove, Computer Crime


To be effective during an operation, organizations need to be agile, mobile, and robust with a flexible service-oriented user experience. Delivering this need means relying heavily on Web and Internet services technology that enables organizations and their clients to synergistically work together by automating end-to-end information exchange processes for seamless collaboration and operation of fully automated information systems that work 24/7 without human intervention. However, along with these enhanced information exchange capabilities come significant security, privacy, and regulatory concerns and challenges.

Cyber criminals have also undergone a remarkable transformation as they exploit the global scale and connectivity of cyberspace and convergence of services onto the Internet, where a significant amount of financial and business transactions are taking place [Icove 1995]. Cyber criminals evolved from lone hackers driven by curiosity and the desire to make a point about the freedom of information into sophisticated, transnational networks of organized criminals who commit large-scale online crimes for significant profit. Over the past three decades, hackers managed to accumulate an arsenal of cyber attack methods. According to the Inquiry into Cyber Crime, performed by the Australian Parliament [Australia 2010], cyber crime "operates on an industrial scale and has become an increasingly important issue for the global community."

Furthermore, cyber-warfare became a reality that cannot be ignored since the 21st century battlefield includes not only the corn fields, deserts, mountain passes, and pine woods, but also the virtual communities in cyberspace along the information highways and back-roads supported by computers and mobile phones, and the miles of fiber optic cables, copper wires, the numerous network equipment boxes, and the very airwaves of the electromagnetic spectrum [Carr 2010]. This includes the nations' critical infrastructure and enterprise information systems, all the way down to the desktops and laptops in businesses and homes. The critical infrastructure is composed of many sectors that are in every nation's core industries—chemical, telecommunications, banking and finance, energy, agriculture and food, and defense—and bring us the services on which we all depend—water, postal and shipping, electrical power, public health and emergency services, and transportation. Each sector is extremely complex and to varying degrees is dependent on all the others.

Cyberspace and physical space are increasingly intertwined and software controlled. Each of the systems can affect our safety and security, and they have a unique design and a unique set of components; additionally, they contain inherent hazards that present unique mishap risks. We are constantly making a trade-off between accepting the benefits of a system versus the mishap risk it presents. As we develop and build systems, we should be concerned about eliminating and reducing mishap risk. Security services need to be seamlessly integrated into this new environment in order to assist civilian management and military commanders in recognizing the new information security threats posed by Web and Internet services-enabled activity, calculating the residual risk, and implementing appropriate security countermeasures to maintain order and control. Some risks are small and can be easily accepted, while other risks are so large that they must be dealt with immediately. While the trust side of the security equation has received a great deal of attention in the world of security, this growing reliance on Web and Internet services raises security issues that cannot be mitigated by traditional authentication processes. Although it remains important to know whether to trust information, it is becoming imperative to verify that there is no threat-related activity associated with this information.

Developing effective approaches to verify that systems operate as intended, that information can be trusted with confidence, and that no threat-related activity would follow is a key component in achieving systems security posture needed to defend against current and future attacks.

In particular, as mentioned in the 2008 OCED/APEC report, malware threat "is increasingly a shared concern for governments, businesses, and individuals in OECD countries and APEC economies. As governments rely evermore on the Internet to provide services for citizens, they face complex challenges in securing information systems and networks from attack or penetration by malicious actors. Governments are also being called on by the public to intervene and protect consumers from online threats such as ID theft. The past five years have indeed brought a surge in the use of malware to attack information systems for the purpose of gathering information, stealing money and identities, or even denying users access to essential electronic resources. Significantly, the capability also exists to use malware to disrupt the functioning of large information systems, surreptitiously modify the integrity of data, and to attack the information systems that monitor and/or operate major systems of the critical infrastructure" [OECD 2008].


Hackers seem to know more about our systems than we do. Does this sound strange to you? Shouldn't we—the designers, developers, implementers, administrators, and defenders—have the "home advantage"? Yet hackers keep finding means of taking over our systems. New security incidents are reported weekly, while software vendors are reacting to the incidents by issuing patches to their products. The industry seems to be trying to catch up with the hackers, hoping that the "good guys" will discover vulnerabilities quicker than the "bad guys" so that the software builders can patch systems before incidents happen.

For now let's assume that a "vulnerability" is a certain unit of knowledge about a fault in a system that allows exploiting this system in unauthorized and possibly even malicious ways. These faults are primarily caused by human error, poor requirements specifications, poor development processes, rapidly changing technology, and poor understanding of threats. Some faults are introduced deliberately through the supply chain and slip through into delivered systems due to poor development and acquisition processes. The industry came to the realization that with traditional system security engineering, error-free, failure-free, and risk-free operation is not usually achievable within acceptable cost and time constraints over the system life cycle [ISO 15443].

So why do attackers know more about our systems than developers and defenders? They are more efficient in discovering knowledge about our systems and are better at distributing this knowledge throughout their communities. How do hackers discover knowledge? Hackers relentlessly study our systems and invent new ways to attack them. Some hackers have the advantage of having access to the details of the entire development process of a system they attack and knowledge of the systems that have already been put into operation. Hackers study the source code whether they can obtain it by legal or illegal means, especially for the critical proprietary and network-based systems. But hackers also study machine code and study systems by interacting with them, where no code is required. Hackers take advantage of:

• The fact that systems are often built from commercial off-the-shelf components, including a small number of the base hardware and software platforms;

• Time flexibility – they are usually not constrained in their analysis of our systems, even though such analysis may be quite time-consuming, and;

• Vulnerable legacy systems – a vast majority of systems are still legacy systems developed with lax security requirements.

However, what makes attackers extremely efficient is extensive knowledge sharing. Since this is an important aspect for consideration in a defenders community, let's examine how knowledge sharing is done.

Attackers vary in their knowledge and capability. It is an exaggeration to say that every attacker knows more about every system than any defender or developer of that system. In the attacker community, individuals have different skills and play different roles: there are few highly skilled security researchers (known as the "elite hackers"), and a larger number of less skilled attackers (known as the "script kiddies"). However, the attacker community—a nebulous assembly of groups of like-minded individuals—is very efficient in using computer communications, and social networks to share knowledge. In fact, the hackers of the early days started as the enthusiasts of the emerging computer technology, communications, and networking. Attackers have been able to accumulate significant amounts of knowledge on how to attack systems. In addition, there are individuals who transform the theoretical knowledge of the attacks into the attack scripts and tools—attack knowledge is rather practical, and tools do play a critical role in attacking cyber systems. So, theoretical knowledge is transformed into automated attack weapons that require little technical skills. Attackers are willing to share, not just their knowledge, but also their tools and "weapons," which become available to the individuals who are willing to launch attacks. As a result, an efficient ecosystem emerges, which amplifies the results of a few highly skilled hackers, and feeds a larger number of less skilled but highly motivated criminalized attackers. Hackers may not be systematic in what they do, but they succeed in industrializing their knowledge.

A large part of modern attack weapons is known as malware. According to an earlier cited OECD report [OECD 2008], malware is a general term for a piece of software inserted into an information system to cause harm to that system or other systems, or to subvert them for use other than that intended by their owners. Malware can gain remote access to an information system, record and send data from that system to a third party without the user's permission or knowledge, conceal that the information system has been compromised, disable security measures, damage the information system, or otherwise affect the data and system integrity. Different types of malware are commonly described as viruses, worms, trojan horses, backdoors, keystroke loggers, rootkits, or spyware. Malware shrinks the time between the discovery of vulnerabilities in software products and their exploitation and makes cyber attacks repeatable, which undermines the effectiveness of current security technologies and other defenses.

The skills within the defender community also vary greatly from the elite security researchers (who are sometimes hard to distinguish from the elite hackers) all the way to the administrators of home computer systems. However, the defender community lacks efficiency in their knowledge sharing due to too many barriers designed to retain competitive edge, expand market space, enhance offerings, etc.


Defense of cybersecurity systems involves understanding the risks, managing the vulnerabilities, adding safeguards, and responding to the incidents. The foundation of this understanding is knowledge related to (1) what are you defending, (2) what are you defending against, (3) what are vulnerabilities you need to mitigate and (4) what safeguards are included. Defense is conducted throughout the entire life cycle of the system. While long-term strategy involves better security engineering to develop more secure systems, the cyberdefense community needs to defend existing systems by adding safeguards in the form of patches to existing system elements, adding new security components, improving security procedures, improving configurations, and providing training.


Excerpted from System Assurance by Nikolai Mansourov Djenana Campara Copyright © 2011 by Elsevier Inc. . Excerpted by permission of MORGAN KAUFMANN PUBLISHERS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Read More Show Less

Table of Contents


1. Why Hackers know more about our systems

1.1 Operating in cyberspace involves risks

1.2 Why Hackers are repeatadly successful

1.2.1 What are the challenges in defending cybersystems? Difficulties in understanding and assessing risks Understanding Development Trends Comprehending Systems’ Complexity Understanding Assessment Practices and their Limitations Vulnerability Scanning Technologies and their Issues

1.3 Where do We Go from Here

1.3.1 Systematic and repeatable defense at affordable cost

1.3.2 The OMG Software Assurance Ecosystem

1.3.3 Linguistic Modeling to manage the common vocabulary

1.4 Who should read this book

2 Chapter: Confidence as a Product

2.1 Are you confident that there is no black cat in the dark room?

2.2 The Nature of Assurance

2.2.1 Engineering, Risk and Assurance

2.2.2 Assurance Case (AC) Contents of an Assurance Case Structure of the Assurance Argument

2.3 Overview of the Assurance Process

2.3.1 Producing Confidence Economics of Confidence

3 Chapter: How to Build Confidence

3.1 Assurance in the System Lifecycle

3.2 Activities of System Assurance Process

3.2.1 Project Definition

3.2.2 Project Preparation

3.2.3 Assurance argument development

3.2.4 Architecture Security Analysis Discover System Facts Threat identification Safeguard Identification Vulnerability detection Security Posture Analysis

3.2.5 Evidence analysis

3.2.6 Assurance Case Delivery

4 Chapter: Knowledge of System as of Element in Cybersecurity argument

4.1 What is system

4.2 Boundaries of the system

4.3 Resolution of the system description

4.4 Conceptual commitment for system descriptions

4.5 System architecture

4.6 Example of an architecture framework

4.7 Elements of System

4.8 System Knowledge Involves Multiple Viewpoints

4.9 Concept of operations (CONOP)

4.10 Network Configuration

4.11 System life cycle and assurance

4.11.1 System life cycle stages

4.11.2 Enabling Systems

4.11.3 Supply Chain

4.11.4 System life cycle processes

4.11.5 The implications to the common vocabulary and the integrated system model

5 Chapter: Knowledge of Risk as an Element of Cybersecurity argument

5.1 Introduction

5.2 Basic cybersecurity elements

5.3 Common vocabulary for risk analysis

5.3.1 Defining diScernable vocabulary for Assets

5.3.2 Threats and hazards

5.3.3 Defining dicernable vocabulary for Injury and Impact

5.3.4 Defining dicernable vocabulary for threats

5.3.5 Threat scenarios and attacks

5.3.6 Defining dicernable vocabulary for vulnerabilities

5.3.7 Defining dicernable vocabulary for safeguards

5.3.8 Risk

5.4 Systematic Threat Identification

5.5 Assurance Strategies

5.5.1 Injury Argument

5.5.2 Entry point argument

5.5.3 Threat argument

5.5.4 Vulnerability argument

5.5.5 Security requirement argument

5.5.6 Assurance of the threat identification

6 Chapter: Knowledge of Vulnerabilities as an Element of Cybersecurity Argument

6.1 Vulnerability as part of system knowledege

6.1.1 What is Vulnerability

6.1.2 Vulnerability as Unit of Knowledge: The History of Vulnerability

6.1.3 Vulnerabilities and the Phases of the System Life Cycle

6.1.4 Enumeration of Vulnerabilities as a Knowledge Product

6.1.5 Vulnerability Databases US-CERT Open Source Vulnerability Database (OSVDB)

6.1.6 Vulnerability Life Cycle

6.2 NIST Security Content Automation Protocol (SCAP) Ecosystem

6.2.1 Overview of SCAP Ecosystem

6.2.2 Information Exchanges under SCAP

7 Chapter: Vulnerability Patterns as a New Assurance Content

7.1 Beyond Current SCAP Ecosystem

7.2 Vulnerability Patterns

7.3 Software Fault Patterns

7.3.1 Safeguard category of clusters and corresponding Software fault Patterns (SFPs) Authentication Access Control Privilege

7.3.2 Direct Impact category of clusters and corresponding Software fault Patterns (SFPs) Information Leak Memory Management Memory Access Path Resolution Tainted Input

8 Chapter: OMG Software Assurance Ecosystem

8.1 Introduction

8.2 OMG Assurance Ecosystem: towards collaborative cybersecurity

9 Chapter: Common Fact Model for Assurance Content

9.1 Assurance Content

9.2 The Objectives

9.3 Design criteria for information exchange protocols

9.4 Tradeoffs

9.5 Information Exchange Protocols

9.6 The Nuts and Bolts of Fact Models

9.6.1 Objects

9.6.2 Noun Concepts

9.6.3 Facts about existence of objects

9.6.4 Individual concepts

9.6.5 Relations between concepts

9.6.6 Verb concepts

9.6.7 Characteristics

9.6.8 Situational concepts

9.6.9 Viewpoints and views

9.6.10 Information exchanges and assurance

9.6.11 Fact-oriented Integration

9.6.12 Automatic derivation of facts

9.7 The representation of facts

9.7.1 Representing facts in XML

9.7.2 Representing facts and schemes in Prolog

9.8 The common schema

9.9 System assurance facts

10 Chapter: Linguistic Models

10.1 Fact Models and Linguistic Models

10.2 Background

10.3 Overview of SBVR

10.4 How to use SBVR

10.4.1 Simple vocabulary

10.4.2 Vocabulary Entries

10.4.3 Statements

10.4.4 Statements as formal definitions of new concepts Definition of a Noun Concept Definition of a Verb Concept The General Concept caption

10.5 SBVR Vocabulary for describing Elementary Meanings

10.6 SBVR Vocabulary for describing Representations

10.7 SBVR Vocabulary for describing Extensions

10.8 Reference schemes

10.9 SBVR Semantic Formulations

10.9.1 Defining new terms and facts types using SBVR

11 Chapter: Standard Protocol for Exchanging System Facts

11.1 Background

11.2 Organization of the KDM vocabulary

11.2.1 Infrastructure Layer

11.2.2 Program Elements Layer

11.2.3 Resource Layer

11.2.4 Abstractions Layer

11.3 The process of discovering system facts

11.4 Discovering the baseline system facts

11.4.1 Inventory views Inventory Viewpoint vocabulary in SBVR

11.4.2 Build Views

11.4.3 Data views

11.4.4 UI views

11.4.5 Code views Code views: Elements of Structure Code views: Elements of Behavior Micro KDM

11.4.6 Platform views

11.4.7 Event views

11.5 Performing architecture analysis

11.5.1 Structure Views

11.5.2 Conceptual Views Linguistic Viewpoint Behavior Viewpoint

12 Chapter: Case Study

12.1 Introduction

12.2 Background

12.3 Concepts of operations

12.3.1 Executive summary

12.3.2 Purpose

12.3.3 Locations

12.3.4 Operational Authority

12.3.5 System Architecture Clicks2Bricks Web server Database server SMTP server

12.3.6 System Assumptions

12.3.7 External dependencies

12.3.8 Implementation Assumptions

12.3.9 Interfaces with Other Systems

12.3.10 Security assumptions

12.3.11 External Security Notes

12.3.12 Internal Security notes

12.4 Business vocabulary and security policy for Clicks2Bricks in SBVR

12.5 Building the integrated system model

12.5.1 Building the baseline system model

12.5.2 Enhancing the baseline model with the system architecture facts

12.6 Mapping cybersecurity facts to system facts

12.7 Assurance case

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)