The Embedded Extensions Project is launching a working group to produce specifications for extending the CISQ Quality Characteristic Measures into embedded software. Depending on the extensiveness of the embedded additions, these specifications will be submitted to OMG® either as revisions to the four existing standards through a Revision Task Force (RTF) or new specifications through Requests for Comment (RFCs).
The project team consists of delegates with expertise in embedded software from each participating sponsor, in addition to experts from the Software Engineering Institute and the Common Weakness Enumeration project at MITRE Corp.
The first meeting is February 13-14 at MITRE in McLean, VA. Our plan is to submit specifications in Q3/Q4 this year.
Please join me in welcoming Northrop Grumman and Tech Mahindra as new CISQ sponsors. CISQ will benefit greatly from their expertise and contribution to the program.
I look forward to seeing you there.
Dr. Bill Curtis
Automated Technical Debt Standard
live January 16, 2018
For the first time, Technical Debt measurement becomes common currency for developers and tech managers!
The CISQ measure of Technical Debt is a new OMG® standard for measuring the future cost of defects remaining in system source code at release.
The cost to fix structural quality problems constitutes the principal of the debt, while the inefficiencies they cause until fixed, such as greater maintenance effort or excessive computing resources, represent compounding interest on the debt.
is Now Open!
Resilience Summit, March 20, Reston, VA
The Cyber Resilience Summit will discuss standards and best practices for risk-managed digital transformation and the practical application of systems engineering to support agile acquisition, cloud readiness, big data, technical debt control, and cyber risk management of complex mission, C2, weapon and citizen-facing systems.
Confirmed to speak are National Cybersecurity Leaders from the White House to discuss government IT
the next Equifax...
All CVEs have Root Causes in CWEs
A couple of key takeaways from the breach –
Security Risks Inherent in the Use of
In the case of Equifax, action came too
Basic security prevention can help to protect against CVEs and future zero-day vulnerabilities. A subset of CVEs are issued with a mapping to relevant CWEs. The CWEs represent the vulnerability’s root causes and source vectors for exploitation. The Equifax CVE, for example, was mapped to CWE-20 (improper input validation) and OWASP A4 (broken access control) in the OWASP Top 10 2017.
- Developers commonly use third-party components, both open source and commercial-off-the-shelf, in their code and products. It is critical for the development team to maintain an inventory of its third-party components to manage each component’s source, versions, and patches. SAFECode has published an excellent guide on the subject. Read:
Read more on CISQ's blog
World Summit (OWS) 18, February 18-21, Orlando, FL hosted by IAOP. Save $300 with the code OWS18CISQ! Anyone who uses this code is eligible for a free room night (two night minimum) for a stay at the host hotel during the dates of the
DC Cybersecurity Technology Summit, February 27, Arlington, VA.
March 19-23, Reston, VA. Don't miss the Cyber Resilience Summit, Cybersecurity & IoT, and Modernization
Software and Cyber Solutions Symposium 2018: Agile and DevOps, March 26-28, Arlington, VA.
Midyear Conference, April 22-24,
April 29-May 4, Orlando, FL.
CISQ members save $200 off the registration fee with the code SECM.
May 8-10, New York, NY.
CISQ presents "Putting an End to
CISQ's Event Calendar
Thank You CISQ