Software Process Improvement Overview

1
OCTAVESM Process 6Evaluate Selected Components

• Software Engineering Institute
• Carnegie Mellon University
• Pittsburgh, PA 15213
• Sponsored by the U.S. Department of Defense

2
OCTAVESM

• Operationally Critical Threat, Asset, and
  Vulnerability EvaluationSM
• OCTAVE and Operationally Critical Threat, Asset,
  and Vulnerability Evaluation are service marks of
  Carnegie Mellon University.

3
OCTAVE Process
Phase 1 OrganizationalView
Phase 3 Strategy and Plan Development
Planning
Phase 2 TechnologicalView
Evaluate Selected Components
4
Objective of This Workshop

• To review technology vulnerabilities with respect
  to the critical assets and summarize results

5
Technology Vulnerability Summary

• Contains the following information for each
  component that was evaluated
• the number of vulnerabilities to fix immediately
  (high-severity vulnerabilities)
• the number of vulnerabilities to fix soon
  (medium-severity vulnerabilities)
• the number of vulnerabilities to fix later
  (low-severity vulnerabilities)

6
Vulnerability Summary

• A vulnerability summary contains
• the types of vulnerabilities found and when they
  need to be addressed
• the potential effect on the critical assets
• how the technology vulnerabilities could be
  addressed (applying a patch, hardening a
  component, etc.)

7
Reviewing Technology Vulnerabilities

• For each selected component, review the types of
  technology vulnerabilities that were identified.

8
Identifying Threats

• Perform a gap analysis of the the threat three
  for human actors using network access
• Do the technology vulnerabilities associated with
  the critical assets key infrastructure
  components indicate that there is a
  non-negligible possibility of a threat to the
  asset?

9
Summary

• We have completed the following in this workshop
• reviewed the technology vulnerabilities for the
  key components of critical assets
• summarized the results