2005 PRICE INSight

PRICE True S Solution Addresses Software Security Assurance and Corresponding Effects on Project Costs

The Department of Defense recently requested the Government Electronics and Information Technology Association (GEIA) to study the issues associated with software assurance and related cyber security, with particular emphasis on software systems using a predominance of Commercial Off-The-Shelf (COTS) products. The increasing scrutiny of software security comes as no surprise, since the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, which tracks incidents of malicious software intrusions, reports a 2099 percent increase in incidents from 1998 to 2002.

Constantly increasing technological capabilities, and our dependence on them, guarantee that the need for software security assurance will continue to grow as time and technology proceed. Though decidedly necessary, such assurance comes with a cost.

True S Security Level Adjuster Comparable with Industry Standards

PRICE Systems' True S Software Cost Estimating Model accounts for security assurance levels and their effects on costs for key activities during any software development or integration project. The security level input in True S provides analogs to various industry standards for software assurance and trusted software, enabling credible estimates of cost and effort for software projects in conformance with specific security assurance standards.

True S uses Common Criteria Evaluation Assurance Levels and the Common Criteria for Information Technology Security Evaluation (CC) as the basis for evaluating security requirements. The CC was developed to provide standards for security criteria and the evaluation processes. The CC contains seven hierarchical sets of assurance requirements called Evaluation Assurance Levels (EAL), with EAL1 representing the least amount of security and EAL7 the most.

From EAL1 to EAL7, the Evaluation Assurance Levels impose increasingly rigorous requirements for documentation, design and formal processes, and are comparable to both the Federal Aviation Administration's DO-178B Safety Standard Levels and the National Security Agency's Separation Kernel Protection Profile (NSA SKPP).

True S Correlation with Industry Standards

The security level adjuster found in True S is detailed as follows:

Low
Nominal (EAL level 1, 2)
High (EAL level 3, 4)
Very High (EAL level 5)
Extremely High (EAL level 6)

The Federal Aviation Administration requires all flight software to be developed with DO-178B Safety Standards. The DO-178B software levels are based on the potential of the software to cause safety-related failures identified in the system safety assessment. The levels run from A to D, with A being the highest and safest level. DO-178B and CC EALs have been found to be very similar, with a DO-178B Level A equivalent to EAL 4+ or EAL 5.

NSA SKPP is the most demanding security protection profile currently defined. This standard also has 7 levels which can be considered analogs to the CC EAL levels in True S.

As new standards evolve, PRICE Systems will continue to provide research and solutions to ensure our software cost modeling tools keep pace with the latest security assurance advancements.
