software security requirementseprints.leedsbeckett.ac.uk/6416/6/keynoteon...should be build security...

41
Citation: Ramachandran, M (2015) Keynote on Software Security Requirements Engineering : State of the Art. In: 10th International Conference on Global Security, Safety & Sustainability, 15 September - 17 September 2015, London. (Unpublished) Link to Leeds Beckett Repository record: http://eprints.leedsbeckett.ac.uk/6416/ Document Version: Conference or Workshop Item The aim of the Leeds Beckett Repository is to provide open access to our research, as required by funder policies and permitted by publishers and copyright law. The Leeds Beckett repository holds a wide range of publications, each of which has been checked for copyright and the relevant embargo period has been applied by the Research Services team. We operate on a standard take-down policy. If you are the author or publisher of an output and you would like it removed from the repository, please contact us and we will investigate on a case-by-case basis. Each thesis in the repository has been cleared where necessary by the author for third party copyright. If you would like a thesis to be removed from the repository or believe there is an issue with copyright, please contact us on [email protected] and we will investigate on a case-by-case basis.

Upload: others

Post on 18-Aug-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Citation:Ramachandran, M (2015) Keynote on Software Security Requirements Engineering : State of theArt. In: 10th International Conference on Global Security, Safety & Sustainability, 15 September - 17September 2015, London. (Unpublished)

Link to Leeds Beckett Repository record:http://eprints.leedsbeckett.ac.uk/6416/

Document Version:Conference or Workshop Item

The aim of the Leeds Beckett Repository is to provide open access to our research, as required byfunder policies and permitted by publishers and copyright law.

The Leeds Beckett repository holds a wide range of publications, each of which has beenchecked for copyright and the relevant embargo period has been applied by the Research Servicesteam.

We operate on a standard take-down policy. If you are the author or publisher of an outputand you would like it removed from the repository, please contact us and we will investigate on acase-by-case basis.

Each thesis in the repository has been cleared where necessary by the author for third partycopyright. If you would like a thesis to be removed from the repository or believe there is an issuewith copyright, please contact us on [email protected] and we will investigate on acase-by-case basis.

Page 2: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Software Security Requirements Engineering: State of the Art

Principal LecturerHead of Software Engineering Research

School of Computing, Creative Technologies and EngineeringLeeds Beckett University

Leeds LS6 3QS UKEmail: [email protected]

www.leedsbeckett.ac.ukResearch Projects

www.soft-research.com

Muthu Ramachandran MSc MTech PhD FBCS SFHEA MIEEE MACM

Keynote Talk 16th September 2015 ICGS3, London

Page 3: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

∗Why Software Security Engineering?∗ Software Security RE: Concepts, Definitions &

Perspectives∗Design For Software Security: A Unique

Chapter in My book∗ SSRE Processes∗ Software Security Requirements Process

Simulation with OPNET & BPMN∗ Conclusion & Questions

21/05/20152

Outline

Page 4: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/20153

Page 5: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/20154

Page 6: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/20155

Committing to secure SDLC way of showing our gratitude and thankfulness to our consumers

Page 7: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/20156

Personal details of up to 2.4 million CarphoneWarehouse customers may have been accessed in a cyber-attack, the mobile phone retailer says.

http://www.bbc.co.uk/news/uk-33835185

Cyber-attack on 8th August 2015

Page 8: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Why Research into Software Security?

21/05/20157

NASA link to Avvaiyar from 4th Century

What we have discovered is only a handful on cyber-attacks and software vulnerabilities

My Personal Moto Learned from childhood : As Avvaiyar (a Tamil Lady poet from 1st-2nd Century of C.E (roughly 2000 years ago Common Era or A.D) wrote (wikipedia ):

"Katrathu Kai Mann Alavu, Kallathathu Ulagalavu"

meaning roughly "What you have learned is only a handful; What you haven't learned is the size of the world"

79.1

71.165.1

58.1

Annual Spending on Information Security in Billion

Dollars Worldwide

2015201420132012

http://www.gartner.com/newsroom/id/2828722

Page 9: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Known Vulnerabilities: A History of Knowledge

21/05/20158

0

200

400

600

800

1000

1200

1400

1600

Firefox Chrome Internet Explorer

Num

ber o

f vul

nera

biite

s

Browers

Total number of vulnerabilities in browsers

Firefox

Chrome

Internet Explorer

Page 10: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/20159

Page 11: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/201510

Page 12: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/201511

Page 13: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

What is Security?

21/05/201512

Page 14: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Classical Security Triangle

21/05/201513

We need include socio-technical perspective and trust in the current and emerging technologies

Page 15: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Software Security vs Computer Security vsInformation Security

21/05/201514

• Software Engineering has established techniques, methods and technology over two decades.

• However, due to the lack of understanding of software security vulnerabilities, we have not been so successful in applying software engineering principles when developing secure software systems.

• Security can’t be just added later to a delivered product

Page 16: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Why Security RE?

21/05/201515

Distinction between functional and service requirements vs quality requirements such as Security

Page 17: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Trust and resiliency model for software security

21/05/201516

Techniques Knowledge Verification

TRUST

Experience & continuity

Software security Software safety Availability

ReliabilityUsabilityPrivacy

Wee need to include trust modelling (relationships and agreements) and resilient computing (survivability modelling)

Page 18: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/201517

Page 19: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Design For Software Security

21/05/201518

Security RE & architecturalproperties and features

Design properties:CorrectnessPredictabilityReliabilitySafetyDependability

Attack

Patterns

Software security properties:

IntegrityAvailabilityAccountabilityNon-repudiationConfidentiality

Secured Software Systems

Build Security In (BSI) Software components, interfaces, exception handlers for software security attack patterns

Page 20: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Build Security In (BSI) Component Model: Independent and Pluggable to Any Applications

21/05/201519

cmp

IAuthenticationIAuthorization

IEncryptionISignature IKeyManagement

IUserManagement

ITLS

ILogService

IInteroperablity

Security Serv ices

IAuthenticationIAuthorization

IEncryptionISignature IKeyManagement

IUserManagement

ITLS

ILogService

IInteroperablity

An example of design for software security

Page 21: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Automated Secure Code Improvement

21/05/201520

Language-Specific security Assessor

Code/Components/Systems

Language and best practice coding knowledge

Domain-specific knowledge

Domain Classifier

Security Improvement

Software Engineer & Software security experts

Software Security analysis

Software Security advice

Page 22: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/201521

Page 23: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Traditional RE Process

21/05/201522

Page 24: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Requirements Classification

21/05/201523

B2B, B2C, C2CService requirementsGovernance Requirements

Industry strategiesOpportunities

Competitors

Application systemsDynamic scalingInfrastructure service security

Business Assets

Service Security, availability, resiliency

Enterprise Requirements Frameworkguidelines

Customer Requirements

Investment Analysis

Market Analysis

Page 25: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

∗ Eliciting and extracting requirements for software security explicitly with visual notations

∗ Prioritising software security requirements∗ Risk assessment and mitigation for software security

requirements∗ Use security modelling techniques Tropos, MS Threat

Modelling, Attack Tree, Attack Patterns∗ Design and implement software security requirements∗ Providing SDLC life-cycle support

21/05/201524

Best Practices SSRE

Page 26: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Secure SDLC Touchpoints

21/05/201525

SDLC security touchpoints (Allen et al 2008, p248)

UMLsecAttack Tree

Thread Model

Tropos

Page 27: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Threat Modelling Process

21/05/201526

Identify and list all critical assets

Identify existing safeguardsUnderstand the systemInterview stakeholders

Identify possible points of attack

Decompose the system to be assessed

Use any modellingtool to decompose the system

Identify critical assets

Information gathering

Categorise& prioritisethreats

Identify attack points and designate trust boundaries

Identify threats

Identify actions to be taken & implement

Mitigate

Identify threats in each attack points & also identify conditions that must exist for an attack to be successful. Use prioritisation matrix

Page 28: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Software Security RE Process

21/05/201527

Requirements Elicitation

Business requirements

Systems Requirements

Functional vs Non-Functional

Requirements

Security & privacy

requirements

Software Security Requirements

Vulnerability Analysis

Assessment

Page 29: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Integrated SSRE Process Validation Tools

21/05/201528

Distributed Systems Security

requirements Elicitation and

Validation

OPNET Simulation

Software Security Requirements

Elicitation & Validation

Allows to validate security requirements

Page 30: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Threat Modeling Framework

Characterizing the

architectureUse

Scenarios, Data Flows,

Trust Boundaries

Identifying Assets

according to their

sensitivity

Threat Enumeration

STRIDE approach,

Attack trees

Mitigation (cost)

Accept risk, redesign, use

unique or standard

mitigation

Validating the Threat

Model

Risk Reduction

Policy

Threatclassification:

Impact assessement,

DREAD, Sample FailureMode Analysis

Matrix

Page 31: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Amazon EC2 Architectural Simulation

1

4

3 2

Presenter
Presentation Notes
http://yourstory.com/2012/08/geo-distributed-architecture-using-route53-lbr-part-2/
Page 32: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Results and Analysis

Performance Simulation: Network Load

Queuing Delay DDoS Attck

Scenario Simulation

EC2 Server UtilizationSimulation

Page 33: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

21/05/201532

Page 34: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Cloud service security development process with build in security – Our Systematic Approach to adopt BSI as part of

CCAF

RequirementsEngineering forcloudapplications(services &security)

ConductBPM

IdentifySLAs

Designservicecomponents

Test &Deploy

Cloud servicesecurityrequirements

Cloud businessprocess securityvulnerabilities

SLAssecurityrules andrisks

Cloud servicesecurityspecificcomponents &interfaces

Cloudservicesecuritytesting

Build Cloud Security In – Cloud service development with build-in security

Cloud service development

Page 35: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

BPMN Simulation Process

BPMN simulation process consists of a number of cyclic phases as shown in this illustration. BPMN starts with an actor called Client with a small circle notation which sends a message to a process (Data Request with rounded square) which task has been devoted to take action based the request and therefore send a message to the cloud (finishing circle). The second phase is to annotate each element in the process and thirdly to create tasks, assign simulation variables (different types of requests both valid and invalid) to process and tasks with that process. Finally, create messages between elements in the process and run a number of simulations.

Page 36: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Amazon EC2: Large Scale Case Study: Cloud Data Security

Page 37: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Security measures impacts on execution time

The implications of this result show that data security instances execution time can be high when data was constantly in use. On the other hand, the execution time was less than 2 hours if data was not in use.

Page 38: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Integrated secure software development engineering life cycle (IS-SDLC)

21/05/201537

Page 39: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

Stakeholders in SSE

21/05/201538

IS-SDLC

Business leaders B2B

Managers

B2C Managers

System engineers

IT Managers

Network and

Internet Specialits

Software Defined Security (SDN) experts

Enterprise security specialist

Software Requirem

ents Engineers

Software Architect

Security Specialits

Software Engineers

Marketing managers

Page 40: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

∗ Ramachandran, M (2012) Software Security Engineering: Design and Applications, Nova Science Publishers, New York, USA, 2011, ISBN: 978-1-61470-128-6, https://www.novapublishers.com/catalog/product_info.php?products_id=26331

∗ Ramachandran, M (2014) Advances in Cloud Computing Research, Nova, 2014∗ Ramachandran, M (2013) Business Requirements Engineering for Developing

Cloud Computing Services, Springer, Software Engineering Frameworks for Cloud Computing Paradigm, Mahmood, Z and Saeed, S (eds.), http://www.springer.com/computer/communication+networks/book/978-1-4471-5030-5

∗ Ramachandran, M (2011) Software components for cloud computing architectures and applications, Springer, Mahmmood, Z and Hill, R (eds.).

∗ Ramachandran, M (2014) Enterprise Security Framework for Cloud Data Security, Book chapter "Delivery and Adoption of Cloud Computing Services in Contemporary Organizations, Chang, V (ed.) IGI Global

∗ Ramachandran, M (2008) Software Components: Guidelines and Applications, Nova Science Publishers, New York, USA. ISBN: 978-1-60456-870-7, October/November 2008, https://www.novapublishers.com/catalog/product_info.php?products_id=7577 Pages 410

∗ Ramachandran, M (2011) Knowledge Engineering for Software Development Life Cycles: Support Technologies and Applications, http://www.igi-global.com/bookstore/titledetails.aspx?titleid=46170&detailstype=description

21/05/201539

References

Page 41: Software Security Requirementseprints.leedsbeckett.ac.uk/6416/6/KeynoteOn...should be Build Security In (BSI) ∗Secure software should continue to operate correctly even under attack

∗ Security can’t just be added after release instead it should be Build Security In (BSI)

∗ Secure software should continue to operate correctly even under attack

∗ Secure software can recognize attack patterns and avoid or withstand recognized attacks

∗ Secure software must be built-in with known vulnerabilities

∗ Build-In Trust and Resiliency remain a challenge for researchers

Conclusion , Questions & Thank You

21/05/201540