Security Engineering Risk Analysis (SERA)

During the acquisition and development of software-reliant systems, the normal focus is on meeting functional requirements; security is often deferred to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment, not engineered into systems. As a result, many software-reliant systems are deployed with significant residual security risk, putting operations in jeopardy.

Vulnerabilities that affect operational security generally have three main causes: (1) design weaknesses, (2) implementation/coding errors, and (3) system configuration errors. Our research focuses primarily on design weaknesses that cannot be corrected easily during operations.

Our researchers are currently developing the Security Engineering Risk Analysis (SERA) method, an approach for identifying and analyzing the impact of design weaknesses early in the lifecycle. Early detection and remediation of design weaknesses help to reduce residual security risk when a system is deployed. Our researchers are developing and analyzing scenarios that identify security risks and needed mitigations. They are also confirming requirements for addressing those mitigations.

The purpose of this research is to help acquisition and development organizations move beyond compliance to consider cybersecurity risks from a mission/operational perspective and identify a more complete set of security requirements.

The SEI is a leader in software and security risk management, providing non-proprietary risk management solutions for over twenty years. Two SEI risk methods have had considerable impact on risk management practice throughout the software engineering and cybersecurity communities:

  • The Continuous Risk Management (CRM) method enables acquisition and development programs to manage their program risks.
  • The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method enables organizations to assess their operational information-security risks.