An empirical study of industrial security-engineering practices

  • Authors:

  • Rayford B. Vaughn, Jr.;Ronda Henning;Kevin Fox

  • Affiliations:

  • Department of Computer Science, Mississippi State University, P.O. Box 9637, Mississippi State, MS;Department of Computer Science, Mississippi State University, P.O. Box 9637, Mississippi State, MS;Harris Corporation, Government Communications Systems Division, MS W2/9703, P.O. Box 37, Melbourne, FL

  • Venue:
  • Journal of Systems and Software
  • Year:
  • 2002

Quantified Score

Hi-index 0.00

Visualization

Abstract

This paper presents lessons learned and observations noted about the state of security-engineering practices by three information security practitioners with different perspectives - two in industry and one in academia. All authors have more than 20-years experience in this field and two were former members of the US National Computer Security Center during the early days of the Trusted Computer System Evaluation Criteria and the strong promotion of trusted operating systems that accompanied the release of that document. In the last 20 years, it has been argued that security-engineering practices have not kept pace with the escalating threats to information systems. Much has occurred since that time - new security paradigms, failure of evaluated products to emerge into common use, new systemic threats, and an increased awareness of the risk faced by information systems. This paper presents an empirical view of lessons learned in security-engineering, experiences in applying the trade, and observations made about the successes and failures of security practices and technology. This work was sponsored in part by NSF Grant.