Building Bridges of Security, Sovereignty and Trust in Business and Industry 27th Edition | Page 41

CONTENTS
1 Cybersecurity as a Continuous, Knowledge-Based Process .......................... 39
1.1 Cybersecurity in the System Lifecycle ........................................... 39
1.2 Knowledge as the Backbone of Cybersecurity ...................................... 39
1.3 From Tool-Centric Pipelines to Knowledge Pipelines .............................. 40
1.4 Interoperability Standards and Automation ....................................... 41
2 System Facts as Foundational Knowledge for Cybersecurity Pipelines ................ 41
2.1 SysML: From Communication to Computation ........................................ 41
2.2 Tailoring Semantics for Cyber-Physical Systems .................................. 42
2.3 Mending the Threads with OMG SPECTRA ............................................ 43
3 Risk Claims as Inference in the Risk-Centric DevSecOps Pipelines .................. 43
3.1 Manual Risk Assessment is Dead .................................................. 43
3.2 Reimagining Risk as Structured Inference ........................................ 44
3.3 The Attack-Centric Risk Claim Structure that Supports Automation ................ 44
3.4 Risk Clustering and Comprehensive Enumeration ................................... 45
4 Attack Path Characterization in Risk-Centric DevSecOps ............................ 46
5 Vulnerability Characterization in Risk-Centric DevSecOps .......................... 49
6 Security Argument as the Orchestrator in Risk-Centric DevSecOps ................... 51
6.1 Argument-Driven Automation of Cybersecurity Pipelines ........................... 51
6.2 Example: Asset Claims and Pipeline Orchestration ................................ 51
6.3 Assurance Case: From Documentation to Intelligent Control ....................... 53
6.4 A Standards-Enabled Assurance Ecosystem ......................................... 53
7 Existing Approaches to Security Assurance Cases ................................... 53
8 Use Cases and Applications of the Framework ....................................... 54
8.1 Enabling Continuous Test and Evaluation ......................................... 54
8.2 Supporting Continuous Authorization ............................................. 55
9 Conclusion ........................................................................ 55
10 References ....................................................................... 56
11 Acknowledgements ................................................................. 57