Conference: IEEE Cybersecurity Development

BP: Integrating Cyber Vulnerability Assessments Earlier into the Systems Development Lifecycle: A Methodology to Conduct Early-Cycle Cyber Vulnerability Assessments


Abstract

During development of high assurance cyber systems, third-party security evaluations such as cyber vulnerability assessments (CVAs) and red teaming may not be conducted until after system implementation. This late in the systems development lifecycle (SDLC), mitigating a single implementation vulnerability may require altering the system requirements, architecture, and design, resulting in a cascade of secondary effects that necessitate additional implementation changes. This paper proposes to identify and mitigate vulnerabilities earlier in the SDLC by conducting early-cycle CVAs (eCVAs). eCVAs initiate the vulnerability assessment process earlier and integrate three CVAs into the SDLC. The three types of assessments include a requirements CVA to analyze system requirements specifications, an architecture and design CVA to evaluate architecture and design artifacts, and an implementation CVA with a focus on manual code review, static and dynamic analysis, and researching leveraged code for known vulnerabilities. This paper describes the three types of CVAs and outlines the results of a year-long pilot effort carried out by the Air Force Research Laboratory Information Directorate eCVA team.
