Abstract
Content area bibliography.
Anderson, Ross J. Security Engineering: A Guide to Building Dependable Distributed Systems. New York, NY: John Wiley & Sons, 2001.
Arlat, J.; Aguera, M.; Amat, L.; Crouzet, Y.; Fabre, J.-C.; Laprie, J.-C.; Martins, E.; & Powell, D. “Fault Injection for Dependability Validation: A Methodology and Some Applications.” IEEE Transactions on Software Engineering 16, 2 (February 1990): 166-82.
Bass, L.; Clements, P.; & Kazman, R. Software Architecture in Practice, 2nd ed. Reading, MA: Addison-Wesley, 2003.
Bedford, Tim & Cooke, Roger. Probabilistic Risk Analysis: Foundations and Methods. Cambridge, UK: Cambridge University Press, 2001.
Bishop, Matt. Computer Security: Art and Science. Boston, MA: Addison-Wesley Professional, 2002.
Bishop, Matt. Introduction to Computer Security. Boston, MA: Addison-Wesley Professional, 2004.
Clements, Paul; Bachmann, Felix; Bass, Len; Garlan, David; Ivers, James; Little, Reed; Nord, Robert; & Stafford, Judith. Documenting Software Architectures: Views and Beyond. Boston, MA: Addison-Wesley Professional, 2002.
Costello, Daniel J., Jr.; Hagenauer, Joachim; Imai, Hideki; & Wicker, Stephen B. “Applications of Error-Control Coding.” IEEE Transactions on Information Theory 44, 6 (October 1998): 2531-2560.
Evans, Eric. Domain-Driven Design: Tackling Complexity in the Heart of Software. Boston, MA: Addison-Wesley Professional, 2003.
Ferraiolo, David F.; Kuhn, D. Richard; & Chandramouli, Ramaswamy. Role-Based Access Control. Artech House Publishers, 2003.
Fowler, Martin. Patterns of Enterprise Application Architecture. Boston, MA: Addison-Wesley Professional, 2002.
Graff, Mark G. & Van Wyk, Kenneth R. Secure Coding: Principles and Practices. Sebastopol, CA: O’Reilly, 2003.
Hoglund, Greg & McGraw, Gary. Exploiting Software: How to Break Code. Boston, MA: Addison-Wesley Professional, 2004.
Hohpe, Gregor & Woolf, Bobby. Enterprise Integration Patterns: Designing, Building, and Deploying Messaging Solutions. Boston, MA: Addison-Wesley Professional, 2003.
Howard, Michael & LeBlanc, David C. Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2002.
Ippolito, L. M. & Wallace, D. R. A Study on Hazard Analysis in High Integrity Software: Software Standards and Guidelines (NISTIR 5589). Gaithersburg, MD: National Institute of Standards and Technology, 1995.
Jones, Andy & Ashenden, Debi. Risk Management for Computer Security: Protecting Your Network & Information Assets. Burlington, MA: Butterworth-Heinemann, 2005.
Kaner, Cem. “Accountability for Defects in Commercial Software: Controversy Over the Ground Rules.” Colloquium at Carnegie Mellon University, Pittsburgh, PA, 2004.
Kazman, R.; Klein, M.; & Clements, P. ATAM: Method for Architecture Evaluation (CMU/SEI-2000-TR-004, ADA382629). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000. http://www.sei.cmu.edu/publications/documents/00.reports/00tr004.html.
Kerievsky, Joshua. Refactoring to Patterns. Boston, MA: Addison-Wesley Professional, 2004.
King, Christopher; Osmanoglu, Ertem; & Dalton, Curtis. Security Architecture: Design, Deployment and Operations. Emeryville, CA: Osborne/McGraw-Hill, 2001.
Koller, Glenn Robert. Risk Assessment and Decision Making in Business and Industry: A Practical Guide. Boca Raton, FL: CRC Press, 1999.
Koziol, Jack; Litchfield, David; Aitel, Dave; Anley, Chris; Eren, Sinan “noir”; Mehta, Neel; & Hassell, Riley. The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. New York, NY: John Wiley & Sons, 2004.
Kumamoto, Hiromitsu & Henley, Ernest J. Probabilistic Risk Assessment and Management for Engineers and Scientists, 2nd ed. New York, NY: Wiley-IEEE Press, 2000.
Landwehr, Carl E.; Bull, A. R.; McDermott, J. P.; & Choi, W. S. A Taxonomy of Computer Security Flaws, with Examples (Naval Research Laboratory Report No. NRL/FR/5542-93/9591). Washington, DC: Naval Research Laboratory, 1993.
Lopez, M. An Evaluation Theory Perspective of the Architecture Tradeoff Analysis Method (ATAM) (CMU/SEI-2000-TR-012, ADA387265). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000. http://www.sei.cmu.edu/publications/documents/00.reports/00tr012.html.
McConnell, Steve. Code Complete, 2nd ed. Redmond, WA: Microsoft Press, 2004.
McGraw, Gary. “Managing Software Security Risks.” Computer 35, 4 (March 2002): 99-101.
Neumann, Peter G. Computer-Related Risks. Boston, MA: Addison-Wesley Professional, 1994.
Peikari, Cyrus & Chuvakin, Anton. Security Warrior. Sebastopol, CA: O’Reilly, 2004.
Ramachandran, Jay. Designing Security Architecture Solutions. New York, NY: John Wiley & Sons, 2002.
Rubin, Aviel D. White-Hat Security Arsenal: Tackling the Threats. Boston, MA: Addison-Wesley Professional, 2001.
Swiderski, Frank & Snyder, Window. Threat Modeling. Redmond, WA: Microsoft Press, 2004.
Viega, John & McGraw, Gary. Building Secure Software: How to Avoid Security Problems the Right Way. Boston, MA: Addison-Wesley Professional, 2001.
Voas, Jeffrey M. & McGraw, Gary. Software Fault Injection: Inoculating Programs Against Errors. New York, NY: John Wiley & Sons, 1998.
Voas, Jeffrey M. & Miller, Keith W. “Using Fault Injection to Assess Software Engineering Standards,” 139-145. Proceedings of the Second IEEE International Software Engineering Standards Symposium. Montreal, Quebec, Aug. 21-25, 1995. New York, NY: IEEE Computer Society Press, 1995.
Zuse, Horst. Software Complexity: Measures and Methods. Berlin, Germany: W. de Gruyter, 1991.
Copyright © Cigital, Inc. 2005-2007. Cigital retains copyrights to this material.
Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
For information regarding external or commercial use of copyrighted materials owned by Cigital, including information about “Fair Use,” contact Cigital at copyright@cigital.com.
The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.