Standardizing Speed and Security for Software-Based Systems
Frances Paulisch, Siemens Corporate Technology
A common thematic trend at SATURN is people and culture: the change from command and control to more empowerment and autonomy, enabling people to make decentralized decisions. Conveying the vision so that people can make decisions in the right way is a more motivating way to work together.
The software initiative at Siemens will take on more of a governance role. Siemens faces embedded-system complexity; software is not subject to the laws of physics. More interfaces bring potential benefits but also more potential threats, and as software interconnects with everything it is exposed to the growing number of threats in the cyber world.
Siemens is active in energy, healthcare, industry, infrastructure, and cities, with more than 15,000 software engineers worldwide; 60% of sales come from products based on software. Projects are large and multisite. Increasing functionality is realized in software, and quality attributes are important. Siemens is an integrated technology company and an active member of the software engineering community, able to offer a large span of products.
Much of the work is infrastructure and single-solution products for big customers, as opposed to mass-market products.
In R&D, an architecture-driven approach is recognized as the most effective way to achieve quality attributes in products.
Strong process orientation. Commitment to CMMI-based process assessment and improvement activities, realized in an iterative and agile way.
Organizational structure: mix of central guidance and empowerment of parts, both Siemens-wide and within business units.
Software Initiative Curriculum – qualification and training program to address critical roles. Networking by missionaries in technical debt, internal code quality, test-driven domain modeling, IT security, open source, and model-driven development.
Software Initiative Guiding Principles on how to do software, e.g., early attention to quality attributes, and an architect who is central to development and involved the whole time. Teach the same common understanding to the various roles involved, and encourage the recommended way of doing software development.
Process maturity–common process throughout Siemens. Accommodation of improvement suggestions. Experience with Agile and Lean.
See “Management Challenges to Implement Agile Processes in Traditional Development Organizations,” Barry Boehm and Richard Turner, IEEE Software, Sept/Oct 2005.
Growing threat. Only a fully integrated secure development lifecycle ensures protection against targeted attacks. Three strategies: adding security features; singular, ad hoc activities; and "design for security." It is more effective to build security in during the development cycle. This is a business opportunity for an organization: treating design for security as a system quality attribute.
Vulnerabilities can be at the coding, algorithm, architecture, or configuration level.
A model similar to CMMI is required to provide security guidance in a diverse environment. Siemens defined an extension to CMMI that addresses cyber security, called +SECURE, currently under review by the SEI and SEI Partners. It is a CMMI-like framework for secure development guidance; other best-practice collections are helpful, just not at the process level. Process Areas: Organizational Preparedness for Secure Development (OPS), Security Management in Projects (SMP), Security Requirements & Technical Solution (SRT), Security Verification & Validation (SVV). This is Siemens' way of communicating to the various roles what to do with respect to security.
Improvement of secure development results in building a security organization at both the organizational and project levels. Secure development requires a security organization that provides guidance, with people trained and assigned responsibilities. The recommended security headcount varies, up to 2% of the development organization.
Security know-how is required for process improvement, execution, and appraisal. One way to protect systems is to compartmentalize the problem: isolate the layer where security is most needed. The systems integrator must look through the entire chain of the product as used at the customer site.
- coaching and independent checking (not process police)
- make it easy for developers and others to do what is necessary as part of regular work, e.g., piggyback +SECURE onto CMMI
- focus on characteristics of the product, not the process
- design security into systems from the beginning