SlideShare ist ein Scribd-Unternehmen logo

Nist cosa-foundation v7

Gordon Morrison
Gordon Morrison

This was my response for a NIST request for information (RFI) relating to cybersecurity frameworks. My reply was to create a foundation first.

Technologie
1 von 29
Downloaden Sie, um offline zu lesen
NIST: Request for Information Relating to Cybersecurity Frameworks A Foundation Response by Gordon E Morrison Gordon.Morrison@VSMerlot.com (816-835-3071) 2951 Marina Bay Dr. 130-250 League City, TX 77573 19/22/2013 www.VSMerlot.com
Cyber Secure Framework • Can’t exist without a proper foundation • Current Foundation – Spaghetti code • “if – then – else” • “case – switch” • Not organized • Not structured – Artistic • Approach will not be as secure as it could be 9/22/2013 www.VSMerlot.com 2
Foundation Definition • Foundation – the architecture that software uses as the core structure for organizing human written or machine generated code. Currently writing or generating code is an artistic endeavor without an engineering structure. In practice a software engineered foundation does not exist. 9/22/2013 www.VSMerlot.com 3
Framework Definition • Framework – the collection of software designed to provide services built on a nonexistent foundation. Frameworks are often combined into application specific libraries or collections. 9/22/2013 www.VSMerlot.com 4
Software Engineering Practices • Foundation – Lacking a foundation architecture – Lacking an engineering discipline • Coding is artistic – Requirements – Specifications – Models • All depend on the foundation • Implementations drift away form original design documentation • Synchronization requires manual effort • Frameworks are built sans foundation 9/22/2013 www.VSMerlot.com 5
From CMU-SEI • www.sei.cmu.edu/solutions/softwaredev/ • “The quality of a system is influenced by the quality of the process used to acquire, develop, and maintain it, the analysis and forethought that goes into an architecture…” 9/22/2013 www.VSMerlot.com 6
CMU –SEI (cont’d) • “Using proven methods for progress and product quality, software success is predictable and achievable, and failure is avoidable.” 9/22/2013 www.VSMerlot.com 7
CMU – SEI (cont’d) • “Once coding starts, teams trained in mature software engineering processes can remove defects early, when defect removal is 10 to 100 times less costly than it is during test.” 9/22/2013 www.VSMerlot.com 8
Requirements • SEI alludes to failures due to lack of requirements. • SEI requirements don’t correlate to the application over time. • SEI requirements are documents that fail to stay in sync over time. • SEI approach not as good as it could be. A good idea poorly implemented. 9/22/2013 www.VSMerlot.com 9
No CMU-SEI Foundation Definition • Big money is in process consulting – CMU-SEI sells what it knows – Doesn’t understand lacking foundation • No solution to spaghetti code – Process Management • Often referred to as “Software Engineering” • Without a good foundation success is difficult at best. • CMU-SEI – room for improvement 9/22/2013 www.VSMerlot.com 10
SEI Template • SEI uses a template to collect information – It’s a fill in form approach – State information – Action information – Provides documentation • Template becomes throwaway • The template will not stay in sync • Good idea – poorly implemented 9/22/2013 www.VSMerlot.com 11
Herding Cats is the Standard • Programmers want to be engineers – An engineering foundation is missing • “if-then-else” and “case-switch” statements: – Are the cause of spaghetti code – Create logic that is overly complex – No support for temporal control flow • Required for correlation 9/22/2013 www.VSMerlot.com 12
Temporal Software Engineering • Similar to CMU-SEI template based logic • Integrated into the application • Uses Vector State Machine – Correlates to • Requirements • Specification • Model Driven Architecture – Maps to IDEF ++ process • Improved IDEF0 & IDEF1 • Provides a solid organized foundation 9/22/2013 www.VSMerlot.com 13
CMU-SEI Example Template Student J. Developer Date 10/27 Program LogIn Program # Instructor Humphrey Language C++ State Name Description Start Start condition for system CheckD The state of the system after a user ID is requested CheckPW The state of the system after a user password is requested End The final state: LogIn either logs in or cuts off the user. Function/Parameter Description ID User identification: ID is Valid or !Valid PW User password: PW is Valid or !Valid n Integer count of ID and password errors nMax Maximum value of ID and password errors: n >= nMax is rejected. Fail Error count or timeout error indicator: Fail = true is failure, Fail = false is ok. States/Next States Transition Condition Action Start Start No transitions from Start to Start CheckID True Get ID, n := 0; ID and PW !Valid CheckPW No transitions from Start to CheckPW End No transitions from Start to End CheckID Start No transitions from CheckID to Start CheckID No transitions from CheckID to CheckID CheckPW Valid ID Get password CheckPW !Valid ID Get password End Timeout Fail := true CheckPW Start No transitions from CheckPW to Start CheckID (!Valid PW  !Valid ID)  n < nMax  !Timeout Get ID, n := n + 1 CheckPW No transitions from CheckPW to CheckPW End Valid PW  Valid ID Fail := false, login user End (n >= nMax  Timeout)  (!Valid PW  !Valid ID) Fail := true, cut off user End No transitions from End to any state • SEI-TSP/PSP – Rule – State – Action • Mixed Modes • Does not correlate with solution • Software Engineers DON’T sync this document! 9/22/2013 www.VSMerlot.com 14
CMU-SEI - Stopwatch Example State Name Description Zero Start condition for system Running Stopwatch running and displaying On-hold Stopwatch running with display on hold Stopped Stopwatch stopped States/Next States Transition Condition Action Zero Zero reset  hold Stop clock, reset clock, clear display Running start/stop Start clock, display clock Running Zero reset Stop clock, reset clock, clear display On-hold hold Hold display Stopped start/stop Stop clock, hold display On-hold Zero reset Stop clock, reset clock, clear display Running hold Start clock, display clock Stopped start/stop Stop clock, hold display Stopped Zero reset Stop clock, reset clock, clear display Running start/stop Start clock, display clock Stopped hold Stop clock, hold display •Work is not part of implementation •Must be converted to if/else or switch-case logic 9/22/2013 www.VSMerlot.com 15
Proposed Foundation • COSA – based on US Patent 6,345,387 – Free of License – Free of License! – Template based executable logic table – Table based Vector State Machine (VSM) • Temporal Engineering – the use of COSA, correlating all aspects of the software development life cycle. • Temporal Engineering – improves the CMU-SEI management paradigm – Everything stays in sync!!! • This is a good idea – good implementation 9/22/2013 www.VSMerlot.com 16
SEI vs. COSA • Work going into the SEI template is not directly used, i.e. it’s wasted. • Work put into a COSA table is used – The table is a logic template – The table is executed with COSA Engine – Testable with populated member functions or stubs – Does one thing and does it well – Includes trace debugging 9/22/2013 www.VSMerlot.com 17
No Foundation vs. Foundation www.VSMerlot.com 18 • No Foundation Today – Bucket-of-Bolts • Spaghetti code • Foundation – COSA – An Engineering Discipline – Not an artistic approach – Not just writing code – Organized – Standardized • COSA – No License required – Patent definition open disclosure – Book available on Amazon.com 9/22/2013
What’s Missing • “Software engineering” mentioned on slide 8 does not refer to a foundation architecture. • It refers to the process in which the code is developed. • The fundamental “if-then-else” structure i.e. “spaghetti” code that SEI teaches. • Compare the next two slides… 9/22/2013 www.VSMerlot.com 19
Traditional Software What is Delivered • Authors that are like Herding Cats • The style of the author • Inconsistent development styles • Control and Preemptablity an after thought • Multiple if-then-else logic dispersed everywhere • Spaghetti Logic • Trace - True • Numerously inserted trace logic • NONE • Trace – False • Numerously inserted trace logic • Spaghetti Logic • NONE • NONE • Rarely Well Defined – No Rules – Independent Specification – Inconsistent Analysis • Never Orthogonal – Spaghetti Logic – Spaghetti Data 9/22/2013 www.VSMerlot.com 20 What Is Wanted • Engineering Discipline • Uniformity • Consistency • Preemptablity • Single Point Logic Testing • Trace - True – True Behavior Logic – True Logic Trace – True Logic Temporal Path • Trace - False – False Behavior Logic – False Logic Trace – False Logic Temporal Path • Well Defined – Rules – Specification – Analysis • Orthogonal – Logic – Data
COSA Engineering 9/22/2013 www.VSMerlot.com 21 COSA Delivers • Engineering Discipline • Uniformity • Consistency • Preemptablity • Single Point Logic Testing • Trace - True – Static Document Trace – Dynamic Logic Trace • Trace – False – Static Document Trace – Dynamic Logic Trace • Well Defined – Template Rules – Specification – Traced Spec to Application • Orthogonal – Logic – Data What Is Wanted • Engineering Discipline • Uniformity • Consistency • Preemptablity • Single Point Logic Testing • Trace - True – True Behavior Logic – True Logic Trace – True Logic Temporal Path • Trace - False – False Behavior Logic – False Logic Trace – False Logic Temporal Path • Well Defined – Rules – Specification – Analysis • Orthogonal – Logic – Data
Complexity is out of control 9/22/2013 www.VSMerlot.com 22
Compare Complexity 9/22/2013 www.VSMerlot.com 23
Now with Trace 9/22/2013 www.VSMerlot.com 24
ITE Trace Complexity 9/22/2013 www.VSMerlot.com 25 • 3 columns of trace – 4 columns info in each • Little info • Embedded throughout program • Side effects • 107 states
COSA Trace More Information Count Step Trace Eng Static Dynamic Behavior Value 1 +T= 0; 100 Off; 44; 44; Negate; N= - 2 +T= 1; 101 Off; 1; 1; Any_Number; N= -3 3 ĞF= 1; 101 On; 1; 59; Ignore; N= 4 +T= 2; 102 Off; 59; 59; One_Perio d; N= -3. 5 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.1 6 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.14 7 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.141 8 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.1415 9 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.14159 10 ĞF= 3; 103 On; 1; 44; Ignore; N= 11 ĞF= 4; 104 On; 12; 44; Ignore; N= 12 ĞF= 5; 105 On; 11; 44; Ignore; N= 13 ĞF= 6; 106 On; 1; 44; Push_Disp ; N= 14 ĞF= 7; 500 On; 43; 44; Ignore; N= 15 +T= 8; 501 On; 44; 1; Subtraction; N= -3.14159 16 +T= 12; 700 Off; 1; 1; Engine_Off; N= -3.14159 17 +T= 13; 701 Off; 44; 44; Negate; N= - 18 +T= 14; 702 Off; 1; 1; Any_Number; N= -2 19 ĞF= 14; 702 Off; 1; 59; Ignore; N= 20 +T= 15; 703 Off; 59; 59; One_Perio d; N= -2. 21 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.1 22 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.14 23 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.141 24 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.1415 25 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.14159 26 ĞF= 16; 705 On; 1; 13; Ignore; N= 27 ĞF= 18; 706 On; 12; 13; Ignore; N= 28 ĞF= 17; 707 On; 1; 13; Save_Disp; N= 29 ĞF= 19; 900 On; 11; 13; Ignore; N= 30 +T= 20; 901 Off; 13; 13; Equals; N= -1 • 1 Column Trace – 8 Columns Info • Reduced Complexity • More Information • Dynamic On-Off • Minimal side effects • 30 states vs. 107 9/22/2013 www.VSMerlot.com 26
Carnegie Mellon - SEI Copyright Northrop Grumman Company 20032211/18/2003 CMMI Extensibility and Flexibility Engineering Management Processes Program Management Processes Process Infrastructure Processes Integrated Enterprise Process Engineering Processes COSA impact 9/22/2013 www.VSMerlot.com 27
A 4 Step COSA Solution 1) Well Defined Core Foundation – COSA – Table Drive Vector State Machine • Temporal Software Engineering 2) Model Driven Architecture – WYSIWYG BNF model to application – Rules / Logic can be tested on boundary values 3) Re-manufactured Applications – Legacy Integrated Forward Engineering (LIFE) – Replaces & Reduces Maintenance Costs 4) System Level Integration – Focus on top-down organization – Reduce failures, improve quality, reduce costs 9/22/2013 www.VSMerlot.com 28
The End 9/22/2013 www.VSMerlot.com 29

Empfohlen

KAI, the Information Specialist
KAI, the Information SpecialistKAI, the Information Specialist
KAI, the Information Specialistaik762
 
Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...
Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...
Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...Charlie Hull
 
Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800David Sweigert
 
NIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross ReferenceNIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross ReferenceJim Meyer
 
Draft NIST 7628 on CyberSecurity
Draft NIST 7628 on CyberSecurityDraft NIST 7628 on CyberSecurity
Draft NIST 7628 on CyberSecurityGovLoop
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015Health IT Conference – iHT2
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...Cohesive Networks
 
FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...
FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...
FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...Epstein Becker Green
 

Empfohlen

KAI, the Information Specialist
KAI, the Information SpecialistKAI, the Information Specialist
KAI, the Information Specialistaik762
 
Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...
Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...
Finding the Bad Actor: Custom scoring & forensic name matching with Elastics...Charlie Hull
 
Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800Power Grid Identity Management addressed with NIST 1-800
Power Grid Identity Management addressed with NIST 1-800David Sweigert
 
NIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross ReferenceNIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross ReferenceJim Meyer
 
Draft NIST 7628 on CyberSecurity
Draft NIST 7628 on CyberSecurityDraft NIST 7628 on CyberSecurity
Draft NIST 7628 on CyberSecurityGovLoop
 
CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015CHIME Lead Forum - Seattle 2015
CHIME Lead Forum - Seattle 2015Health IT Conference – iHT2
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...Cohesive Networks
 
FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...
FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...
FDA Cybersecurity Recommendations to Comply with NIST - Wearables Crash Cours...Epstein Becker Green
 
How to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity RequirementsHow to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity RequirementsKyle Brown
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Jim Meyer
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Henry Draughon
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittJack Whitsitt
 
U.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity GovernanceU.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity GovernanceGwanhoo Lee
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Phil Agcaoili
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapWAJAHAT IQBAL
 
Introduction to Agile Hardware
Introduction to Agile Hardware Introduction to Agile Hardware
Introduction to Agile Hardware Cprime
 
Observability – the good, the bad, and the ugly
Observability – the good, the bad, and the uglyObservability – the good, the bad, and the ugly
Observability – the good, the bad, and the uglyTimetrix
 
Best practices with development of enterprise-scale SharePoint solutions - Pa...
Best practices with development of enterprise-scale SharePoint solutions - Pa...Best practices with development of enterprise-scale SharePoint solutions - Pa...
Best practices with development of enterprise-scale SharePoint solutions - Pa...SPC Adriatics
 
Future se oct15
Future se oct15Future se oct15
Future se oct15CS, NcState
 
2019 2 testing and verification of vlsi design_verification
2019 2 testing and verification of vlsi design_verification2019 2 testing and verification of vlsi design_verification
2019 2 testing and verification of vlsi design_verificationUsha Mehta
 
DevOpsDays SLC - Getting Along With Your DBOps Team
DevOpsDays SLC - Getting Along With Your DBOps TeamDevOpsDays SLC - Getting Along With Your DBOps Team
DevOpsDays SLC - Getting Along With Your DBOps TeamNick DeMaster
 
Machine learning systems for engineers
Machine learning systems for engineersMachine learning systems for engineers
Machine learning systems for engineersCameron Joannidis
 
Things to ponder before you start building [cooperate] software
Things to ponder before you start building [cooperate] softwareThings to ponder before you start building [cooperate] software
Things to ponder before you start building [cooperate] softwareTharindu Weerasinghe
 

Weitere ähnliche Inhalte

Andere mochten auch

How to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity RequirementsHow to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity RequirementsKyle Brown
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Jim Meyer
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterTuan Phan
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417James W. De Rienzo
 
Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Henry Draughon
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittJack Whitsitt
 
U.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity GovernanceU.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity GovernanceGwanhoo Lee
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Phil Agcaoili
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleEnterpriseGRC Solutions, Inc.
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapWAJAHAT IQBAL
 

Andere mochten auch (14)

How to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity RequirementsHow to Approach the NYDFS Proposed Cybersecurity Requirements
How to Approach the NYDFS Proposed Cybersecurity Requirements
 
Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
 
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417NIST CSD Cybersecurity Publications 20160417
NIST CSD Cybersecurity Publications 20160417
 
Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?Accountability for Corporate Cybersecurity - Who Owns What?
Accountability for Corporate Cybersecurity - Who Owns What?
 
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack WhitsittNIST Cybersecurity Framework Background and Review | Jack Whitsitt
NIST Cybersecurity Framework Background and Review | Jack Whitsitt
 
U.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity GovernanceU.S. Approach to Cybersecurity Governance
U.S. Approach to Cybersecurity Governance
 
Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6Intel Presentation from NIST Cybersecurity Framework Workshop 6
Intel Presentation from NIST Cybersecurity Framework Workshop 6
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
NIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - MindmapNIST Cybersecurity Framework - Mindmap
NIST Cybersecurity Framework - Mindmap
 

Ähnlich wie Nist cosa-foundation v7

Introduction to Agile Hardware
Introduction to Agile Hardware Introduction to Agile Hardware
Introduction to Agile Hardware Cprime
 
Observability – the good, the bad, and the ugly
Observability – the good, the bad, and the uglyObservability – the good, the bad, and the ugly
Observability – the good, the bad, and the uglyTimetrix
 
Best practices with development of enterprise-scale SharePoint solutions - Pa...
Best practices with development of enterprise-scale SharePoint solutions - Pa...Best practices with development of enterprise-scale SharePoint solutions - Pa...
Best practices with development of enterprise-scale SharePoint solutions - Pa...SPC Adriatics
 
2019 2 testing and verification of vlsi design_verification
2019 2 testing and verification of vlsi design_verification2019 2 testing and verification of vlsi design_verification
2019 2 testing and verification of vlsi design_verificationUsha Mehta
 
DevOpsDays SLC - Getting Along With Your DBOps Team
DevOpsDays SLC - Getting Along With Your DBOps TeamDevOpsDays SLC - Getting Along With Your DBOps Team
DevOpsDays SLC - Getting Along With Your DBOps TeamNick DeMaster
 
Machine learning systems for engineers
Machine learning systems for engineersMachine learning systems for engineers
Machine learning systems for engineersCameron Joannidis
 
Things to ponder before you start building [cooperate] software
Things to ponder before you start building [cooperate] softwareThings to ponder before you start building [cooperate] software
Things to ponder before you start building [cooperate] softwareTharindu Weerasinghe
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsTom Cappetta
 
Converting Your Legacy Data to S1000D
Converting Your Legacy Data to S1000DConverting Your Legacy Data to S1000D
Converting Your Legacy Data to S1000Ddclsocialmedia
 
The Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningThe Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningjClarity
 
Developing and Implementing a QA Plan During Your Legacy Data to S1000D
Developing and Implementing a QA Plan During Your Legacy Data to S1000DDeveloping and Implementing a QA Plan During Your Legacy Data to S1000D
Developing and Implementing a QA Plan During Your Legacy Data to S1000Ddclsocialmedia
 
Using Time Series for Full Observability of a SaaS Platform
Using Time Series for Full Observability of a SaaS PlatformUsing Time Series for Full Observability of a SaaS Platform
Using Time Series for Full Observability of a SaaS PlatformDevOps.com
 
Minimum Viable Architecture - Good Enough is Good Enough
Minimum Viable Architecture - Good Enough is Good EnoughMinimum Viable Architecture - Good Enough is Good Enough
Minimum Viable Architecture - Good Enough is Good EnoughRandy Shoup
 
Observability - the good, the bad, and the ugly
Observability - the good, the bad, and the uglyObservability - the good, the bad, and the ugly
Observability - the good, the bad, and the uglyAleksandr Tavgen
 
Service Architectures at Scale
Service Architectures at ScaleService Architectures at Scale
Service Architectures at ScaleRandy Shoup
 
Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)
Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)
Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)Neotys_Partner
 
MongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDB
MongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDBMongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDB
MongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDBMongoDB
 

Ähnlich wie Nist cosa-foundation v7 (20)

Introduction to Agile Hardware
Introduction to Agile Hardware Introduction to Agile Hardware
Introduction to Agile Hardware
 
Observability – the good, the bad, and the ugly
Observability – the good, the bad, and the uglyObservability – the good, the bad, and the ugly
Observability – the good, the bad, and the ugly
 
Best practices with development of enterprise-scale SharePoint solutions - Pa...
Best practices with development of enterprise-scale SharePoint solutions - Pa...Best practices with development of enterprise-scale SharePoint solutions - Pa...
Best practices with development of enterprise-scale SharePoint solutions - Pa...
 
Future se oct15
Future se oct15Future se oct15
Future se oct15
 
2019 2 testing and verification of vlsi design_verification
2019 2 testing and verification of vlsi design_verification2019 2 testing and verification of vlsi design_verification
2019 2 testing and verification of vlsi design_verification
 
DevOpsDays SLC - Getting Along With Your DBOps Team
DevOpsDays SLC - Getting Along With Your DBOps TeamDevOpsDays SLC - Getting Along With Your DBOps Team
DevOpsDays SLC - Getting Along With Your DBOps Team
 
Machine learning systems for engineers
Machine learning systems for engineersMachine learning systems for engineers
Machine learning systems for engineers
 
Things to ponder before you start building [cooperate] software
Things to ponder before you start building [cooperate] softwareThings to ponder before you start building [cooperate] software
Things to ponder before you start building [cooperate] software
 
Embracing the Rise of SecDevOps
Embracing the Rise of SecDevOpsEmbracing the Rise of SecDevOps
Embracing the Rise of SecDevOps
 
Converting Your Legacy Data to S1000D
Converting Your Legacy Data to S1000DConverting Your Legacy Data to S1000D
Converting Your Legacy Data to S1000D
 
The Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance TuningThe Diabolical Developers Guide to Performance Tuning
The Diabolical Developers Guide to Performance Tuning
 
Developing and Implementing a QA Plan During Your Legacy Data to S1000D
Developing and Implementing a QA Plan During Your Legacy Data to S1000DDeveloping and Implementing a QA Plan During Your Legacy Data to S1000D
Developing and Implementing a QA Plan During Your Legacy Data to S1000D
 
Using Time Series for Full Observability of a SaaS Platform
Using Time Series for Full Observability of a SaaS PlatformUsing Time Series for Full Observability of a SaaS Platform
Using Time Series for Full Observability of a SaaS Platform
 
Minimum Viable Architecture - Good Enough is Good Enough
Minimum Viable Architecture - Good Enough is Good EnoughMinimum Viable Architecture - Good Enough is Good Enough
Minimum Viable Architecture - Good Enough is Good Enough
 
Observability - the good, the bad, and the ugly
Observability - the good, the bad, and the uglyObservability - the good, the bad, and the ugly
Observability - the good, the bad, and the ugly
 
Service Architectures at Scale
Service Architectures at ScaleService Architectures at Scale
Service Architectures at Scale
 
Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)
Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)
Jonathon Wright - Intelligent Performance Cognitive Learning (AIOps)
 
Spm lecture-3
Spm lecture-3Spm lecture-3
Spm lecture-3
 
Lect3
Lect3Lect3
Lect3
 
MongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDB
MongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDBMongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDB
MongoDB.local Atlanta: MongoDB @ Sensus: Xylem IoT and MongoDB
 

Mehr von Gordon Morrison

Processing data using regular expressions
Processing data using regular expressionsProcessing data using regular expressions
Processing data using regular expressionsGordon Morrison
 
Extract Translae Load by-the-numbers
Extract Translae Load by-the-numbersExtract Translae Load by-the-numbers
Extract Translae Load by-the-numbersGordon Morrison
 
Black capped night heron v1
Black capped night heron v1Black capped night heron v1
Black capped night heron v1Gordon Morrison
 
Gordon morrison temporalengineering-delphi-v3
Gordon morrison temporalengineering-delphi-v3Gordon morrison temporalengineering-delphi-v3
Gordon morrison temporalengineering-delphi-v3Gordon Morrison
 
NIST COSA-Foundation Software
NIST COSA-Foundation SoftwareNIST COSA-Foundation Software
NIST COSA-Foundation SoftwareGordon Morrison
 
Meta edit calc execution v3
Meta edit calc execution v3Meta edit calc execution v3
Meta edit calc execution v3Gordon Morrison
 
workflow in temporal state machine v1
workflow in temporal state machine v1workflow in temporal state machine v1
workflow in temporal state machine v1Gordon Morrison
 

Mehr von Gordon Morrison (12)

Processing data using regular expressions
Processing data using regular expressionsProcessing data using regular expressions
Processing data using regular expressions
 
Extract Translae Load by-the-numbers
Extract Translae Load by-the-numbersExtract Translae Load by-the-numbers
Extract Translae Load by-the-numbers
 
Black capped night heron v1
Black capped night heron v1Black capped night heron v1
Black capped night heron v1
 
Gordon morrison temporalengineering-delphi-v3
Gordon morrison temporalengineering-delphi-v3Gordon morrison temporalengineering-delphi-v3
Gordon morrison temporalengineering-delphi-v3
 
NIST COSA-Foundation Software
NIST COSA-Foundation SoftwareNIST COSA-Foundation Software
NIST COSA-Foundation Software
 
Meta edit calc execution v3
Meta edit calc execution v3Meta edit calc execution v3
Meta edit calc execution v3
 
Cosa movie v8 handout
Cosa movie v8 handout Cosa movie v8 handout
Cosa movie v8 handout
 
It wasn’t the if-
It wasn’t the if-It wasn’t the if-
It wasn’t the if-
 
Cosa top down
Cosa top downCosa top down
Cosa top down
 
workflow in temporal state machine v1
workflow in temporal state machine v1workflow in temporal state machine v1
workflow in temporal state machine v1
 
A true state machine
A true state machineA true state machine
A true state machine
 
New Cosa Movie V8
New Cosa Movie V8New Cosa Movie V8
New Cosa Movie V8
 

Kürzlich hochgeladen

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Kürzlich hochgeladen (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 

Nist cosa-foundation v7

  • 1. NIST: Request for Information Relating to Cybersecurity Frameworks A Foundation Response by Gordon E Morrison Gordon.Morrison@VSMerlot.com (816-835-3071) 2951 Marina Bay Dr. 130-250 League City, TX 77573 19/22/2013 www.VSMerlot.com
  • 2. Cyber Secure Framework • Can’t exist without a proper foundation • Current Foundation – Spaghetti code • “if – then – else” • “case – switch” • Not organized • Not structured – Artistic • Approach will not be as secure as it could be 9/22/2013 www.VSMerlot.com 2
  • 3. Foundation Definition • Foundation – the architecture that software uses as the core structure for organizing human written or machine generated code. Currently writing or generating code is an artistic endeavor without an engineering structure. In practice a software engineered foundation does not exist. 9/22/2013 www.VSMerlot.com 3
  • 4. Framework Definition • Framework – the collection of software designed to provide services built on a nonexistent foundation. Frameworks are often combined into application specific libraries or collections. 9/22/2013 www.VSMerlot.com 4
  • 5. Software Engineering Practices • Foundation – Lacking a foundation architecture – Lacking an engineering discipline • Coding is artistic – Requirements – Specifications – Models • All depend on the foundation • Implementations drift away form original design documentation • Synchronization requires manual effort • Frameworks are built sans foundation 9/22/2013 www.VSMerlot.com 5
  • 6. From CMU-SEI • www.sei.cmu.edu/solutions/softwaredev/ • “The quality of a system is influenced by the quality of the process used to acquire, develop, and maintain it, the analysis and forethought that goes into an architecture…” 9/22/2013 www.VSMerlot.com 6
  • 7. CMU –SEI (cont’d) • “Using proven methods for progress and product quality, software success is predictable and achievable, and failure is avoidable.” 9/22/2013 www.VSMerlot.com 7
  • 8. CMU – SEI (cont’d) • “Once coding starts, teams trained in mature software engineering processes can remove defects early, when defect removal is 10 to 100 times less costly than it is during test.” 9/22/2013 www.VSMerlot.com 8
  • 9. Requirements • SEI alludes to failures due to lack of requirements. • SEI requirements don’t correlate to the application over time. • SEI requirements are documents that fail to stay in sync over time. • SEI approach not as good as it could be. A good idea poorly implemented. 9/22/2013 www.VSMerlot.com 9
  • 10. No CMU-SEI Foundation Definition • Big money is in process consulting – CMU-SEI sells what it knows – Doesn’t understand lacking foundation • No solution to spaghetti code – Process Management • Often referred to as “Software Engineering” • Without a good foundation success is difficult at best. • CMU-SEI – room for improvement 9/22/2013 www.VSMerlot.com 10
  • 11. SEI Template • SEI uses a template to collect information – It’s a fill in form approach – State information – Action information – Provides documentation • Template becomes throwaway • The template will not stay in sync • Good idea – poorly implemented 9/22/2013 www.VSMerlot.com 11
  • 12. Herding Cats is the Standard • Programmers want to be engineers – An engineering foundation is missing • “if-then-else” and “case-switch” statements: – Are the cause of spaghetti code – Create logic that is overly complex – No support for temporal control flow • Required for correlation 9/22/2013 www.VSMerlot.com 12
  • 13. Temporal Software Engineering • Similar to CMU-SEI template based logic • Integrated into the application • Uses Vector State Machine – Correlates to • Requirements • Specification • Model Driven Architecture – Maps to IDEF ++ process • Improved IDEF0 & IDEF1 • Provides a solid organized foundation 9/22/2013 www.VSMerlot.com 13
  • 14. CMU-SEI Example Template Student J. Developer Date 10/27 Program LogIn Program # Instructor Humphrey Language C++ State Name Description Start Start condition for system CheckD The state of the system after a user ID is requested CheckPW The state of the system after a user password is requested End The final state: LogIn either logs in or cuts off the user. Function/Parameter Description ID User identification: ID is Valid or !Valid PW User password: PW is Valid or !Valid n Integer count of ID and password errors nMax Maximum value of ID and password errors: n >= nMax is rejected. Fail Error count or timeout error indicator: Fail = true is failure, Fail = false is ok. States/Next States Transition Condition Action Start Start No transitions from Start to Start CheckID True Get ID, n := 0; ID and PW !Valid CheckPW No transitions from Start to CheckPW End No transitions from Start to End CheckID Start No transitions from CheckID to Start CheckID No transitions from CheckID to CheckID CheckPW Valid ID Get password CheckPW !Valid ID Get password End Timeout Fail := true CheckPW Start No transitions from CheckPW to Start CheckID (!Valid PW  !Valid ID)  n < nMax  !Timeout Get ID, n := n + 1 CheckPW No transitions from CheckPW to CheckPW End Valid PW  Valid ID Fail := false, login user End (n >= nMax  Timeout)  (!Valid PW  !Valid ID) Fail := true, cut off user End No transitions from End to any state • SEI-TSP/PSP – Rule – State – Action • Mixed Modes • Does not correlate with solution • Software Engineers DON’T sync this document! 9/22/2013 www.VSMerlot.com 14
  • 15. CMU-SEI - Stopwatch Example State Name Description Zero Start condition for system Running Stopwatch running and displaying On-hold Stopwatch running with display on hold Stopped Stopwatch stopped States/Next States Transition Condition Action Zero Zero reset  hold Stop clock, reset clock, clear display Running start/stop Start clock, display clock Running Zero reset Stop clock, reset clock, clear display On-hold hold Hold display Stopped start/stop Stop clock, hold display On-hold Zero reset Stop clock, reset clock, clear display Running hold Start clock, display clock Stopped start/stop Stop clock, hold display Stopped Zero reset Stop clock, reset clock, clear display Running start/stop Start clock, display clock Stopped hold Stop clock, hold display •Work is not part of implementation •Must be converted to if/else or switch-case logic 9/22/2013 www.VSMerlot.com 15
  • 16. Proposed Foundation • COSA – based on US Patent 6,345,387 – Free of License – Free of License! – Template based executable logic table – Table based Vector State Machine (VSM) • Temporal Engineering – the use of COSA, correlating all aspects of the software development life cycle. • Temporal Engineering – improves the CMU-SEI management paradigm – Everything stays in sync!!! • This is a good idea – good implementation 9/22/2013 www.VSMerlot.com 16
  • 17. SEI vs. COSA • Work going into the SEI template is not directly used, i.e. it’s wasted. • Work put into a COSA table is used – The table is a logic template – The table is executed with COSA Engine – Testable with populated member functions or stubs – Does one thing and does it well – Includes trace debugging 9/22/2013 www.VSMerlot.com 17
  • 18. No Foundation vs. Foundation www.VSMerlot.com 18 • No Foundation Today – Bucket-of-Bolts • Spaghetti code • Foundation – COSA – An Engineering Discipline – Not an artistic approach – Not just writing code – Organized – Standardized • COSA – No License required – Patent definition open disclosure – Book available on Amazon.com 9/22/2013
  • 19. What’s Missing • “Software engineering” mentioned on slide 8 does not refer to a foundation architecture. • It refers to the process in which the code is developed. • The fundamental “if-then-else” structure i.e. “spaghetti” code that SEI teaches. • Compare the next two slides… 9/22/2013 www.VSMerlot.com 19
  • 20. Traditional Software What is Delivered • Authors that are like Herding Cats • The style of the author • Inconsistent development styles • Control and Preemptablity an after thought • Multiple if-then-else logic dispersed everywhere • Spaghetti Logic • Trace - True • Numerously inserted trace logic • NONE • Trace – False • Numerously inserted trace logic • Spaghetti Logic • NONE • NONE • Rarely Well Defined – No Rules – Independent Specification – Inconsistent Analysis • Never Orthogonal – Spaghetti Logic – Spaghetti Data 9/22/2013 www.VSMerlot.com 20 What Is Wanted • Engineering Discipline • Uniformity • Consistency • Preemptablity • Single Point Logic Testing • Trace - True – True Behavior Logic – True Logic Trace – True Logic Temporal Path • Trace - False – False Behavior Logic – False Logic Trace – False Logic Temporal Path • Well Defined – Rules – Specification – Analysis • Orthogonal – Logic – Data
  • 21. COSA Engineering 9/22/2013 www.VSMerlot.com 21 COSA Delivers • Engineering Discipline • Uniformity • Consistency • Preemptablity • Single Point Logic Testing • Trace - True – Static Document Trace – Dynamic Logic Trace • Trace – False – Static Document Trace – Dynamic Logic Trace • Well Defined – Template Rules – Specification – Traced Spec to Application • Orthogonal – Logic – Data What Is Wanted • Engineering Discipline • Uniformity • Consistency • Preemptablity • Single Point Logic Testing • Trace - True – True Behavior Logic – True Logic Trace – True Logic Temporal Path • Trace - False – False Behavior Logic – False Logic Trace – False Logic Temporal Path • Well Defined – Rules – Specification – Analysis • Orthogonal – Logic – Data
  • 22. Complexity is out of control 9/22/2013 www.VSMerlot.com 22
  • 24. Now with Trace 9/22/2013 www.VSMerlot.com 24
  • 25. ITE Trace Complexity 9/22/2013 www.VSMerlot.com 25 • 3 columns of trace – 4 columns info in each • Little info • Embedded throughout program • Side effects • 107 states
  • 26. COSA Trace More Information Count Step Trace Eng Static Dynamic Behavior Value 1 +T= 0; 100 Off; 44; 44; Negate; N= - 2 +T= 1; 101 Off; 1; 1; Any_Number; N= -3 3 ĞF= 1; 101 On; 1; 59; Ignore; N= 4 +T= 2; 102 Off; 59; 59; One_Perio d; N= -3. 5 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.1 6 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.14 7 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.141 8 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.1415 9 +T= 3; 103 Off; 1; 1; Any_Number; N= -3.14159 10 ĞF= 3; 103 On; 1; 44; Ignore; N= 11 ĞF= 4; 104 On; 12; 44; Ignore; N= 12 ĞF= 5; 105 On; 11; 44; Ignore; N= 13 ĞF= 6; 106 On; 1; 44; Push_Disp ; N= 14 ĞF= 7; 500 On; 43; 44; Ignore; N= 15 +T= 8; 501 On; 44; 1; Subtraction; N= -3.14159 16 +T= 12; 700 Off; 1; 1; Engine_Off; N= -3.14159 17 +T= 13; 701 Off; 44; 44; Negate; N= - 18 +T= 14; 702 Off; 1; 1; Any_Number; N= -2 19 ĞF= 14; 702 Off; 1; 59; Ignore; N= 20 +T= 15; 703 Off; 59; 59; One_Perio d; N= -2. 21 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.1 22 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.14 23 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.141 24 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.1415 25 +T= 16; 704 Off; 1; 1; Any_Number; N= -2.14159 26 ĞF= 16; 705 On; 1; 13; Ignore; N= 27 ĞF= 18; 706 On; 12; 13; Ignore; N= 28 ĞF= 17; 707 On; 1; 13; Save_Disp; N= 29 ĞF= 19; 900 On; 11; 13; Ignore; N= 30 +T= 20; 901 Off; 13; 13; Equals; N= -1 • 1 Column Trace – 8 Columns Info • Reduced Complexity • More Information • Dynamic On-Off • Minimal side effects • 30 states vs. 107 9/22/2013 www.VSMerlot.com 26
  • 27. Carnegie Mellon - SEI Copyright Northrop Grumman Company 20032211/18/2003 CMMI Extensibility and Flexibility Engineering Management Processes Program Management Processes Process Infrastructure Processes Integrated Enterprise Process Engineering Processes COSA impact 9/22/2013 www.VSMerlot.com 27
  • 28. A 4 Step COSA Solution 1) Well Defined Core Foundation – COSA – Table Drive Vector State Machine • Temporal Software Engineering 2) Model Driven Architecture – WYSIWYG BNF model to application – Rules / Logic can be tested on boundary values 3) Re-manufactured Applications – Legacy Integrated Forward Engineering (LIFE) – Replaces & Reduces Maintenance Costs 4) System Level Integration – Focus on top-down organization – Reduce failures, improve quality, reduce costs 9/22/2013 www.VSMerlot.com 28