Book Chapters
Software Assurance in Education, Training & Certification, Life Cycle Support Volume I (Version 2.1, March 1, 2011).
Current events related to cybersecurity encourage a fundamental shift in the way we think about educating and training a workforce prepared to address security issues in all phases of a software system. Software assurance education and training aims to ensure adequate coverage of the requisite knowledge areas in contributing disciplines such as software engineering (including its many subdisciplines), systems engineering, and project management, so that the competencies associated with secure software can be identified and acquired. The primary audiences for this pocket guide are educators and trainers, who can use it to identify resources that supplement their efforts and strategies for injecting software assurance topics into existing education and training programs.
https://buildsecurityin.us-cert.gov/swa/downloads/SwAWETPG-02-25-11v2.1.pdf
Gandhi, R.A., Lee, S.W., "Ontology Guided Risk Analysis: From Informal Specifications to Formal Metrics," Information & Intelligent Systems, Springer Studies in Computational Intelligence, 2009.
Lee, S.W., Gandhi, R.A., Park, S., "Requirements: Tracing," The Encyclopedia of Software Engineering, Taylor and Francis Group, LLC, 2010.
Refereed Journal/Magazine Publications:
Mahoney, W., Gandhi, R.A., "An Integrated Framework for Control System Simulation and Regulatory Compliance Monitoring," International Journal on Critical Infrastructure Protection (IJCIP), 2011, http://dx.doi.org/10.1016/j.ijcip.2011.03.002.
Gandhi, R.A., Sharma, A., Mahoney, W., Sousan, W., Zhu, Q., Laplante, P., "Dimensions of Cyber-Attacks: Cultural, Social, Economic, and Political," IEEE Technology and Society Magazine, vol. 30, no. 1, pp. 28-38, Spring 2011, doi: 10.1109/MTS.2011.940293, URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5725605&isnumber=5725598
Gandhi, R.A., Siy, H., Wu, Y., "Studying Security Vulnerabilities," CrossTalk: The Journal of Defense Software Engineering, Sept/Oct issue, 2010.
Gandhi, R.A., Lee, S.W., "Discovering Multi-dimensional Correlations among Regulatory Requirements to Understand Risk," ACM Transactions on Software Engineering and Methodology (TOSEM), Volume 20, Issue 4, 2011.
Lee, S.W., Gandhi, R.A., Wagle, S.J., "Ontology Guided Dynamic Composition of Service-Oriented Architectures as Reflections of Process Definition," International Journal of Software Engineering and Knowledge Engineering, World Scientific, Vol. 19, No. 6, September 2009. (Fully accepted July 14, 2008.)
Lee, S.W., Gandhi, R.A., Ahn, G., "Certification Process Artifacts Defined as Measurable Units for Software-intensive Systems Lifecycle," International Journal on Software Process: Improvement and Practice, Volume 12, Issue 2 (March/April), pp. 165-189, John Wiley & Sons, Ltd., 2007. (Published early view online in Wiley InterScience, www.interscience.wiley.com.) DOI: http://dx.doi.org/10.1002/spip.313
Lee, S.W., Gandhi, R.A., "Requirements as Enablers for Software Assurance," CrossTalk: The Journal of Defense Software Engineering, United States Department of Defense, Vol. 19, No. 12, pp. 20-24, December 2006.
Lee, S.W., Muthurajan, D., Gandhi, R.A., Yavagal, D., Ahn, G., "Building Decision Support Problem Domain Ontology from Security Requirements to Engineer Software-intensive Systems," International Journal on Software Engineering and Knowledge Engineering, World Scientific Publishing Company, Vol. 16, No. 6, pp. 851-884, December 2006.
Lee, S.W., Gandhi, R.A., Ahn, G., "Establishing Trustworthiness in Services of the Critical Infrastructure through Certification and Accreditation," ACM SIGSOFT Software Engineering Notes, Vol. 30, Issue 4, July 2005, ACM Press, New York, NY. (Also appeared in the SESS workshop at ICSE '05.)
Refereed Conference/Workshop Publications:
Sousan, W., Gandhi, R.A., Zhu, Q., Mahoney, W., "Using Anomalous Event Patterns in Control Systems for Tamper Detection," 7th Annual Cyber Security and Information Intelligence Research Workshop (CSIIRW 2011), Oak Ridge National Laboratory, Oak Ridge, TN, 2011.
Wertzberger, N., Glatter, C., Mahoney, W., Gandhi, R.A., Dick, K., "Towards a Low-Cost SCADA Test Bed: An Open-Source Platform for Hardware-in-the-Loop Simulation," The 2011 International Conference on Security and Management, Special Track on Mission Assurance and Critical Infrastructure Protection (STMACIP'11), Las Vegas, Nevada, 2011.
Siy, H., Wu, Y., Gandhi, R.A., "Empirical Results on the Study of Software Vulnerabilities" (NIER Track), In Proceedings of the 33rd International Conference on Software Engineering (ICSE 2011), Waikiki, Honolulu, Hawaii, May 21-28, 2011.
Sharma, A., Gandhi, R.A., Mahoney, W., Sousan, W., Zhu, Q., "Building a Social Dimensional Threat Model from Current and Historic Events of Cyber Attacks," International Symposium on Secure Computing (SecureCom-10), in conjunction with the Second IEEE International Conference on Privacy, Security, Risk and Trust.
Walnez, B., Gandhi, R.A., Mahoney, W., Zhu, Q., "Exploring Social Contexts along the Time Dimension: Temporal Analysis of Named Entities," International Symposium on Secure Computing (SecureCom-10), in conjunction with the Second IEEE International Conference on Privacy, Security, Risk and Trust.
Sousan, W., Gandhi, R.A., Mahoney, W., Zhu, Q., Sharma, A., "Using Term Extraction Patterns to Discover Coherent Relationships from Open Source Intelligence," International Symposium on Secure Computing (SecureCom-10), in conjunction with the Second IEEE International Conference on Privacy, Security, Risk and Trust.
Yan, W., Gandhi, R.A., Siy, H., "Using Semantic Templates to Study Vulnerabilities Recorded in Large Software Repositories," In Proceedings of the 6th International Workshop on Software Engineering for Secure Systems (SESS'10) at the 32nd International Conference on Software Engineering (ICSE 2010), Cape Town, South Africa, 2010.
Gandhi, R.A., Mahoney, W., Dick, K., Wilson, Z. (2010) "Language-driven Assurance for Regulatory Compliance of Control Systems," To appear in Proceedings of the 5th International Conference on Information Warfare and Security, The Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio, USA, 8-9 April 2010.
Cooper, J., Lee, S.W., Gandhi, R.A., Gotel, O. (2009) "Requirements Engineering Visualization: A Survey on the State-of-the-Art," In Proceedings of the Fourth International Workshop on Requirements Engineering Visualization (REV'09), at the 17th International Conference on Requirements Engineering, Atlanta, Georgia, USA.
Gandhi, R.A., Mahoney, W., Dick, K. (2009) "ADACS – A Language for Monitoring Regulatory Compliance in Control Systems," In Proceedings of the 2nd Workshop on Compiler and Architectural Techniques for Application Reliability and Security at the 39th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2009), Lisbon, Portugal.
Gandhi, R.A., Lee, S.W., "Assurance Case driven Case Study Design in Requirements Engineering Research," In 15th International Working Conference on Requirements Engineering: Foundations for Software Quality (REFSQ 2009).
Gandhi, R.A., Lee, S.W., "Discovering and Understanding Multi-dimensional Correlations among Certification Requirements with application to Risk Assessment," In Proceedings of the 15th IEEE International Requirements Engineering Conference (RE 07), October 15-19, Delhi, India, 2007. (Acceptance ratio 35/172 ≈ 20%.)
Gandhi, R.A., Lee, S.W., "Visual Analytics for Requirements-driven Risk Assessment," In Proceedings of the 2nd International Workshop on Requirements Engineering Visualization (REV 07) at the 15th IEEE International Requirements Engineering Conference (RE 07), October 15-19, Delhi, India, 2007.
Lee, S.W., Gandhi, R.A., Wagle, S., Murty, A., "r-AnalytiCA: Requirements Analytics for Certification & Accreditation," In Proceedings of the IEEE 15th International Requirements Engineering Conference (RE '07), Posters, Demos and Exhibits Session, October 15-19, Delhi, India, 2007.
Lee, S.W., Gandhi, R.A., Wagle, S., "Towards Requirements-driven Workbench for Supporting Software Certification and Accreditation," In Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS 07), at the 29th International Conference on Software Engineering (ICSE 07), Minneapolis, MN, USA, 2007.
Gandhi, R.A., Lee, S.W., "Methodological Support for Building Cohesion among Software Artifacts to Help Understanding Emergent Software Behavior," In Proceedings of the Doctoral Symposium at the 14th International Requirements Engineering Conference (RE'06), September 11-15, 2006, Minneapolis/St. Paul, Minnesota, USA.
Gandhi, R.A., Wagle, S., Lee, S.W., "Process Artifacts Defined as an Aspectual Service to System Models," In Proceedings of the 2nd International Workshop on Service-Oriented Computing: Consequences for Engineering Requirements (SOCCER'06), 14th International Requirements Engineering Conference (RE'06), September 11-15, 2006, Minneapolis/St. Paul, Minnesota, USA.
Richter, H., Gandhi, R.A., Liu, L., Lee, S.W., "Incorporating Multimedia Source Materials into a Traceability Framework," In Proceedings of the First International Workshop on Multimedia Requirements Engineering - Beyond Mere Descriptions, 14th International Requirements Engineering Conference (RE'06), September 11-15, 2006, Minneapolis/St. Paul, Minnesota, USA.
Lee, S.W., Gandhi, R.A., Muthurajan, D., Yavagal, D.S., Ahn, G., "Building Problem Domain Ontology from Security Requirements in Regulatory Documents," In Proceedings of the 2006 International Workshop on Software Engineering for Secure Systems (SESS '06), Shanghai, China, May 20-21, 2006, ACM Press, New York, NY, pp. 43-50.
Lee, S.W., Gandhi, R.A., "Ontology-based Active Requirements Engineering Framework," In Proceedings of the 12th Asia-Pacific Software Engineering Conference (APSEC '05), Taipei, Taiwan, Dec. 15-17, 2005, pp. 481-490, IEEE Computer Society Press.
Lee, S.W., Gandhi, R.A., Ahn, G., "Security Requirements Driven Risk Assessment for Critical Infrastructure Information Systems," In Proceedings of the 13th IEEE International Requirements Engineering Conference (RE '05), Symposium on Requirements Engineering for Information Security (SREIS 05), 8/29-9/2, Paris, France, IEEE Press. (Also invited for publication by Springer.)
Lee, S.W., Gandhi, R.A., "Engineering Dependability Requirements for Software-intensive Systems through the Definition of a Common Language," In Proceedings of the 13th IEEE International Requirements Engineering Conference (RE '05), Workshop on Requirements Engineering for High-Availability Systems (RHAS), pp. 40-48, 8/29-9/2, Paris, France, Software Engineering Institute (SEI), Carnegie Mellon University & IEEE Press.
Lee, S.W., Gandhi, R.A., "Ontology-based Active Requirements Engineering Framework," Accepted to the Eleventh International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ '05), in connection with the 17th Conference on Advanced Information Systems Engineering (CAiSE '05), June 13-17, Porto, Portugal, 2005.
Lee, S.W., Gandhi, R.A., Ahn, G., "Establishing Trustworthiness in Services of the Critical Infrastructure through Certification and Accreditation," In Proceedings of the 27th IEEE International Conference on Software Engineering (ICSE 05), Software Engineering for Secure Systems (SESS 05) Workshop, pp. 43-49, St. Louis, Missouri, May 15-21, 2005.
Lee, S.W., Ahn, G., Gandhi, R.A., "Engineering Information Assurance for Critical Infrastructures: The DITSCAP Automation Study," In Proceedings of the Fifteenth Annual International Symposium of the International Council on Systems Engineering (INCOSE '05) - Systems Engineering: Bridging Industry, Government, and Academia, Session 1, Track 2, Rochester, NY, July 10-15, 2005.
Yavagal, D.S., Lee, S.W., Ahn, G., Gandhi, R.A., "Common Criteria Requirements Modeling and its Uses for Quality of Information Assurance (QoIA)," In Proceedings of the 43rd Annual ACM Southeast Conference (ACMSE '05), Vol. 2, pp. 130-135, March 18-20, Kennesaw State University, Kennesaw, Georgia, 2005.
Lee, S.W., Gandhi, R.A., Ahn, G., Yavagal, D., "Active Automation of the DITSCAP," In Proceedings of the IEEE International Conference on Intelligence and Security Informatics (IEEE ISI-2005), Atlanta, Georgia, May 19-20, 2005. Lecture Notes in Computer Science, Vol. 3495, pp. 479-485, Springer.
Tolone, W.J., Gandhi, R.A., Ahn, G., "Locale-based Access Control: Placing Collaborative Authorization Decisions in Context," IEEE International Conference on Systems, Man and Cybernetics, 5-8 Oct. 2003, vol. 5, pp. 4120-4127.
Dissertation
Discovering and Understanding Multi-dimensional Correlations among Regulatory Certification Requirements with application to Risk Assessment
Advisor: Dr. Seok-Won Lee
Technical Reports
Gandhi, R., Mahoney, W., Dick, K., "ADACS – A Language for Monitoring Regulatory Compliance in Control Systems," Technical Report (white paper requested by Sponsored Programs), 2009.
Gandhi, R., Mahoney, W., Sharma, A., Sousan, W., Zhu, Q., "Following the Breadcrumbs: From Cultural, Social, Economic, and Political Turmoil to Cyber Attacks," Technical Report, Accepted (white paper requested by Dr. Bob Herklotz, AFOSR), 2009.
Nicoll, A., Gandhi, R., "Evaluating Processor Architectures for Multi-Level Secure Memory Management," Technical Report, Accepted, 7. 2009.
Gandhi, R., Burnham, B., "Development and Training with Multics-like System Interfaces to Enhance Trustworthy Computing Education," Technical Report, Accepted, 2. 2009.
Gandhi, R.A., Lee, S.W., "Understanding Risks in an Organizational Infrastructure during Software Certification Activities," TR-NISE-07-02, Feb. 2007.
Gandhi, R.A., Lee, S.W., "On Establishing Software Dependability through Certification and Accreditation Requirements," TR-NISE-07-01, Jan. 2007.
Gandhi, R.A., Lee, S.W., "Methodological Support for Engineering Needs-driven Software Dependability," TR-NiSE-06-03, Mar. 2006.
Lee, S.W., Gandhi, R.A., "Ontology-based Active Requirements Engineering and its Applications to the DITSCAP," TR-NiSE-05-06, June 2005.
Lee, S.W., Ahn, G., Gandhi, R.A., Yavagal, D., "An Information Assurance Engineering Methodology for Critical Infrastructure Protection: The DITSCAP Automation Study," TR-NiSE-04-03, Nov. 2004.