Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Software Engineering
Thesis no: MSE-2012-95
May 2012
School of Computing
Blekinge Institute of Technology
SE-371 79 Karlskrona
Sweden
Contact Information:
Authors:
Gibrail Islam
E-mail: gibrailislam@gmail.com
Murtaza Ali Qureshi
E-mail: ma911262@gmail.com
University advisor:
DR. JRGEN BRSTLER
Department of Software Engineering and Computer Science
School of Computing
Blekinge Institute of Technology
SE-371 79 Karlskrona
Sweden
Internet
Phone
Fax
: www.bth.se/com
: +46 455 38 50 00
: +46 455 38 50 57
ii
ABSTRACT
Context.Securityconsiderationsaretypicallyincorporatedinthelaterstagesofdevelopmentasan
afterthought.Securityinsoftwaresystemisputunderthecategoryofnonfunctionalrequirements
bytheresearchers.Understandingthesecurityneedsofasystemrequiresconsiderableknowledge
of assets, data security, integrity, confidentiality and availability of services. Counter measures
againstsoftwareattacksarealsoasecurityneedofasoftwaresystem.Toincorporatesecurityinthe
earlieststages,i.e.requirementgathering,helpsbuildingsecuresoftwaresystemsfromthestart.For
that purpose researchers have proposed different requirements elicitation techniques. These
techniquesarecategorizedintoformalandinformaltechniquesonthebasisoffinitenessandclarity
inactivitiesofthetechniques.
Objectives.Limitationsofformalmethodsandlackofsystematicapproachesininformalelicitation
techniques make it difficult to rely on a single technique for security requirements elicitation.
Therefore we decided to utilize the strengths of formal and informal technique to mitigate their
weaknesses by combining widely used formal and informal security requirements elicitation
techniques. The basic idea of our research was to integrate an informal technique with a formal
techniqueandproposeaflexibleframeworkwithsomelevelofformalityinthesteps.
Methods.Weconductedasystematicliteraturereviewtoseewhicharethewidelyusedsecurity
requirementelicitationtechniques?asaprestudyforourthesis?Wesearchedonlinedatabasesi.e.
ISI, IEEE Xplore, ACM, Springer, Inspec and compendeX. We also conducted a literature review for
differentframeworksthatareusedinindustry,forsecurityrequirementelicitation.Weconducted
an experiment after proposing a security requirements elicitation Framework and compared the
resultfromtheFrameworkwiththatofCLASPandMisusecases.
Results.Twotypesofanalysiswereconductedonresultsfromtheexperiment:Vulnerabilityanalysis
andRequirementsanalysiswithrespecttoasecuritybaseline.Vulnerabilityanalysisshowsthatthe
proposed framework mitigates more vulnerabilities than CLASP and Misuse Cases. Requirements
analysiswithrespecttothesecuritybaselineshowsthattheproposedframework,unlikeCLASPand
Misusecases,coversallthesecuritybaselinefeatures.
Conclusions. The framework we have proposed by combining CLASP, Misuse cases and Secure
TROPOS contains the strengths of three security requirements elicitation techniques. To make the
proposedframeworkevenmoreeffective,wealsoincludedthesecurityrequirementscategorization
by Bogale and Ahmed [11]. The framework is flexible and contains fifteen steps to elicit security
requirements.Inadditionitalsoallowsiterationstoimprovesecurityinasystem.
Keywords:
Security
Framework, Security
SoftwareSecurity
Requirement
Elicitation
Requirement Engineering,
ACKNOWLEDGEMENTS
WearethankfultoAlmightyGodforgivinguscourageandstrengthtocompleteourthesis
withinsixmonthsoftime.
WewouldalsoliketothankourParents,FamilyandFriendsfortheirconstantsupportand
prayers. We would like to thank Dr. JRGENBRSTLER for helping us throughout the thesis.
We are grateful to him for his guidance and never ending willingness to transfer the
knowledgehehas.
In the end we would also like to thank each other for working as a team and solving
conflictsduringthestudywithpatience.
ii
CONTENTS
ABSTRACT......................................................................................................................................I
ACKNOWLEDGEMENTS..................................................................................................................II
CONTENTS....................................................................................................................................III
1
LISTOFFIGURES...................................................................................................................VI
LISTOFTABLES....................................................................................................................VII
CHAPTER1INTRODUCTION................................................................................................1
1.1
BACKGROUND...........................................................................................................................1
1.1.1 Securityinsoftware .......................................................................................................... 1
1.1.2 Howissecurityneglected?................................................................................................ 2
1.1.3 Howissecurityaddressed? ............................................................................................... 2
1.1.4 SecureSoftwareEngineering ............................................................................................ 2
1.2
OURIDEA.................................................................................................................................3
1.3
PRESTUDYFORTHESIS...............................................................................................................4
1.3.1 SelectionCriteriafortechniques ....................................................................................... 4
1.3.2 SystematicLiteratureReviewforSecurityRequirementElicitationTechniques(Prework
forThesis)....................................................................................................................................... 4
1.3.2.1
SearchStrategy ...................................................................................................................... 4
1.3.2.2
ResearchQuestionsforSLR.................................................................................................... 5
1.3.2.3
SearchTerms .......................................................................................................................... 5
1.3.2.4
Databasesanddatacollectionsource .................................................................................... 6
1.3.2.5
Inclusion/ExclusionCriteria ................................................................................................... 7
1.3.2.5.1 ExclusionCriteria ............................................................................................................... 7
1.3.2.6
KappaCoefficient ................................................................................................................... 7
Toincreasethelevelofagreementamongtheauthors,wetriedtoresolveourconflictsthroughmutual
understandinganddiscussionsbetweenus. ............................................................................................. 8
1.3.2.7
StudyQualityAssessment ...................................................................................................... 8
1.3.2.8
DataExtractionCriteria .......................................................................................................... 9
1.3.2.9
SynthesisofArticles ............................................................................................................. 12
1.3.2.10 Conclusion ............................................................................................................................ 13
1.3.2.11 Limitations............................................................................................................................ 13
iii
UNDERSTANDINGSECURETROPOS,MISUSECASESANDCLASP...........................................23
3.1
SECURETROPOS....................................................................................................................23
3.2
MISUSECASE..........................................................................................................................27
3.2.1 MisuseCasesTemplate ................................................................................................... 28
3.3
CLASP...................................................................................................................................29
3.4
SUMMARY..............................................................................................................................34
PROPOSEDFRAMEWORK....................................................................................................35
4.1
OVERLAPPINGACTIVITIESOFCLASPANDSECURETROPOS............................................................35
4.2
BESTPRACTICESELECTION.........................................................................................................35
4.3
ACTIVITYSELECTION.................................................................................................................36
4.4
ADDITIONALFIELDSINMISUSECASESTEMPLATE............................................................................37
4.5
SEQUENCINGTHESTEPS............................................................................................................37
4.6
ANALYSISOFSELECTEDSTEPS:ACTIVITYREVISIT.............................................................................37
4.7
USINGSECURITYREQUIREMENTCATEGORIZATION.........................................................................38
4.8
PROPOSEDFRAMEWORK...........................................................................................................38
4.8.1 HowtoconducteachstepofFramework ....................................................................... 38
4.8.1.1
4.8.1.2
4.8.1.3
4.8.1.4
4.8.1.5
4.8.1.6
4.8.1.7
4.8.1.8
4.8.1.9
4.8.1.10
4.8.1.11
4.8.1.12
SpecifyOperationalenvironment ........................................................................................ 39
Identifyglobalsecuritypolicy............................................................................................... 39
Identifyresourcesandtrustboundaries .............................................................................. 40
Identifyuserrolesandresourcecapabilities........................................................................ 40
Identifyindepthuserroles,securecapabilitiesandsecurityconstraintsforeachactor .... 41
Identifyattacksurface.......................................................................................................... 41
Researchandassesssecurityposture .................................................................................. 42
Detailmisusecase ................................................................................................................ 42
Documentsecurityrelevantrequirements .......................................................................... 43
Performsecurityanalysisofsystemrequirementsanddesign. ........................................... 44
Updatesecurityrequirementsdocument ............................................................................ 45
Identifyresources,entrypoints,functionalities,assets,servicesandactorsforthesystem
45
4.8.1.13 Supposeallthethreatsmentionedinthecategorizationaretrueforallresources,entry
points,functionalities,assets,servicesandactorsforthesystem .......................................................... 45
4.8.1.14 Validatethreatsforeachresource,entrypoint,functionality,asset,serviceandactorsfor
thesystem 45
4.8.1.15 Updatethedocument .......................................................................................................... 46
EXPERIMENT.......................................................................................................................47
5.1
EXPERIMENTDEFINITION...........................................................................................................47
5.1.1 Objective ......................................................................................................................... 47
5.1.2 Context ............................................................................................................................ 47
5.1.3 SampleSpace .................................................................................................................. 48
5.2
EXPERIMENTPLANNING.............................................................................................................48
5.2.1 Purpose ........................................................................................................................... 48
5.2.2 Qualityfocus ................................................................................................................... 48
5.2.3 Perspective ...................................................................................................................... 48
5.2.4 Contextselection............................................................................................................. 48
5.2.5 Hypothesisformulation................................................................................................... 48
5.2.6 Variableselection............................................................................................................ 48
5.2.7 Subjectselection ............................................................................................................. 49
5.3
EXPERIMENTDESIGN.................................................................................................................49
5.3.1 Designprinciple............................................................................................................... 49
5.3.2 Designtype ..................................................................................................................... 49
5.3.3 Instrumentation .............................................................................................................. 50
5.3.4 Validityevaluation .......................................................................................................... 50
5.4
EXPERIMENTOPERATION...........................................................................................................51
5.4.1 SoftwareSystemforExperiment..................................................................................... 51
5.4.1.1
MonolithicMainframe ......................................................................................................... 51
5.4.1.1.1 Glossary ........................................................................................................................... 51
5.4.1.1.2 SystemDescription .......................................................................................................... 52
iv
5.4.2
Experimentexecution ..................................................................................................... 52
5.4.2.1
OutputduringeachactivityofFramework .......................................................................... 53
5.4.2.1.1 SpecifyOperationalEnvironment(Implementationscenario) ........................................ 54
5.4.2.1.2 IdentifyGlobalSecurityPolicy ......................................................................................... 54
5.4.2.1.3 Identifyresourcesandtrustboundaries ......................................................................... 54
5.4.2.1.4 Identifyuserrolesandresourcecapabilities ................................................................... 56
5.4.2.1.5 Identifyindepthuserroles,securecapabilitiesandsecurityconstraintsforeachactor 57
5.4.2.1.6 Identifyattacksurface ..................................................................................................... 57
5.4.2.1.7 Researchandassesssecurityposture ............................................................................. 57
5.4.2.1.8 DetailMisuseCase .......................................................................................................... 58
5.4.2.1.9 Documentsecurityrelevantrequirements ..................................................................... 59
5.4.2.1.10 Performsecurityanalysisofsystemrequirementsanddesign...................................... 59
5.4.2.1.11 UpdateSecurityRequirementsDocument: ................................................................... 61
5.4.2.1.12 IdentifyResources,EntryPoints,Functionalities,Assets,Capabilities,Resources,
ServicesAndActors. ........................................................................................................................... 61
5.4.2.1.13 SupposeAllTheThreatsMentionedInTheCategorizationAreTrueForAllResources,
EntryPoints,Functionalities,Assets,ServicesAndActorsForTheSystem. ....................................... 62
5.4.2.1.14 Validatethreatsforeachresource,entrypoint,functionality,asset,serviceandactors
forthesystem ..................................................................................................................................... 62
5.4.2.1.15 UpdateSecurityRequirementsDocument: ................................................................... 62
ANALYSISANDINTERPRETATION:........................................................................................63
6.1
DATASETREDUCTION...............................................................................................................63
6.2
DESCRIPTIVESTATISTICS.............................................................................................................63
6.2.1 VulnerabilityComparison................................................................................................ 63
6.2.2 RequirementTypeswithRespecttoSystemssecuritybaseline ..................................... 65
6.3
RESULTSANDDISCUSSIONS........................................................................................................68
6.4
RETURNOFINVESTMENTFOREACHTECHNIQUE..............................................................................69
6.5
VALIDITYTHREATS....................................................................................................................69
6.5.1 Limitations ...................................................................................................................... 70
6.6
ANSWERSTORESEARCHQUESTIONS............................................................................................71
6.7
CONCLUSIONANDLESSONLEARNED............................................................................................72
6.8
FUTUREWORK........................................................................................................................73
REFERENCES........................................................................................................................74
APPENDIX...........................................................................................................................81
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
8.13
APPENDIXA.........................................................................................................................81
APPENDIXB.........................................................................................................................81
APPENDIXC(THREATSCATEGORIZATION)..................................................................................81
APPENDIXD(CLASPANDFRAMEWORKSECURITYRELEVANTREQUIREMENTS).................................85
APPENDIXE(CLASPANDFRAMEWORKSECURITYANALYSISREQUIREMENTS)..................................88
APPENDIXF(FRAMEWORKSFINALUPDATEREQUIREMENTS).........................................................89
APPENDIXG(MISUSECASEREQUIREMENTS).............................................................................90
APPENDIXH(QUESTIONNAIRE)................................................................................................92
APPENDIXI(FEEDBACKFORM)................................................................................................93
APPENDIXJMISUSECASETEMPLATE........................................................................................95
APPENDIXKSEQUENCEDIAGRAMSHOWINGACTIVITYFLOW........................................................96
APPENDIXLUSECASEDIAGRAMFORMONOLITHICSYSTEM..........................................................97
APPENDIXMSEARCHSTRINGS.....................................................ERROR!BOOKMARKNOTDEFINED.
LISTOFFIGURES
Figure1:OverallResearchOverview____________________________________________1
Figure2:SearchStrategy _____________________________________________________5
Figure3:StudySelectionCriteria_______________________________________________9
Figure4:SearchStrategy ____________________________________________________20
Figure5:SecureTROPOSexample_____________________________________________27
Figure6:MisuseCasesexample_______________________________________________27
Figure7:ComponentArchitectureDiagram _____________________________________55
Figure8:ThreatTree________________________________________________________61
Figure9:Percentagecomparisonwithknownvulnerabilities________________________64
Figure10:Authorizationrequirements _________________________________________66
Figure11:AuthenticationRequirements________________________________________66
Figure12:ConfidentialityRequirements________________________________________66
Figure13:DataintegrityRequirements_________________________________________67
Figure14:AvailabilityRequirements___________________________________________67
Figure15:NonRepudiationRequirement_______________________________________68
Figure16:AccountabilityRequirements ________________________________________68
Figure17:RequirementAnalysisw.r.tSecurityBaseline____________________________69
vi
LISTOFTABLES
Table1:TwoPhaseInclusionCriteria____________________________________________7
Table2:KappaCoefficient ____________________________________________________8
Table3:RelevanceofPaperswithResearchQuestions _____________________________9
Table4:Categorizationbyresearchmethods____________________________________11
Table5:DataExtractionCriteria_______________________________________________11
Table6:SynthesisofArticles _________________________________________________12
Table7:StarRatingsofDifferentSecurityRequirementElicitationTechniques(reproduced
fromRomeroMarionaetal.[69])._________________________________________13
Table8:DescriptionforStarRating(reproducedfromRomeroMarionaetal.[69])._____14
Table9:TwoPhaseInclusionCriteria___________________________________________21
Table10:SearchResult______________________________________________________21
Table11:FourPhasesofSecureTROPOS________________________________________23
Table12:ImplementationStepsofSecureTROPOS _______________________________25
Table13:MisuseCasesImplementationSteps ___________________________________28
Table14:MisuseCaseTemplate ______________________________________________28
Table15:CLASPViews ______________________________________________________29
Table16:CLASPActivities____________________________________________________29
Table17:CLASPBestPractices________________________________________________33
Table18:OverlappingActivitiesofCLASPandSecureTROPOS ______________________35
Table19:SelectedBestPracticesforCLASP______________________________________36
Table20:SelectedActivitiesfromCLASP________________________________________36
Table21:SelectedActivitiesfromSecureTROPOS ________________________________37
Table22:AdditionalfieldsinMisuseCaseTemplate_______________________________37
Table23:SequenceofCLASPActivities_________________________________________37
Table24:Mergedactivitiesfromtechniques_____________________________________37
Table25:FrameworkSteps __________________________________________________38
Table26:Experimentdesigntype _____________________________________________49
Table27:Activityflow_______________________________________________________52
Table28:PlanforDay1ofExperiment__________________________________________52
Table29:PlanforDay2ofExperiment__________________________________________53
Table30:SecurityBaseline___________________________________________________54
Table31:ComponentArchitecture ____________________________________________55
Table32:Systemresourcesandcapabilities_____________________________________56
Table33:User'scapabilities__________________________________________________56
Table34:Application'scapabilities ____________________________________________56
Table35:Accessmethodcapabilities___________________________________________57
Table36:Technologiesandproblems __________________________________________58
Table37:MisuseCase_______________________________________________________58
Table38:MisuseCase_______________________________________________________58
Table39:CorrelationMatrix__________________________________________________59
Table40:ThreatsonAssets __________________________________________________60
Table41:ThreatsonCapabilities______________________________________________60
Table42:System'sresources/assets ___________________________________________62
Table43:ValidThreats______________________________________________________62
Table44:VulnerabilityandSecurityrequirementcomparison_______________________64
Table45:RequirementanalysiswithrespecttoSecuritybaseline____________________65
vii
CHAPTER1INTRODUCTION
Thepurposeofthischapteristogiveanintroductionaboutsecurityinsoftware,
the way security is addressed in software and to present an overall idea of our
research. We have explained our research plan and the basic idea behind our
researchinthischapter.
Figure1:OverallResearchOverview
1.1
Background
1.1.1
Securityinsoftware
As assets got connected to software, security concerns for software grew more
and more. Over the years, the level of threats to software systems has varied
dependingupontheenvironmentsinwhichsoftwaresystemsareusedandthedata
thesesoftwaresystemsprocess[54,81].Internetandconnectivitywasconsideredas
asocialandcommercialbreakthroughbutithasincreasedtheopportunitiesforthose
whowanttoelectronicallyexploitothers[81].Softwareattacksandhackingincidents
actuated the software world to concentrate on security of the software produced.
Constantandsuccessfulattackstoriesmakeitclearthatyetsoftwaresaredeveloped
withvulnerabilitiesinside[30,90].
1.1.2
Howissecurityneglected?
1.1.3
Howissecurityaddressed?
1.1.4
SecureSoftwareEngineering
of the method, formal techniques are hard to use for big projects [69]. There are
predefined roles and repetition of process in formal techniques to conduct the
requirementspecification.
Ontheotherhand,informaltechniquesaremoreflexibleanditbecomeseasyto
definethestepsaccordingtothenatureofthesystemunderconsideration.Despite
theflexibilityofinformaltechniques,theylackasystematicapproach.Repetitionof
theprocessininformaltechniquesisnoteasyascomparedtoformalmethods.Since
there are no predefined steps in informal security requirement elicitation
techniques, most of the software professionals avoid [41] using them. Informal
security requirements elicitation techniques lack a proper structure and normally
leave few security problems unaddressed. In addition, particular roles are not
defined for the stakeholders in order to conduct the specification [69]. These are
some of the main reasons that informal techniques are normally avoided by the
securityrequirementengineers.
Mainideabehindsecurityrequirementelicitationwastouseelicitationmethods,
which are used to gather functional requirements, for nonfunctional requirement
(e.g.security)[3].Sinceelicitationtechniquesarefocusedonfunctionalrequirements
[2,3,14,23,63], it is difficult to use the same technique for capturing nonfunctional
requirements. For this purpose, many of the elicitation techniques were extended
and were used in an extended form [2,14,23,63] to capture nonfunctional
requirement (e.g. security). Some researchers have proposed new frameworks and
techniques especially for security requirement elicitation [4,48,49,51,92]. Whereas
some of the techniques were combined with other elicitation techniques [2,84] to
produce better results. All this, ongoing and past, work [3,8,45,46,65,69] is aimed
upondevelopingattackresistantandsecuresoftwaresystems.
1.2
OurIdea
Different researchers have rated security requirement elicitation techniques
differently [3,69,85]. This makes it very difficult to compare the results and various
ratingsofsecurityrequirementelicitationtechniques.Limitationsofformalmethods
andlackofsystematicapproachesininformalelicitationtechniquesmakesitdifficult
torelyonasingletechniqueforsecurityrequirementelicitation.
As it is mentioned above, that formal techniques lack flexibility and informal
techniques lack systematic approach, we decided to combine the strengths of both
formal and informal techniques to mitigate the problems in both techniques, when
used separately. The basic idea of our research was to integrate an informal
techniquewithformaltechniqueandproposeaflexibleframeworkwithsomelevelof
formality in the steps. Following were some questions which we needed to answer
beforewestartourresearch
1. Whichinformaltechniquearewegoingtochooseforintegration?
2. Whichformaltechniquesareintegrateablewithaninformaltechnique?
3. What is going to be our selection criteria for selecting security requirement
elicitationtechniques?
4. Aretheframeworksproposedbyotherresearchersnotgoodenough?
5. Doweneedanotherframework?
Toanswerpointnumber3abovei.e.SelectionCriteria,weconductedaliterature
review. After deciding a selection criteria (see next section), we conducted a
SystematicliteraturereviewasaPrestudyforourresearch.Followingweretheaims
ofoursystematicliteraturereview.
1.3
PreStudyforThesis
1.3.1
SelectionCriteriafortechniques
Assaidearlier,manyresearchershavecomparedsecurityrequirementelicitation
techniques according to their self selected criteria. Each one of them
[3,17,18,22,40,41,49,50,69,7072,75,85] have rated the techniques differently.
Varietyofcriteriaanddifferentratingshinderstheselectionofsecurityrequirement
elicitation techniques. So we conducted a literature review and selected quality
criteriaforevaluatingsecurityrequirementelicitationtechniques.Ourqualitycriteria
werebaseduponthosequalitycriteriathatwerecommoninmostofthepaperswe
selectedforunderstandingevaluation[17,41,49,50,69,7072,75]oftechniques.i.e.
Easy toImplement:Stepsandactivitiesinvolvedin the method arenottoo
complexandcanbeexecutedeasily[49].
Flexibility:Techniqueismodifiableforuse[49,75].
Adaptability:Themethodcanbeusedinmultipleenvironments[49].
Learnability: Technique is learnable in definite and acceptable time period
[17,49,72].
Understandability:Clarityofstepsandactivitiesofthetechniquealongwith
thecapabilityoftechniquetounderstandrequirementspecification[70,71].
Scalability:Techniqueservesforprojectsofdifferentsizes[49,69,71].
Visualoutput:Techniqueproducesunderstandablegraphicaloutput[49].
1.3.2
SystematicLiteratureReviewforSecurityRequirement
ElicitationTechniques(PreworkforThesis)
1.3.2.1
SearchStrategy
This section is an explanation of search strategy implementation using
KitchenhamGuidelines[43].
1. We identified keywords and important search terms from research
questions.
2. We also used synonyms of important search terms to improve our
search.
3. We formed search strings by using AND and OR Boolean operators (see
section1.2.2.3).
Oursearchstrategyispartiallyiterative.ItmeansthatwhilesearchingDatabases,
we changed and refined keywords and search terms to improve our search. We
gatheredalargesetofinitialstudiesafterexhaustingallthesearchtermsandsearch
strings(mentionedinsection1.2.2.3).Itisshownbelowinfigure1.
Figure2:SearchStrategy
1.3.2.2
ResearchQuestionsforSLR
1. Whatarethesoftwaresecurityrequirementselicitationtechniquesthatare
widelyused?
2. Whatarethetwowidelyusedtechniquesforsecurityrequirementelicitation
i.e. which satisfies these evaluation criteria (mentioned and explained in
section1.3.1);
EasytoImplement
Flexibility
Adaptability
Learnability
Understandability
Scalability
Visualoutput
3. Whichinformaltechniqueforsecurityrequirementelicitationhasthehighest
ratingforfollowingevaluationcriteria;
EasytoImplement
Flexibility
Adaptability
Learnability
Understandability
Scalability
Visualoutput
These research questions help us in evaluating security requirement elicitation
techniquesaccordingtoabovementionedcriteria.
InordertohavebetterunderstandingofRQ2i.e.whydidweselecttwoformal
techniques,refertosection1.3.4.
1.3.2.3
SearchTerms
To find papers in databases we used two Boolean operators i.e. AND & OR.
Firstly, we search papers with keywords and then we combined the keywords with
theBooleanoperatorstogetthedesiredoutput.
1.
2.
3.
4.
5.
SoftwareRequirements
RequirementsElicitation
RequirementsElicitationProcess
TechniquesusedtoelicitSecurityRequirements
RequirementsElicitationTechnique
5
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
30.
31.
32.
FormalRequirementsElicitationMethods
RequirementsGathering
FormalRequirementsElicitationTechnique
Softwarerequirementelicitation
Softwarerequirementelicitationtechnique
Softwarerequirementelicitationmethods
FormalElicitationTechnique
InformalElicitationTechnique
Softwaresecurity
SecurityRequirementElicitationTechnique
Softwaresecurityrequirements
Softwaresecurityrequirementselicitation
Softwaresecurityrequirementsformalelicitationtechnique
Softwaresecurityrequirementsformalelicitationmethods
1OR2OR3
6OR7OR8
FormalElicitationANDElicitationprocessANDElicitationmethods
Formal Elicitation Technique AND Software requirement elicitation AND
Softwarerequirementelicitationtechnique
ElicitationMethodsAND5AND6
ElicitationMethodsAND14
SoftwareSecurityAND11AND12
SoftwareSecurityAND11AND13
SoftwaresecurityAND15AND16
16AND17AND18
ElicitationTechniqueAND7AND8
ElicitationTechniqueAND19
(Software Requirements OR Requirements Elicitation OR Requirements
Elicitation Process OR Formal Requirements Elicitation Methods OR
RequirementsGatheringORFormalRequirementsElicitationTechniques)AND
(Formal Elicitation OR Elicitation Process OR Elicitation Methods OR Formal
Elicitation Technique OR Software Requirements Elicitation OR Software
Requirement Elicitation Technique) AND (Software Security OR Formal
Elicitation Technique OR Informal Elicitation Technique OR Security
RequirementsElicitationTechnique)
1.3.2.4
Databasesanddatacollectionsource
We used BTH Library to search the relevant material. We also searched the
databasesusingthekeywordswhichwereusedintheinitialsearchtomakesurethat
there isnoFormalorInformalSecurityRequirementElicitation Techniqueswhichis
left untouched. We searched online databases i.e. ISI, IEEE Xplore, ACM, Springer,
InspecandcompendeX.
1.3.2.5
Inclusion/ExclusionCriteria
In abstract level we selected papers based on their title, abstract, keywords,
languageetctocheckwhetherpapersarerelevanttoourfield.Indetailedlevelwe
furtheranalyzedpaperswhetherthedetaillevelinformation(mentionedinTable1)
existintheselectedpapers.
Table1:TwoPhaseInclusionCriteria
AbstractLevel
DetailedLevel
PapersandjournalsinEnglishlanguage.
Articlesthatlookedrelevantbykeywords.
Searchforrecentpapersfromlast89years.
AvailabilityofpaperthroughBTHlibrary.
Papersthatarepublishedinjournalsandconferencesareincluded.
Articleswereincludedwithrelevancetometadata.
ArticleswereincludedwithrelevancetometadataandFulltext.
Articleswereincludedrelevancetotitleandabstract.
Articleswereselectedrelatedtothesoftwaresecurityandformalelicitationtechniques.
ArticleswereselectedrelatedtosoftwaresecurityandInformalelicitationtechniques.
RelationshipwithRQ(ResearchQuestions):ThepaperselectionwasfocusedonourRQs.
Articleswereselectedthatcomparesoftwarerequirementelicitationtechniques.
Articleswereselectedthatevaluatesoftwarerequirementelicitationtechniques.
ArticleswereselectedbasedonEvaluationCriteriamentionedinRQ2andRQ3.
1.3.2.5.1
ExclusionCriteria
Therewerenumberofarticlesandpaperswhichwererepeatedinnumberof
databases. We removed duplicates automatically with the help of software
calledEndNote.Literaturewithsamereferencetypeistakenasaduplicateby
EndNote.Forexampleifjournalarticle,author,year,titlefieldsareidenticalfor
twoormorepapers,Endnotewillconsidersucharticlesasduplicatesandkeep
onlyonereferenceforsucharticles.Otheridenticalarticleswithdifferencein
referencetype,canberemovedmanually.
Paperswerediscardedwhichdidnotfulfillthecriteriaofinclusion.
Studies were excluded if its main focus was not on security requirement
elicitationtechniquesi.e.somepapersfocusedonlyonrequirementelicitation
techniquese.g.brainstorming,interviewsetcwereexcluded.
Articleswereexcludedwhichwerenothavinginformationaboutinformaland
formalsecurityrequirementelicitationtechniques.
1.3.2.6
KappaCoefficient
Werandomlyselected25studieswhileapplyinginclusioncriteriatochecklevel
ofagreementanddisagreementbetweentwoauthors.Tochecklevelofagreement
betweentwoauthorsweusedkappacoefficient.Thevalueofkappacoefficient[43]
intableis0.40whichisafairagreementbetweenauthors.
K=P(o)P(E)
1P(E)
P(o)=ProbabilityofObservedagreementbetweenauthors.
P(E)=ProbabilityofExpectedagreementbetweenauthors.
N=Numberofstudiesrandomlyselected
K=[1,1]
K=1:Perfectagreement
K=0:Agreementisequaltochance
K=1:Perfectdisagreement.
P(o)=(NoofstudiesbothresearchersaysYes+Noofstudiesboth
Researchersaysno)/N
(Inordertocalculateobservedagreementwecalculatednumberof
studies in which both researchers agreed that they must be
included and added with the number of studies on which both
researchers disagreed. Result of this was divided with number of
studiesrandomlyselectedi.e.25here)
P(o)=11+6/25
P(E)=[16/25*14/25]+[9/25*11/25]
Table2:KappaCoefficient
Studies
InclusionExclusion
Criteria
PapersSelected
Randomly
25
P(A)
P(E)
0.70
0.50
0.40
Toincreasethelevelofagreementamongtheauthors,wetriedtoresolveour
conflictsthroughmutualunderstandinganddiscussionsbetweenus.
1.3.2.7
StudyQualityAssessment
Inordertosearchdifferentrelevantarticlesinthedatabases,weproposedsome
checklist points. A list of papers was selected after applying an inclusion/ exclusion
criteria. Information extracted from studies was analyzed on the basis of approach,
techniques, methods and results. The main objective was to find answer to our
research questions. So the relevancy of problems addressed in the papers was of
significantimportance.
The search was basically focused on different available security requirement
elicitation techniques and their effectiveness of use in different scenarios. Inclusion
andExclusioncriteriawerealsotakenintoaccounttosearchmaterial.Inordertofind
authentic articles, we used checklist points for quality assessment. We applied
checklistpointsbymanuallybyreadingthearticles.Followingarethequalitycriteria
whichweretakenintoconsideration:
Theresearchmethodologyisunderstoodbythereader.
Limitationsofthestudyarereported.
Primarystudieswereselectedbasedonempiricalevidencei.e.datamustbe
availableinqualitativeorinquantitativeform.
Figure3:StudySelectionCriteria
1.3.2.8
DataExtractionCriteria
After the inclusion and exclusion criteria we choose 24 articles
[1,5,6,9,17,19,20,31,32,36,41,49,50,5255,57,7072,76,78,83]whicharemorerelated
to our research area with respect to process, techniques, approaches, gap, future
work,advantagesanddisadvantagesofsecurityrequirementselicitationtechniques.
Found articles are related to the various important techniques for security
requirementsengineering.Papersincludebothformalandinformaltechniques.
Table3:RelevanceofPaperswithResearchQuestions
Papers
Titleofthepaper
Paper related
to Research
question
RQ:2
RQ:1
RQ:2
RQ:2
RQ:2
A systematic review of
[54]
requirementsengineering
RQ:1,RQ:2
security
RQ:1,RQ:2
RQ:2
RQ:1
ElicitingSecurityRequirementsbyMisuse
[78]
Cases
RQ:2
RQ:1
RQ:1,RQ:2
to
RQ:2
RQ:2
[17]
RQ:3
[72]
RQ2
[49]
RQ3
[41]
[50]
[71]
RQ:1
RQ:2,RQ:3
RQ3
RQ2,RQ3
[70]
RQ2,RQ3
[6]
RQ3
[5]
MisuseCasesHelptoelicitnonfunctional
requirements.
RQ3
RelevantPaperswereextractedbasedontheresearchquestionsasshowninthe
above table. Based on the selected papers above we categorized the papers
according to the research methodology used in each paper. One article was found
10
Table4:Categorizationbyresearchmethods
Articles
Methodology
[50]
[17][9][36][50][52][54][53][49][5][31][76]
[9][19][55][57][41][72][71][70][78][6]
[19][1]
[54]
[55]
[32],[20][31],[83]
Experiment
CaseStudy
Survey
LiteratureReview
SLR
Interviews
Others
Followinginformationwasrecordedforeachpaper.
Table5:DataExtractionCriteria
ArticleTitle
Journal/Conference/ConferenceProceedings
DateofPublication
StudyContext(Academia/Industrial)
ResearchMethod(Experiment/CaseStudy/Survey/LiteratureReviewetc.)
External/InternalValidity
RetrievalSearchQuery
Evaluation/Metrics(RQ2,RQ3)
Abstract
ArticleTitle:Relevanttitleswereselectedbasedonourstudy.
Journal/conference/Conferenceproceedings:WeincludedpapersfromJournals,
conferencesandconferenceproceedings.
StudyContext(Academia/Industrial):Inourstudyweconsideredbothacademia
andindustrialstudy.
ResearchMethod(Experiment/casestudy/survey/LiteratureReviewetc):Based
on the selected papers above we categorize the papers according to their research
methodology.
Abstract:Inabstractsummaryofthepaperispresented.Basedontheabstractof
thepaperwecanhaveageneralideawhetherthepaperisrelevanttoourstudyor
not.
11
1.3.2.9
SynthesisofArticles
In synthesis of articles, we synthesize the articles on the basis of research
methods, and the way the articles are related to our research area of software
securityrequirements.Articlesaresummarizedbelowtoshowthatwhatexactlywe
havefoundandwhatistheresultofourstudyregardingourchosenresearchareafor
systematicreview.
Table6:SynthesisofArticles
Articles
[54][78][17][50][71][52]
[55][76][9][53][19][1][31]
Summary
These papers explain the benefits of applying
securityinearlyrequirementphasewiththehelpof
security requirement elicitation techniques. It
resultsindetectingsecurityvulnerabilities,decrease
cost of software maintenance and helps in finding
complex components in software architecture.
Furthermore we get to know different techniques
and the benefits of combined requirement
elicitation techniques in different applications from
thesepapers.
[41][54][78][70][49][50][72]
[71][5][6][1][83][57][31]
EasytoImplement
Flexibility
Adaptability
Learnability
Understandability
Scalability
Visualoutput
Thesepapersproposeaframeworkforrequirement
elicitation and analysis. These frameworks were
proposedto elicitqualityrequirement.Applicability
offrameworkswascheckedinindustry.
[32],[36],[20],[53]
Results
By analyzing these articles we
understood different security
requirement
elicitation
techniques and their benefits.
Secondly we analyze the
application
of
combined
requirements
engineering
techniques for efficient and
successful
requirements
engineering process for real life
complex project. We cannot say
thatonetechniqueisbetterthan
the others. There are number of
security requirement elicitation
techniques which facilitates in
detecting different security
vulnerabilities.
Different research methods are
used in found articles to elicit
security requirements. These
papers
evaluate
different
techniques based upon some
criteria. We evaluated the
techniques on the basis of our
own criteria. We came to know
that CLASP and Secure TROPOS
are widely used techniques in
formal techniques. Whereas in
informal techniques, Misuse case
is mostly understandable and
used.
Models are proposed by using
some standards to gather
requirements in the early stages
of the product. It is used as a
reference models in decision
making. Reason behind analyzing
differenttechniquesistoseethat
which
techniques
and
frameworks are suitable in
practicalworld.
Wehavenarrowdownourresearchareatothreeresearchquestions,andthese
posedresearchquestionsareansweredinfollowingways.
Wesearchedoutinavailabledatabasesusingdifferentsearchstringsandsearch
criteriatofindthetechniquestoelicitsoftwaresecurityrequirementswhichgivethe
answerofthefirstresearchquestion.Afterreviewingthefoundresearcharticleswe
analyzed all techniques to find out widely used formal and informal security
requirements elicitation technique on the basis of evaluation criteria mentioned in
research questions. We analyzed the widely used technique based on its
implementationandapplication.Aftertheinclusion/exclusioncriteriawechoosethe
24articles[1,5,6,9,17,19,20,31,32,36,41,49,50,5255,57,7072,76,78,83].
12
1.3.2.10 Conclusion
There are a number of security requirement elicitation techniques. The security
requirementelicitationtechniquesfallundertwocategoriesi.e.formalandinformal
security requirement elicitation techniques. Formal techniques follow certain
methods which are understandable and explainable. After reviewing and analyzing
theformalandinformalsecurityrequirementselicitationtechniquesweselectedtwo
widely used formal techniques (CLASP and Secure TROPOS) and one informal
technique(Misuse cases) based on the evaluation criteria. The reason to choose
formal security requirements elicitation techniques is that they follow a formal
processthatincludesstandardstepstodevelopsecurityrequirementsspecifications
andalsothereisadefinedorderinwhichsuchstandardstepsaretobefollowed,and
rolesaredefinedforsystemsstakeholders[72].Afterreviewingdifferentarticleswe
came to know that CLASP and Secure TROPOS are the most widely used security
requirementselicitationtechniquesinindustryandacademiaonthebasisofarticles
[31,41,57,71,72]. Though the informal technique does not follow any predefined
steps, reason to choose the informal technique (Misuse cases) is that it is used to
analyzeasituationfromdifferentaspectsandcapturesecurityrequirementsinorder
to remove threats in early phases of requirements engineering. Misuse cases as a
solution for security requirement elicitation is accepted by different researchers
becauseofitssimplicityandeffectivenessofuse.Basedontheevaluationcriteriawe
selectedinformaltechnique[5,6,31,41,49,50,70,71].Unfortunately,wedidnothave
accesstoindustryandwehadtodrawconclusionsfrompublishedmaterialalone.If
we had access to industry, we would be able to gather more evidence for the
conclusionsdrawnfromtheSLRhere.
Afterreviewingandanalyzingthecomparisonoftheformaltechniqueswiththe
help of literature review, we concluded that CLASP and Secure TROPOS are easy to
understandandimplement,morescalableandhavemoreusagehistoryforsecurity
criticalsystems.
1.3.2.11 Limitations
After reviewing and analyzing all the found articles from available and possible
databases for the systematic review, we found some limitations in our systematic
literaturereview.Somesearchtermsorstringswerenotworkingproperlytofindthe
articlesfromdatabasesrelatedtosecurityrequirementselicitation.Wetriedourbest
tofindthearticleswhichareavailableinlast89yearssothatwecanfindthelatest
researchgapsinthisareabutyetwe mayhavemissedsomearticlesthatwerenot
availabletous.
1.3.3
QuickcomparisonofSecurityRequirementElicitation
techniques
Table7:StarRatingsofDifferentSecurityRequirementElicitationTechniques(reproduced
fromRomeroMarionaetal.[69]).
Resulting
System
Security
Scalability
Integrationof
security
Requirements
Constraint
Consideration
Benefitsof
testing
Other
Requirements
Integration
13
Misusecases
(Informal)
AbuserStories
(Informal)
Secure
TROPOS
(Formal)
Security
Problem
Frames
(Informal)
AntiModels
(Formal)
I*
(Formal)
Common
Criteria
(Formal)
SQUARE
(Informal)
OCTAVE
(Formal)
AttackTrees
(Informal)
USerMethod
(Formal)
**
None
None
***
None
I**
None
**
****
**
A**
D**
**
***
**
***
None
A****
None
None
**
****
None
None
****
**
None
D**
I***
****
****
D**
I*
***
****
None
A*
None
**
****
None
**
None
None
***
None
**
**
None
****
****
**
D**
D**
I**
A*
D**
I*
M*
****
CLASP
(Formal)
Table8:DescriptionforStarRating(reproducedfromRomeroMarionaetal.[69]).
Notation
None
TranslatedAs
Notspecified
Low
**
Moderate
***
ModerateHigh
****
High
Description
Thereisnoinformationregardinganyaspects/conceptsaboutthequestionathandin
anyofthesourcesdescribingtheapproach.
Aspects/conceptsrelatedtothequestionathandaresuggested(butnotindetail)OR
there is enough information to suggest that any support would be possible by the
approach.
Aspects/conceptsrelatedtothequestionathandareexplicitlymentionedinsomeof
the sources describing the approach, but it is not a critical component. Support is
described,butnospecificmeasurestooperationalizethatsupportaregiven.
Aspects/conceptsrelatedtothequestionathandareexplicitlymentionedinamajority
of the sources describing the approach; they are important aspects to the approach.
Supportisdescribedandsomemeasurestooperationalizethatsupportaredescribed.
Aspects/conceptsrelatedtothequestionathandarecriticaltotheapproach.Support
for the specific question is described across the majority of sources describing the
approach. There is evident and extensive support for the question at hand, and
measuresforachievingthissupportaredescribed.
We can see that RomeroMariona et al. [69] rated CLASP and Secure TROPOS
higher than other security requirement elicitation techniques. There is another
research conducted by Khan and Zulkernine [41] which also draws the same
conclusion as RomeroMariona et al.[69]. They [41] have compared Secure TROPOS
and CLASP with all other formal/Informal techniques and the results were almost
similar to that of RomeroMariona et al.[69]. Khan and Zulkernine [41] compared
different security specification languages according to properties like Security
14
1.3.4
Whydidwechoosetwoformaltechniques?
Thereasonforchoosingtwoformaltechniquesi.e.CLASPandSecureTROPOSout
ofseveralformaltechniqueswasthattheycoverthesecurityaspectsofthesystem
notintherequirementphaseonlybutalsointhedesignandtheimplementationpart
[41].Sobyusingthesetechniquestogether,wecangetusefulresult,whichismore
likely to elicit the security requirements, keeping in view, all software development
phases. These techniques also consider low and basic level security requirements
whichincludeintegrity,availabilityandconfidentialityofthesystem[41].Weignored
others formal techniques because constraints and approaches defined in formal
techniques follow strict systematic procedures [41] which are difficult to integrate
withothertechniques.Integratingtwowidelyusedtechniquesandgeneralizingtheir
stepsiseasyascomparetocombinemorethantwotechniqueswhichwillresultina
messandthusrequiremoreknowledgeinunderstandingthenotationswhichmight
beunfitforourframeworkanalysis[25].Integratingtwowidelyusedtechniquescan
have the benefit of using the different style and meaning of both the methods.
Moreover, considering two techniques will provide us with more options and
freedominordertoproposeaframework.
1.3.5
WhyMisusecases?
In addition to our systematic literature review and its results, we would like to
mentionsomemainreasonbehindselecting Misusecasesasaninformaltechnique
for our framework. Misuse cases are used to analyze a situation from different
aspectsandcapturesecurityrequirementsinordertoremovethreatsinearlyphases
of requirements engineering [68]. Alexander [5] indicated that Misuse cases can be
used for capturing nonfunctional requirements other than security like reliability,
availabilityandmaintainability.Thisinformal(MisuseCases)methodisveryusefulin
analyzing security threats and requirements [78]. Misuse cases as a solution for
security requirement elicitation is accepted by different researchers because of its
simplicity and effectiveness of use. It has a graphical and a textual form of
representation [6,4446,65,79,84,89]. In graphical representations, we can use
differentnotationstoshowthesecuritythreats.Textualtemplatesareusedtogather
detailed use cases descriptions which will benefit the requirement engineers to
analyzethesystem.
15
1.4
Aimsandobjectives
Themainaimofthisthesisistoproposeaconcrete,implementableframework
forsecurityrequirementelicitation.
To understand common software requirement elicitation mistakes that
causesecurityproblemsinasystem,atlaterstages.
Study formal and informal techniques for security requirement
elicitation.
Develop an implementable systematic procedure for security
requirementelicitationbyintegratingMisusecaseswithtwowidelyused
formaltechniquesforsecurityrequirementelicitation.
Toevaluateourproposedframework.
Understanding the validity of attack scenarios i.e. there are possibilities
of getting results some of which may not be applicable in case of the
systemunderconsideration.Inthatcaseweshallhavetovalidateevery
attackscenario.
1.5
ResearchQuestionsforOurthesis
We formulated three research questions for our research. The first research
questionwillbeansweredbyliteraturereviewandanalysisofavailableandongoing
research. We shall also conduct an experiment to conclude RQ1. The second and
third research questions will be validated through experiments or case studies. For
this, we have created two hypothesis null (H0) and alternative (H1) hypothesis in
RQ3.Wegavespecialattentiontotheanswerabilityofeachresearchquestion.Every
research question has an elaboration under the research question which discusses
motivation of the research question and in what way the research question is
answerable.
It should be noted that we used CLASP and Misuse Cases to elicit security
requirements (as mentioned in elaboration of RQ1). We did not elicit security
requirements from Secure TROPOS because later analysis (see Chapter 3) showed
that Secure TROPOS uses strict diagrammatical notations (see Figure 4) which are
difficulttointegratewithtextualform.MoreovermostofthestepsofSecureTROPOS
overlap with some of the activities of CLASP. Therefore, we decided to use CLASP
fromtheformaltechniquesforcomparison.
RQ1.
Doformalapproachesproducebetterresultswhenintegratedwithinformal
approachi.e.Misusecase?
Elaboration: Generalizing the steps of the two widely used formal security requirement
elicitationtechniquesCLASPandSecureTROPOSandintegratingthemwith
MisusecaseswillbethefirststeptoanswerRQ1.Inasecondstepweshall
conductanexperimentanduseCLASPandMisusecasesseparatelytoelicit
security requirements. Then we will use our framework to elicit security
requirements and compare results of our framework with the result from
CLASP and Misuse case respectively. During the comparison, we shall see
thatwhichonefromCLASP,MisuseandFramework,producesmorenumber
ofsecurityrequirements.
H0: Formal approaches do not produce better results when integrated
withinformalapproachi.e.Misusecase.
H1: Formal approaches produce better results when integrated with
informalapproachi.e.Misusecase.
16
RQ2.
RQ3.
On what basis and for which type of software systems, is the proposed
frameworkbetterthanotherwidelyknownsecurityrequirementelicitation
techniques?
Elaboration: We need to compare our framework with several wellknown security
requirement elicitation techniques. It will help us in determining if the
proposed framework captures more security requirements in number than
other security requirement elicitation techniques. By answering this
researchquestionwewillfindoutlimitationsandrankingofourframework
ascomparedtotheothersecurityrequirementelicitationtechniques.
H0: The proposed framework is not better than other security
requirementelicitationtechniques.
H1: Proposed framework is significantly better than the other
requirementelicitationtechniques.
1.6
ExpectedOutcomes
17
CHAPTER2ANALYSISOFAVAILABLEFRAMEWORKSDO
WEREALLYNEEDANEWFRAMEWORK?
Purpose of this chapter is to discuss the overall concept behind security
requirement elicitation techniques and available frameworks for security
requirementelicitationinindustry.
This chapter is divided into three main parts, Concept behind Security
Requirement Elicitation Techniques, Security Requirement Frameworks in industry
andliteraturereviewforexistingframeworksforsecurityrequirement.
Different requirement elicitation techniques and frameworks address security
fromdifferentanglesandperspectivesinordertoprovidemaximumbenefittouser
of the technique or framework. To understand the concept behind the creation of
thesetechniques,weneedtolookintovariousdefinitionsofsecuritybyresearchers
and try to establish their relationship with requirement elicitation techniques and
frameworks.
2.1
ConceptbehindSecurityRequirementElicitation
Techniques
Rushby [73] describes the concept of security as something which must not
happen. This description of security is quite vague but it is used by Sindre and
Opdahl to create an informal security requirement elicitation technique [78]. If we
take inverse of this description i.e. what must happen, we touch use cases. Use
casestechniqueisapictorialandtextualrepresentationoffunctionalrequirementsof
a software system. In other words a representation of what must happen in a
softwaresystem.MisusecasesissaidtobeinverseofUsecases[78].Inotherwords,
we can say Misuse cases represent what must not happen in a software system.
ThisdescriptionofMisusecasestechniqueisvagueandambiguouswhichissameas
theconceptofsecuritydescribedinRushbys[73]paper.Misusecasesisaninformal
security requirement elicitation technique which is an extension of Use case
requirementelicitationtechnique[61].InputforMisusecasesisatleastoneUsecase
[46,78,84]. There can be one or many misuse cases for a single use case. Misuse
creation depends upon the creativity of the person creating misuse cases
[45,65,6,79].Itmeansthatthereisnomeasurementofhowmanymaximummisuse
cases can be created for a particular use case. This vague concept of misuse case
creationestablishesitsrelationshipwithRushbys[73]description.Itmaybesaidthat
Misusecasesisarealizationofwhatmustnothappenduringasoftwareoperation.
AccordingtoMouratidis[58],asystemssecurityrequirementsaredefinedbya
systemssecurityconstraints.Sameconceptofsecurityispresentedbyothers[56,59]
whodefinesecuritytoasasystemsconstraint.Thisconceptofsecurityisseenini*
whichisaninformalrequirementelicitationtechnique.I*usestheconceptofgoals,
actors and dependencies to gather systems requirements. The concept of
dependenciesusedinI*canbedefinedasobligations[58]ontheactors.I*isused
forcapturingfunctionalrequirementsofasystembutusingtheconceptofsystems
constraint, I* is also used for capturing security requirements [16,23,57]. Tropos, a
formal technique for requirement elicitation is based upon I* modeling. Although
Troposwasnotdevelopedwithsecurityonmind[58],setofsecurityconstraintswas
proposed in order to enable Tropos to consider security aspects [23,58,59]. Secure
TROPOS, an extension of Tropos methodology, emerge as a formal technique for
securityrequirementelicitation[2,41,59].SecureTROPOSlacksincleardefinitionof
18
systemassets.Moreover,theideabehindSecureTROPOSmethodologydoesnottalk
about what system services are being constrained and its effect on systems
functionality[33].
IfwelookatCLASP,itconsistsoffiveviewswhichcontaintwentyfouractivities,
in total [66]. Each of the twenty four activities of CLASP is further divided [66] into
discreteprocesscomponentandlinkedtooneormorespecificprojectroles. Detail
workingofCLASPwillbeexplainedinanupcomingsection(seeChapter3).CLASPisa
formal technique it focuses on removing vulnerabilities in software environment.
CLASP emphasizes more on white box testing [29]. Therefore, despite the detail in
differentviewsandactivitiesofCLASP,itlacksindeterminingthetypesofbugstobe
fixed.CLASPactivitiesusuallyfocusonthearchitecturalandthetechnicalweaknesses
[29].Theseactivitiesignorethebusinesslevelthreats[29].CLASPdoesnothaveany
clear methodology how to realize or understand its activities [29,49,67,87].
Moreover,CLASPlackstoolsupport[29].
We see that not one description of software security encompasses the whole
problemareai.e.securityissuesinsoftware.Itisbecauseofthevarietyofresources
involved in software. Different natures of software systems, type of resources
involved,differentarchitecturalstylesandlifecyclemodelsaresomeofthereasons
ofvaryingefficiencyofsecurityrequirementelicitationtechniquesandframeworks.
Someresearchersconfinesecuritytoauthorization,integrity,confidentialityand
availabilityofservices[30,78,81],whereassome[4,65,92]focusonassets,activities,
goals and restrictions. Security requirement elicitation techniques and frameworks
are constructed on the concept of security. The way security is presented by
predecessors,inresearch,isreflectedlaterintherealizationoftheconceptsbythe
successors in the form of methods and techniques. Every requirement elicitation
technique and framework is a realization of a concept and the way security is
presentedbyoneormoreresearchers[4,32,33].Ithasbecomeclear,afterindepth
study of security concepts, that a flaw or shortcoming in a concept of security is
reflectedintherealizationoftheconceptlater.Itmeansthatifasecurityconcepthas
flaws, almost same flaws are reflected in realization of the concept whether the
conceptisrealizedbythesameordifferentresearcher(s).
2.2
SecurityRequirementFrameworksinIndustry
While studying existing techniques and frameworks, we saw that frameworks
proposedinacademiaareseldomusedinindustryatlarge.Mostorganizationshave
their own set of steps or framework to address security needs of a system. To
understandtheactualuseofsecurityrequirementelicitationframeworksinindustry,
we searched for security requirement frameworks used in software industry. We
selected literature available from two organizations i.e. IBM and CISCO. We were
surprised to know that these organizations have their own frameworks and set of
defined rules to address security in their systems. For example CISCO [39] uses
standardslikeISO17799andNISTSP800.CISCOisusingintegratedapproachinwhich
theyhaveintegratedstandardslikeISO17799andNISTSP800withdifferentstepsand
procedurestobeabletoimplementsecurityinallphasesofsoftwaredevelopment.
IBM [13] created a framework using the holistic approach to business security.
Security framework consists of 5 steps that enable the organization to secure the
solutions and the services. Framework used by IBM characterized security
requirements with respect to business policies which is again a customized
framework.
Frameworks proposed by researchers [4,12,21,24,32,33,38,52,58,77] are based
on different research methods. Researchers conducted detail studies in order to
19
addresssecurityrequirementsandtomakesoftwareworkbetter.Thereisnotmuch
literatureavailablewhichshowsthatdifferentframeworksproposedbyresearchers
areactuallyusedintheindustryonwidescale.
Beforeproposinganewframework,itwasimportanttolookintothepublished
materialregardingdifferentframeworksproposedbyresearchers.Inordertohavea
clear understanding of the existing frameworks and to know whether we need
anotherframeworkornot,weconductedaliteraturereview.
2.3
LiteratureReviewforExistingFrameworksforSecurity
RequirementElicitation
2.3.1
SearchStrategy
Inthissectionweexplainthesearchstrategyforourliteraturereview.
1. We identified keywords and important search terms from research
questions.
2. We also used synonyms of important search terms to improve our
search.
3. We formed search strings by using AND and OR Boolean operators (see
section2.3.3).
Oursearchstrategyispartiallyiterative.ItmeansthatwhilesearchingDatabases,
we changed and refined keywords and search terms to improve our search. We
gatheredalargesetofinitialstudiesafterexhaustingallthesearchtermsandsearch
strings(mentionedinsection2.3.3).Itisshownbelowinfigure3.
Figure4:SearchStrategy
2.3.2
ResearchQuestionsforLiterature
RQ2. WhataretheproblemsintheResultingframeworksfrom(RQ1)?
2.3.3
SearchTerms
FormalTechniqueSecurityRequirementElicitationFramework
InformalTechniqueSecurityRequirementElicitationFramework
CLASPSecurityRequirementElicitationFramework
MisuseCaseSecurityRequirementElicitationFramework
SecureTROPOSSecurityRequirementElicitationFramework
Securityrequirementelicitationframework
1AND2
20
1OR2
FrameworkforSecurityRequirementElicitation
Formalinformaltechniquesframeworks
Generalframeworkforformalinformaltechniques
SecureTROPOSFramework
Misusecaseframeworks
Modelingsecurityrequirementswithmisusecases
Semiformalframeworkelicitationtechniques
2.3.4
Databasesanddatacollectionsource
We used BTH Library to search the relevant material. We also searched the
databasesusingthekeywordswhichwereusedintheinitialsearchtomakesurethat
thereisnoSecurityRequirementElicitationFrameworkwhichisleftuntouched.We
searched online databases like ISI, IEEE Xplore, ACM, Springer, Inspec and
compendeX.
2.3.5
Inclusion/ExclusionCriteria
Table9:TwoPhaseInclusionCriteria
Abstract
Level
Detailed
Level
PapersandjournalsinEnglishlanguage.
Articlesthatlookedrelevantbykeywords.
AvailabilityofpaperthroughBTHlibrary.
Papersthatarepublishedinjournalsandconferencesareincluded.
Articleswereincludedwithrelevancetometadata.
ArticleswereincludedwithrelevancetometadataandFulltext.
Articleswereincludedrelevancetotitleandabstract.
Articleswereselectedrelatedtothesoftwaresecurityframeworks.
RelationshipwithRQ(ResearchQuestions):ThepaperselectionwasfocusedonourRQs.
PapersrelatedtoIntegrationofformalandinformalsecurityrequirementelicitationtechniques
wereincluded
Articleswereselectedthatevaluateanddiscussproblemsinsecurityrequirementelicitation
frameworks.
2.3.6
SearchResults
Table10:SearchResult
DBs
Title,Abstract,fulltext,Metadata,Topic
TotalSearchResult
Googlescholar
FullText
144983
IEEE
Fulltextandmetadata
22,714
ISI
Topic
194
ACM
Title,abstract,review
9323
Eng.Village
Allfields
2904
Total
All
180,118
Abovearethesearchresultsfromdifferentdatabases.
21
2.4
ResultsandConclusions
Wewouldliketomentionherethatwewerenotabletofindanypaperinwhich
theauthor(s)haveproposedaframeworkbycombiningFormalandInformalsecurity
requirement elicitation techniques. We found few papers in which author(s) have
combined two informal techniques [47,84] but we did not find any paper which
combinesformalandinformalsecurityrequirementelicitationtechnique.Aswehave
mentioned earlier, many frameworks are available [24,33,47,77] for security
requirement elicitation. We only looked for the papers in which researchers have
combined formal and informal technique i.e. the context and basic idea of our
research. After our literature review for frameworks, in which we did not find any
helpfulmaterial,aquestionwasraisedi.e.Maybeitisnotagoodideatocombine
formalandinformaltechniqueforsecurityrequirementelicitation!
We have to answer the above question in our research (See RQ1). The idea
behind our research is to propose a framework by combining formal and informal
security requirement elicitation techniques. In this way we can use strengths in
formalandinformaltechniquestomitigatetheproblemsintheusageofbothformal
andinformaltechniques.
22
UNDERSTANDINGSECURETROPOS,MISUSECASESAND
CLASP
Inthischapter,wehavedoneimplementationanalysisofSecureTROPOS,Misuse
caseandCLASP.Wehavelistdownimplementationstepsoftechniques.Therewere
some steps in these techniques, which needed to be further broken down to
understand actual implementation e.g. (see Table 12). Following aspects were
consideredduringimplementationanalysisoftechniques
ID: An identification number is assigned to identify and differentiate a
particularactivity.
Description:Descriptionandtitleoftheactivity.
Input:Inputandprerequirementsfortheactivity.
Participants:Peopleinvolvedincarryingouttheactivity.
Output:Resultoftheactivity
Purpose:Reasontocarryouttheactivity.
RiskinOmission:Threatsiftheactivityisnotcarriedout.
Analysisand stepsextractionwascarriedoutafter carefulliteraturereview. We
combinedpointsmentionedinseveralpapersintabularformforeasyunderstanding.
3.1
SecureTROPOS
Secure TROPOS was initiated as a PhD project in 2000 [61]. Secure TROPOS is
extension of Tropos methodology to model security features throughout the
developmentprocess.Purposeofthisextensionistoproposesecurityconstraintsina
well defined manner. Secure TROPOS methodology was proposed to fulfill the
limitations of Tropos [26,62]. Secure TROPOS Process includes early requirement
analysis ,late requirement analysis, architectural design and detail design stage.
Early Requirement phase starts from actor modeling. Early requirements and late
requirements have the same activities like actor modeling, dependency modeling,
trust modeling, delegation, security constraint modeling and goal modeling.
Differenceisthatearlyrequirementsmodeltheenvironmentofthesystemwhereas
late requirements model the system to be [26]. Architectural phase defines the
relationships of actors with external actors. Last phase is the detail design phase
where the components identified, in the previous phases, are modeled using the
agentunifiedmodelinglanguage[26].
BelowisthephasewiseexplanationofSecureTROPOS(seeTable11).Inorderto
haveanindepthunderstandingofSecureTROPOSactivities,pleaserefertoTable12.
Table11:FourPhasesofSecureTROPOS
Phase
PhaseDescription
Input
Participants
Output
Purpose
RiskinOmission
23
1. Early
Requirement
analysisstage.
2. Late
Requirement
AnalysisStage
3. Architectural
designStage
Definitionofthe
overall
organization.
Identificationof
thecapabilities.
Identificationof
agentTypes.
Inthisstagedevelopers
understandthe
problembystudying
theorganization
environmentandtheir
settings.Stakeholders
areidentifiedand
developersmodelthe
stakeholdersasactors
toidentifythegoals,
dependenciesbetween
theactors.Actorsgoals
aredecomposeinto
moreprecisegoal
throughgoaloriented
analysisinorderto
achievethegoals
[59][60].
Firststagewasto
analyzetheactors.In
thisstagesystemis
analyzedinoperational
environmentalongwith
thefunctionsandthe
qualities.Inthelate
requirementstageone
ormoreactorsarealso
introducedbecause
sometimestheexisting
actorsdefinedinthe
firststagecannotthe
satisfythegoalsand
thedependencies
betweenthem[59][60].
Organization
Environment
andtheir
settings.
Stakeholders
(Actors),
Developers
Outputwillbe
organizational
modelwhich
includethe
actors,
Security
entitiesand
the
dependencies
betweenthem
[59][60].
Thepurposeisto
identifytheactors,
securityentitiesand
tounderstandthe
problemofthe
organization
[59][60].
Securityconstraintsare
identifiedforthe
stakeholderswhoare
furtheranalyzedinthe
latersteps.Foreach
actorcorresponding
securegoalsare
introducedinorderto
satisfythem.By
omittingthisstep
securityconstraintswill
beignoredforeach
actorandwecannot
furtheranalyzethe
securitygoalsforthe
correspondingactors
[59][60].
Operational
environment
,System,
Early
Requirement
analysis
stage.
Actors,
Developers,
analyst
System
functionaland
nonfunctional
requirement
aredefined.
Furthermore
entitiesare
assignedto
theactorsin
orderto
satisfythe
securitygoals
[59][60].
Thepurposeisto
describethemodel
ofthesystemasan
actorwhichare
definedinthe
previousstage.
Inthisstage
architectureofthe
systemisdefinedin
termsof:
Subsystems.
Thesesubsystems
areinterconnected
throughdataand
dependencies.
Furthermorethisstage
isdividedintothree
stepsaslistedinsteps
section.Architectureof
theorganizationis
definedbyidentifying
thenewactorsand
correspondinggoalsare
assignedtothem.
Secondstepexplains
theresourcesor
capabilityneededby
theactortoachieve
theirgoals.Thirdstep
identifytheagenttypes
[59][60].
Actors,
Goals,Early
Requirement
analysis
stage.
Architect,
Designer,
Developer
Setof
software
agentsare
identified
corresponding
totheactors
[59][60].
Thepurposeofthis
step[59][60]:
Involvenew
actorsthattheycan
interactwiththe
externalactors.
Decompositionof
theactorsothat
everyactordefined
mustbeanalyzedin
detailwithrespectto
theirgoals.
Setofagenttypes
aredefinedandtheir
corresponding
capabilities.
Mostoftheactors
definedinthefirststep
couldnotsatisfytheir
corresponding
intentionsgoalsortheir
relationshipsbetween
them.Byomittingthis
stepwecouldnotadd
moreactorsinthe
systemwhichcanlead
tofailureinsatisfying
thegoalsofthesystem.
Secondlywewillbe
unabletodefinethe
functionalandnon
functionalrequirements
ofthesystem[59][60].
Bydefiningnewactors
inthisstagewedefine
securityconstraintsand
whenwefurther
decomposeactorswe
identifysecuritysub
constraintsandtheir
entities.Byomitting
thisstepsomesecurity
constrainsandsub
constraintswillbe
neglectedwhichcan
leadthesystem
insecure.Furthermore
wecannotmovetothe
nextstepwhichisdetail
designstage[59][60].
24
4. DetailDesign
Stage.
Inthisstage
architectural
componentdefinedin
thepreviousstageare
discussedindetailsin
termsof[59][60]:
Inputs
Outputs
Security
Control
Architectural
DesignStage,
Early
requirement
analysis,late
requirement
analysis
[59][60].
Architect,
Designer,
Developer
Capabilitiesof
thesoftware
agentsare
identifiedand
their
interaction
throughthe
systemis
modeled.
Agentsare
derivedfrom
theactors
definedinthe
previousstage
[59][60].
Purposeistoidentify
thesoftwareagent
capabilitiesby
introducingthe
securityrulesandto
furtheranalyzethe
architectural
component[59][60].
Inthisstagesecurity
aspectsaretakeninto
accountfromthe
previoussteps.By
omittingthisstepwe
cannottracebackto
earlyrequirement
phase[59][60].
Table12:ImplementationStepsofSecureTROPOS
ID
ST1
ST2
ST3
ST4
Step
Description
Construction of
Security
reference
diagram
Modeling
Stakeholders
alongwiththeir
goals,
dependencies,
and
security
constraints.
Analyze
In
depth
each
actors goals
and
security
constraints
imposed
to
them.
Introduce
Secureentities
Input
Participants
Output
Purpose
RiskinOmission
SecurityFeatures
Stakeholders
(Actors),
Developers
Security
Reference
Model/diagram
Stakeholders,
dependencies,
security
constraints,
SecurityReference
Model
Stakeholders
(Actors),
Developers,
Requirement
analyst
(Partial)
Stakeholder/Act
ordiagram
(Partial)
Stakeholder/Actor
diagram
Stakeholders
(Actors),
Developers,
Requirement
analyst
Detail
actor
diagramfor each
actor
Identification
of
relationships
and
constraints related to
eachactor
Detail
actor
diagram for each
actor
Stakeholders
(Actors),
Developers,
Requirement
analyst
Detail
actor
diagramfor each
actor. (Steps 3
and
4
are
performed
simultaneously)
25
ST5
Analysis
of
system under
development
within
its
operational
environment
along
with
relevant
functions and
qualities
Complete actor
analysis from step
3and4
Actors,
Developers,
Requirement
analyst
System (partial)
analysis
(diagram)
ST6
Additionofnew
actors
System (partial)
analysis(diagram)
System (partial)
analysis
(diagram)
ST7
Actor
Decomposition
System (partial)
analysis
(diagram)
Eachactorisdescribedin
detail with respect to
theirgoalsandtasks
ST8
Identify secure
capabilities for
eachactor
System (partial)
analysis
(diagram)
Capabilities needed by
the actors to fulfill their
goalsareidentified
ST9
Agent
Assignment
Architect,
Designer,
Developer,
Requirement
Analyst,Actors
Architect,
Designer,
Developer,
Requirement
Analyst,Actors
Architect,
Designer,
Developer,
Requirement
Analyst,Actors
Architect,
Designer,
Developer
Thesystemisintroduced
as one more actors, to
which existing actors
delegate responsibilities
for some of the goals
and the dependencies
that they cannot satisfy.
The
delegated
dependencies define all
the functional and non
functional requirements
ofthesystem.
To make the system
interact with external
actors
Architectural
design
ST10
Specify agent
capabilities and
interactions
taking
into
account
the
securityaspects
derived from
previous steps
ofanalysis.
Validation
Architecture
design
Architect,
Designer,
Developer
DetailDesign
DetailDesign
Stakeholders,
Architect,
Designer,
Developer
Final
model
ST11
security
Relationship
between
security constraints and
operational environment
cannotbeunderstood
Development of Secure
communication methods
between internal and
external
actors
is
neglected
Goal associated with the
actors
might
be
misunderstood
Lackofconsensusamong
stakeholders.
System might not work
with some components
orothersystems.
26
Figure5:SecureTROPOSexample
3.2
MisuseCase
Misusecasesareactionsthatareperformedbyactor(Person)inordertoharm
system. Purpose of misuse cases elements is to threat use case to hinder them in
achievingthegoal[6].
Figure6:MisuseCasesexample
Abovediagram(Figure5)isanexamplewhichshowsuseandmisusecaseofcar
securityrequirements.Asitisshowninfiguredriverthecar,lockthecarandlockthe
transmission are use case elements. Where as in the right side of picture steal the
27
car,shorttheignitionaremisusecaseelements.Inordertomitigatethreat(Stealthe
car) driver must lock the car. To mitigate short the ignition driver must lock the
transmission[6].
As discussed earlier, Misuse cases is an informal technique proposed by Sindre
and Opdahl. Normally, informal techniques lack definition of discrete and clear
number of steps [41]. If we look at the Implementation steps of Misuse cases, we
clearly see that there is no predefined end state and creation of Misuse case
dependsuponthecreativityofthepersonusingMisusecasestechnique[6,45,65,79].
We have used MC with a digit in ID field, in order to be able to uniquely identify
activitiesofMisusecasesfromactivitiesofothertechniques.
Table13:MisuseCasesImplementationSteps
Step
Number
Step
Description
Concentrate on
normal actors
andusecases
Input
Participants
Output
Purpose
RiskinOmission
Use
Cases
Stakeholders,
Analyst
To understand the
services user wants.
Simplemotivationfor
thisstepis:ifthereis
nothing to use, there
isnothingtomisuse.
Introduce major
MisuseCases
Output
from
step2
Analyst
To express the
intentions of mis
actors who intend to
harmthesystem.
Investigate
Potential
Relation
between Misuse
cases and Use
cases
Misuse
case
Analyst
Major Misuse
case
identification,
Misuse
case
diagram
Detail
Misuse
case
Misuse case is
created on the
basis of Use Case.
Omitting this step
will stop further
progress
with
misuse
case
technique[80].
By omitting this
step,
misusers
intentions towards
the system are
skipped[80].
Wehavenoclueof
the nature of
attacks[80].
MC1
MC2
MC3
To identify the
nature of threat.
Many threats to a
system
can
be
achieved
through
normal functionality
e.g.DenialofService
3.2.1
MisuseCasesTemplate
Since Misuse cases is an extension of Use case [80], there are common fields
betweenUsecaseandMisusecasestemplatessuchasName,Date,andAuthoretc.
There are some additional fields that are specific for Misuse cases Template.
FollowingarethefieldsincludedinMisusecasestemplate[80].
Table14:MisuseCaseTemplate
Field
Name
Summary
Date
Author
BasicPath
AlternativePath
CapturePoint
ExtensionPoint
Triggers
Preconditions
Assumptions
Postconditions
WorstCaseThreat
Preventionguarantee
Description
MisuseCaseName/Title
ExplanationofMisusecase
DateofcreationofMisusecase
CreatorofMisusecase
Stepswhichamisuserisgoingtotakebeforereachingthegoal
Otherpathsthroughwhichthesamegoalcanbereached
Optionsforhowmisusecanbedetectedandprevented[61].
Optionalpathstakenbymisuse
Conditionthatcaninitiatemisusecase
Thisconditiondescribesthosestatesofthesystemwhichmakemisuse
possible
This condition describes those states of the systems environment
whichmakemisusepossible
Stateofthesystemaftersuccessfulmisuse case
Maximum damage possible in case of a successful misuse case.
Optionalpathsarealsoincluded.
Prevention Guarantee describes the result that would be obtained by
following the Basic or Alternate path if the threat were detected
andminimumthreatmitigationoccurs.[34]
28
Detectionguarantee
RelatedBusinessRule
PotentialMisuserProfile
Stakeholders
Scope
AbstractionLevel
Technology and Data
Variations
TheDetectionGuaranteedescribestheresultthatwouldbeobtained
ifthemisuseweredetected,butnotmitigated.[34]
RelatedBusinessRulesareusecasebusinessrulesthatarebrokenby
themisusecase[34]
Levelofskillsandintentionsofthemisusemustbeassessedinorderto
beawareoftheseverityofthreat
The people who have concern about what should not happen in the
system
The scope of modeling, e.g., the entire business or just the planned
computerizedinformationsystem[80]
Whatisthelevelofabstractionforthemisusecasee.g.summary,sub
functionetc.
Which various ways and technologies can be used to achieve the
misuse
3.3
CLASP
CLASP is an application security process which focuses on security throughout
software development life cycle. CLASP has five views (see Table 15), twenty four
activities(seeTable16)whicharegroupedinsevenbestpractices(seeTable17).
Table15:CLASPViews
View
ConceptsView
RoleBasedView
Activityassessmentview
ActivityImplementationView
VulnerabilityView
Description
Purpose of this view is to gain an overview of all the CLASP
processes and activities. Special attention is given to all the
concepts,activitiesandprocessesofCLASP[28,88,66].
This Section Gives an idea to the project manager how he and
his project members will deal or interact with the security
problems. Role based also introduces the basic responsibilities
fortheteammembers.Rolebasedisusedasinitialpointforthe
team members in order to address the security of software
[88,28,66].
CLASP Includes24activities.Itisnotnecessarytoincludeallof
them.Inassessmentview,thoseactivitiesareconsideredwhich
are appropriate for the software and which benefit the cost.
Focusofthisviewisontwothingsi.e.risksandimplementation
cost. Those activities which have low risk and high
implementationcostmaybedeletedinthisview[28,88,66].
CLASP activities are translated into software development
processes.Subsetoftheseactivitiesareassessedandaccepted
inthisphase[28,88,66].
Inthisviewallthesecurityproblemsarecategorized[88,66].
Following twenty four activities [66,88] are performed in CLASP. Some of these
activities can be performed independently whereas to carry out some activities, we
needoutputsofotheractivities.WehaveusedCLwithadigit,inIDfield,inorderto
be able to uniquely identify activities of CLASP from activities of other techniques.
Relative impact of CLASP on several key traditional software engineering activities
such as requirements specification is mentioned in Description field. Steps within
such activities are not materially changed by CLASP [66,88]. Instead, CLASP
recommendsextensionstocommonartifactsandprovidesimplementationguidance
for securityspecific content [66]. Owner in Participant field is the person(s) who
initiateandperformtheactivity.Keycontributorsprovidesignificantsupporttothe
activity.
Table16:CLASPActivities
Step
Number
StepDescription
Input
Participants
Output
Purpose
RiskinOmission
29
CL1
Institutesecurity
awareness
program
(RelativeImpact:
High)
Trainings,
Concepts
Project
manager,
Team
Members
Security
awareness
MonitorSecurity
Metrics
(RelativeImpact:
High)
Organization,
Application
Project
manager
Critical
Vulnerabilitiesare
assessedtoknow
thelevelof
improvementin
security.
Specify
Operational
environment
(RelativeImpact:
Medium)
Operating
Environment
Owner:
Requirement
Specifier,
Key
Contributor:
Architect,
Operational
environment
specification
Identifyglobal
securitypolicy
(RelativeImpact:
Medium)
Organization
Requirement
specifier
Securitybusiness
requirements,
Comparisonof
productsin
organizationsin
ordertocapture
securityposture.
Identify
Resourcesand
trustboundaries.
(RelativeImpact:
Low)
System
Owner:
Architect,
Key
contributors:
Requirement
Specifier
Security
requirements
CL2
CL3
CL4
CL5
Trainingsare
conductedinorderto
ensurethatproject
managersandthe
wholedevelopment
teamknowsabout
theimportanceofthe
securityinthe
software
To identify part of
software
that
requires
more
attention.
By
identifying
those
areas,securitycanbe
improved.
To
identify
the
frequency of the
defects.
Operation
environmentis
identifiedinorderto
assessthesecurity
impact.Assumptions
canbemadeinorder
toidentifythe
operational
environmentor
throughthe
requirementsofthe
systems
By identifying the
global security policy
a comparison can be
made of the security
procedure of the
products related to
the
different
organizations. By this
wecanhaveadefault
base line for security
business
requirements
Thesystemis
introducedasone
moreactors,towhich
existingactors
delegate
responsibilitiesfor
someofthegoalsand
thedependencies
thattheycannot
satisfy.Thedelegated
dependenciesdefine
allthefunctionaland
nonfunctional
requirementsofthe
system.
Teammemberswill
notunderstandthe
conceptand
importanceof
security.
Byomittingthisstep
therewillbeno
concretebaseto
measuresecurity
effort.
Bynotproperly
identifyingthe
operational
environmentwewill
notbeableto
communicateto
userstheimpactof
securityindesign
decisions.
It might create an
hindrance
in
comparing different
security procedure
with
different
organizations
Relationship
betweensecurity
constraintsand
operational
environmentcannot
beunderstood
30
Identifyuserroles
andresource
capabilities
(RelativeImpact:
Medium)
System
Owner:
Architect,Key
contributor:
Requirement
specifier
Systemroles,
resources
Systemrolesandthe
resourcestheseroles
canaccessare
identified.
Document
SecurityRelevant
Requirements
(RelativeImpact:
High)
DetailMisuse
cases
(RelativeImpact:
Low)
Application,
Security
Owner:
Requirement
Specifier,Key
contributor
Functional and
Business
requirementsfor
security
Functional
Requirementsfor
securityare
documented
System,
organization
Owner:
Requirements
specifier,Key
contributors:
Stakeholders.
Owner:
Designer
Risksare
identifiedwhich
canbe
communicatedto
stakeholders
Potentialentry
pointsforattack.
To
communicate
potential risks to the
stakeholder.
CL6
CL7
CL8
IdentifyAttack
Surface
(RelativeImpact:
High)
Application
Design
Applysecurity
principleto
design
(RelativeImpact:
High)
Application
Owner:
Designer
Implementation
strategies,Design
principles
Research
and
assess security
posture
of
technology
solutions
(Relative Impact:
High)
Annotateclass
designswith
security
properties
(RelativeImpact:
Low)
SpecifyDatabase
security
configuration
(RelativeImpact:
MediumtoHigh)
Thirdparty
components,
Technology
Owner:
Designer,
Key
Contributor:
Component
Vendor
SecurityRisksin
technologies.
Datafields,
Classdesign
Owner:
Designer
Detailexplanation
ofsecurity
policies.
Database
resources
Owner:
Database
Designer.
Default
configurationin
ordertosecure
database
resources.
CL9
CL10
CL11
CL12
CL13
By identifying the
attack surface one
can identify the
maximum
entry
pointsforanattackto
the system. This can
be measured by
identifying
the
number of inputs to
theprogram.
Determine
implementation
strategyforsecurity.
Itwillassessrisksin
thirdparty
components.
Determinehow
effectivelya
technologyreduces
risks.
Security policies are
defined for data
fields.
Default
security
configurations
are
identified for the
databases that are
associated
with
implementation.
Identify
recommended
security configuration
for
database
resources
for
databases that are
deployed by a third
party.
Bynotidentifyingthe
roles according to
the
resources
available
might
create hindrance in
the
protection
mechanism
on
resources. Secondly
by not specifying
roles according to
resources available
will create confusion
regarding the access
controlmechanisms.
System services for
security can be
ignoredeasily.
Notapplyingsecurity
principles earlier in
design phase will
result in revisit the
design phase in case
some
security
problem arise in the
implementationpart.
Security problems in
third
party
components
can
potentially
compromise
systemssecurity.
Error
in
implementing access
controlpolicy.
By omitting this
activity will have
security Errors in
database
configuration.
31
PerformSecurity
analysisofsystem
requirementsand
design
(RelativeImpact:
High)
System
Owner:
Security
Auditor,Key
contributor:
Architectand
designer
Systemthreats,
Systemrisks,
Securityimpact
Integratesecurity
analysisinto
source
management
process
(RelativeImpact:
Medium)
Management
process
Owner:
Integrator.
Regularmetrics
data,
implementation
review.
Implement
Interface
contracts
(RelativeImpact:
High)
Program
Interface.
Owner:
Implementer.
ReliabilityErrors
areidentified.
It is used for
validation of inputs.
Reliability Errors are
identified.
Implementand
elaborate
resourcepolicies
andsecurity
technologies
(RelativeImpact:
VeryHigh)
Addressreported
securityIssues
(RelativeImpact:
High)
Specification
Owner:
Implementer.
Security
functionalities
Security
Functionalities
related
to
the
specification will be
implemented by the
implementer.
Software
Owner:
Designer,
Key
contributor:
FaultReporter
SecurityRisk
i.e.tocheck
whetherthe
securityrisks
identifiedare
addressedornot.
PerformSource
Levelsecurity
review
Relative
Impact:(Very
High)
Identify,
implementand
performsecurity
Tests
Relative
Impact:(Medium)
Software,
System
Owner:
Security
Auditor,Key
contributors:
Implementer,
Designer.
Owner:Test
analysts.
Measurementof
healthofsecure
software
development
effort.
It is used to check
whether the risks
identified in the
design phase are
addressed properly in
implementation
phase
Vulnerabilitiesrelated
tosecurityare
identifiedin
implementation.
CL14
CL15
CL16
CL17
CL18
CL19
CL20
CL21
CL22
VerifySecurity
attributesof
Resources
(RelativeImpact:
Medium).
PerformCode
Signing
(RelativeImpact:
Low).
Design
review,
Operational
environment
Security
Problems,
SecurityRisks.
Software
operational
environment.
Owner:Tester
Confirmationof
previously
definedsecurity
policies.
Software
Owner:
Integrator.
Malwareare
omitted
SecurityProblemsare
found which are not
identified in the
implementation part.
Failures
can
be
identified in design,
specification
and
implementation.
Confirm previously
defined
security
policies.
Providethe
stakeholderwitha
meansofvalidating
theoriginand
integrityofsoftware
Willincreaserisks
Risksnotaddressed
inimplementation
willleadtomore
threatsinthe
software.
Thoseriskswhichare
ignoredorskippedin
thedesignphasecan
bereflectedinthe
implementation
phase.
Securityriskswillbe
reflectedin
deployment.
Attackers have a
direct access to the
resources of the
software.
Customer
may
receive illegitimate
software
with
malwares.
32
CL23
CL24
BuildOperational
Guide
(RelativeImpact:
Medium).
Security
functionality,
Software.
Managesecurity
issuedisclosure
process
(RelativeImpact:
Low)
Security
Researchers
Owner:
Integrator,Key
Contributors:
Designer,
Architect,
Implementer
Owner:Project
Manager,Key
Contributor:
Designer
Operational
securitymeasures
document.
Documentationis
providedto
stakeholderrelatedto
operationalsecurity
measures.
Effective
communication.
Communication with
customers
and
security researchers
from outside when
issues are found in
releasedsoftware.
Damage
business
reputation
Allthe24activitiesdefinedabovearegroupedinsevenbestpracticesinCLASP.
RelatedactivitiesofCLASParegroupedintosevenbestpractices,
1. Institute awareness program: Purpose of this activity is to educate everyone
involvedaboutsecurityconceptsandtechniquesusedinorganizationsthrough
trainingsandaccountability.
2. Perform application assessment: The purpose of this practice is to assess the
application by identifying security problems and security risks introduced in
operationalenvironment.
3. Capture Security Requirements: In order to capture security requirements
followingsfactorsmustbeconsidered:
Understand the application in context of usage and attack
scenarios.
Assetsareidentifiedinordertofindthelevelofaccesstheyprovide.
Overallarchitectureoftheapplication.
4. Implementsecuredevelopmentpractices:Goalofthispracticeistoachieve
securedevelopmentpracticesinorganization.Itguidesprojectteamwhen
applyingsecurityprinciplestodesignandelaboratingresourcepolicies.
5. Build vulnerability remediation procedures: Role of this activity is to reduce
risks by defining roles, responsibilities, prioritize steps and remediate
vulnerabilities.
6. Define and monitor metrics: This practice is critical in analyzing the security
posture of an organization, security effort and monitors the overall
performance.
7. Publish operational security guidelines: Documentation is provided to
stakeholderrelatedtooperationalsecuritymeasures.Tasksdefinedabovemust
becommunicatedtodifferentresearchers.
Following Table is inspired from [28] for better understanding of CLASP best
practices.
Table17:CLASPBestPractices
CLASPBestPractices
1. Institutesecurity
awarenessprogram
2. PerformApplication
Assessment
ID
CL1
CLASPActivities
Institutesecurityawarenessprogram
RelatedProjectRoles
ProjectManager
CL14
PerformSecurityanalysisof system
requirementsanddesign
PerformSourceLevelsecurityreview
SecurityAuditor
CL19
CL20
CL21
CL11
3. CaptureSecurity
CL4
Identify,implementandperform
securityTests
VerifySecurityattributesofResources
Researchandassesssecuritypostureof
technologysolutions
Identifyglobalsecuritypolicy
Owner:SecurityAuditor
KeyContributor:Implementer,
designer
Testanalyst
Tester
Owner:Designer
KeyContributor:Component
Vendor
RequirementSpecifier
33
Requirements
CL5
IdentifyResourcesandtrustboundaries
CL6
Identifyuserrolesandresource
capabilities
CL3
SpecifyOperationalenvironment
CL8
CL22
CL24
DetailMisusecases
(RelativeImpact:Low)
IdentifyAttackSurface
DocumentSecurityRelevant
Requirements
Applysecurityprincipletodesign
Annotateclassdesignswithsecurity
properties
Implementandelaborateresource
policiesandsecuritytechnologies
ImplementInterfacecontracts
Integratesecurityanalysisintosource
managementprocess
PerformCodeSigning
Managesecurityissuedisclosureprocess
CL18
AddressreportedsecurityIssues
CL2
MonitorSecurityMetrics
Integrator
Owner:Projectmanager
KeyContributor:Designer
Owner:Designer,
FaultReporter
ProjectManager
CL13
SpecifyDatabasesecurityconfiguration
DatabaseDesigner
CL23
BuildOperationalGuide
Owner:Integrator
KeyContributor:Designer,
Architect,Implementer
CL9
CL7
4. ImplementSecure
developmentpractices
CL10
CL12
CL17
CL16
CL15
5. Buildvulnerability
remediationprocedures
6. Defineandmonitor
metrics
7. PublishOperational
Securityguidelines
3.4
Owner:Architect
KeyContributor:Requirement
Specifier
Owner:Architect
KeyContributor:Requirement
Specifier
Owner:RequirementSpecifier
KeyContributor:Architect
Owner:RequirementSpecifier
KeyContributor:Stakeholder
Designer
Owner:RequirementSpecifier
KeyContributor:Architect
Designer
Designer
Implementer
Implementer
Integrator
Summary
AsfarasSecureTROPOSisconcerned,itusesstrictnotationsanddiagramswhich
arereallydifficulttointegratewithtextualformofactivitydescription(seeFigure4).
The notations like depender, node, constraints, dependee, dependum etc used in
Secure TROPOSareextensionofTroposmethodology.Withoutthesenotationsone
cannot carry out activities of Secure TROPOS. Focus of Secure TROPOS is to secure
thesystem.
Misuse cases have both textual and pictorial form of representation (see Figure
5). Misuse cases represent attacks on a system. Unlike CLASP and Secure TROPOS,
Misusecasesfocusonthreatstoasystem.
Allthe24activitiesofCLASPhavetextualexplanation.Itmeansthatactivitiesof
CLASP are explained in simple and plain language. CLASPs activities and best
practicesfocusonsecuringthesystemthroughoutsoftwaredevelopmentlifecycle.
34
PROPOSEDFRAMEWORK
Wewent throughanumberofactivitiesforproposingaframeworkforsecurity
requirement elicitation using CLASP, Secure TROPOS and Misuse cases. All of these
activitiesarementionedclearlyinthischapter.Itshouldbekeptinmindthatthere
weremanyplaceswhereweremovedsomeconstraintsintheactivitieswhichwere
specific for the technique. These constraints were removed to make the activity
integrateable with other activities. For example: Activities in Secure TROPOS are
sequential and Secure TROPOS uses special notations and diagrams for security
constraints and requirements which makes integration of Secure TROPOS with any
other technique very difficult. We used the basic idea behind such activities and
proposed new activities in our framework. We proposed this framework by
integratingactivitiesfromCLASP,SecureTROPOSandMisuseCases.
4.1
OverlappingActivitiesofCLASPandSecureTROPOS
We compared activities of CLASP and Secure TROPOS and found similarities in
some of the activities on the basis of concept behind the activities. To check
similaritieswelookedintoactualstepsofthetechniques.Asdiscussedearlier,Secure
TROPOS uses graphical notations which are difficult to integrate with techniques
having textual form of representation. Therefore we used the basic concept behind
SecureTROPOSactivities.
Some of activities of CLASP use similar concept as some activities in Secure
TROPOS. For example Activity CL3 says that one must specify operational
environmentinordertoassesssecurityimpact.UsingthesameconceptST5inSecure
TROPOSsaysthattoanalyzesystemoneshouldspecifyoperationalenvironmentin
whichsystemworks.SameisthecasewithCL10andST6,ST7,ST8whicharerelated
to architectural design. We have listed down the overlapping activities to eliminate
repetition of activities (see Table 18). Activities of Secure TROPOS are based upon
languagenotationsanddiagrams.Wehavetakenthebasicideabehindeachactivity
ofSecureTROPOSandignorednotationsanddiagrammaticalrepresentations.
Table18:OverlappingActivitiesofCLASPandSecureTROPOS
CLASP
ActivityID
CL2
CL3
MonitorSecurityMetrics
Specify
Operational
environment
CL10
Applysecurityprincipleto
design
CL5
CL14
CL21
4.2
Description
Secure
TROPOS
ActivityID
ST1
ST5
ST6,
ST7,
ST8,
ST9
ST10
ST11
Description
ConstructionofSecurityreferencediagram
Analysis of system under development within its
operational environment along with relevant
functionsandqualities
These activities are performed to produce an
architecturaldesign
AgentAssignment
Specify agent capabilities and interactions taking
into account the security aspects derived from
previousstepsofanalysis
Validation
BestPracticeSelection
Theme of our thesis is to propose a framework, through which you are able to
elicit security requirements. After analyzing CLASP practices we realized that these
practices are related to different phases of Software Development Lifecycle such as
35
Table19:SelectedBestPracticesforCLASP
CLASPBestPractices
PerformApplication
Assessment
ID
CL14
CL19
CL20
CL21
CL11
CaptureSecurity
Requirements
Identify,implementandperformsecurity
Tests
VerifySecurityattributesofResources
Researchandassesssecuritypostureof
technologysolutions
CL4
CL5
Identifyglobalsecuritypolicy
IdentifyResourcesandtrustboundaries
CL6
Identifyuserrolesandresourcecapabilities
CL3
SpecifyOperationalenvironment
CL8
DetailMisusecases
(RelativeImpact:Low)
IdentifyAttackSurface
DocumentSecurityRelevantRequirements
CL9
CL7
4.3
CLASPActivities
PerformSecurityanalysisofsystem
requirementsanddesign
PerformSourceLevelsecurityreview
RelatedProjectRoles
SecurityAuditor
Owner:SecurityAuditor
KeyContributor:Implementer,
designer
Testanalyst
Tester
Owner:Designer
KeyContributor:Component
Vendor
RequirementSpecifier
Owner:Architect
KeyContributor:Requirement
Specifier
Owner:Architect
KeyContributor:Requirement
Specifier
Owner:RequirementSpecifier
KeyContributor:Architect
Owner:RequirementSpecifier
KeyContributor:Stakeholder
Designer
Owner:RequirementSpecifier
KeyContributor:Architect
ActivitySelection
We further analyzed activities of the two selected best practices and found out
that there are some activities which focus on other than requirement phase of
SoftwareDevelopmentLifecycle.Wedeletedactivitieswhichwereoutofcontextfor
us and kept only those which focus on security requirement capturing phase. We
then revisited the table in which we listed over lapping activities(see Table 18) and
listed down the overlapping activities of CLASP and Secure TROPOS for our finally
selected activities. Our final activities are listed below (see Table 20). It should be
keptinmindthatthoseactivitiesofCLASPandSecureTROPOSwhicharerelatedto
phasesotherthanrequirementelicitationareequallyimportantinordertosecurea
systembutweonlyfocusedontheactivitiesthataddressrequirementelicitationto
stayinthescopeofthethesis.
Activity number CL19, CL20 and CL21 were deleted because they are related to
implementationandTestingphasesoftheSoftwaredevelopmentLifecycle.
Table20:SelectedActivitiesfromCLASP
CLASPBest
Practices
PerformApplication
Assessment
ID
CLASPActivities
CL14
PerformSecurityanalysisofsystemrequirements
anddesign
Researchandassesssecuritypostureoftechnology
solutions
Identifyglobalsecuritypolicy
IdentifyResourcesandtrustboundaries
Identifyuserrolesandresourcecapabilities
SpecifyOperationalenvironment
DetailMisusecases
(RelativeImpact:Low)
IdentifyAttackSurface
DocumentSecurityRelevantRequirements
CL11
CaptureSecurity
Requirements
CL4
CL5
CL6
CL3
CL8
CL9
CL7
Overlappingactivities
fromSecureTROPOS
ST10
ST9
ST5
36
Table21:SelectedActivitiesfromSecureTROPOS
SecureTROPOSActivityID
ST2
ST3
ST4
ST8
4.4
Description
ModelingStakeholdersalongwiththeirgoals,dependencies,andsecurityconstraints.
AnalyzeIndeptheachactorsgoalsandsecurityconstraintsimposedtothem.
IntroduceSecureentities.
Identifysecurecapabilitiesforeachactor.
AdditionalfieldsinMisuseCasesTemplate
In this step we considered those activities of Secure TROPOS that have no
overlappingwithanyoftheactivityofCLASPi.e.ST2,ST3,ST4andST8.
WeintendtomakeaseparateactivityusingST3,ST4andST8becausetheyare
related. Purpose of ST2 is to record Stakeholder information along with their goals,
dependencies,andsecurityconstraints.ItseemsfeasibletoaddthesefieldsinMisuse
CasesTemplate(seeTable14)andrecordthisinformationintheaddedfields.Sowe
addedthreemorefieldsinMisusecasestemplatei.e.(seeTable21)
Table22:AdditionalfieldsinMisuseCaseTemplate
Field
Goal
Dependencies(Relationship):
SecurityConstraints
4.5
Description
Whichgoalofthestakeholderishindered
RelationshipofStakeholderwithotherStakeholder(s)
InformationaboutSecurityconstraintsonStakeholder(s)
SequencingtheSteps
After finalizing the activities that are to be included in the framework, we
sequencedtheactivities onthebasis ofwhatshallbe donefirst(seeTable 22).For
example:CL14isdependentupontheoutputofotheractivities[66]soitshouldbe
keptatlast.
Table23:SequenceofCLASPActivities
ID
CL3
CL4
CL5
CL6
CL9
CL11
CL8
CL7
CL14
ActivityDescription
SpecifyOperationalenvironment
Identifyglobalsecuritypolicy
Identifyresourcesandtrustboundaries
Identifyuserrolesandresourcecapabilities
Identifyattacksurface
Researchandassesssecurityposture
Detailmisusecase
Documentsecurityrelevant requirements
Performsecurityanalysisofsystemrequirementsanddesign.
4.6
AnalysisofSelectedSteps:Activityrevisit
SequencedCLASPactivitieswerethenmergedwiththeactivitiesofMisusecase
andSecureTROPOS(seeTable23).
Table24:Mergedactivitiesfromtechniques
ID
CL3
CL4
CL5
CL6
ST3,ST4,ST8
CL9
CL11
MC1
MC2
MC3
CL7
ActivityDescription
SpecifyOperationalenvironment
Identifyglobalsecuritypolicy
Identifyresourcesandtrustboundaries
Identifyuserrolesandresourcecapabilities
Identifyindepthuserroles,secure capabilities andsecurityconstraints foreachactor
Identifyattacksurface
Researchandassesssecurityposture
Concentrateonnormalactorsandusecases
IntroducemajorMisuseCases
InvestigatePotentialRelationbetweenMisusecasesandUsecases
Documentsecurityrelevant requirements
37
CL14
4.7
Performsecurityanalysisofsystemrequirementsanddesign.
UsingSecurityRequirementCategorization
WhenwelookedatMisuseCaseactivities,westillfacetheproblemthatMisuse
creation depends upon the creativity of the person creating Misuse case. So we
decided to use Security Requirement Categorization by Bogale and Ahmed [11] in
whichtheyhavecategorizedalltheknownsecurityrequirementsandvalidatedtheir
categorizationfromSwedishArmedForces(seeAppendixC).
In order to make sure that maximum security requirements are captured, we
initially assume that all security requirements mentioned in Security Requirement
Categorization [11] are true for all identified entry points, functionalities, assets,
servicesandactors.Therearegoingtobemanyrequirementswhicharenotvalidfor
anentrypoint,functionality,asset,serviceoractor.Wedeleteinvalidrequirements
one by one for each entry point, functionality, asset, service or actor. The left over
security requirements will be valid security requirements for each entry point,
functionality,asset,serviceoractor.
4.8
ProposedFramework
Following steps are proposed after analysis of activities mentioned in earlier
sectionsinthischapter.ItshouldbenotedthatDetailMisuseCaseactivityi.e.Step8
and11arecomprisedofthreesubactivitiesmentionedinTable13andTable23.
Table25:FrameworkSteps
Step
Number
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Description
SpecifyOperationalenvironment
Identifyglobalsecuritypolicy
Identifyresourcesandtrustboundaries
Identifyuserrolesandresourcecapabilities
Identifyindepthuserroles,securecapabilitiesandsecurity constraints
foreachactor
Identifyattacksurface
Researchandassesssecurityposture
Detailmisusecase
Documentsecurityrelevantrequirements
Performsecurityanalysisofsystemrequirementsanddesign.
Updatesecurityrequirementsdocument
Identifyresources,entrypoints,functionalities,assets,servicesand
actorsforthesystem
Supposeallthethreatsmentionedinthecategorizationaretrueforall
resources,entrypoints,functionalities,assets,servicesandactorsfor
thesystem
Validatethreatsforeachresource,entrypoint,functionality,asset,
serviceandactorsforthesystem
Updatethedocument.
ActivityIDfromCLASP,
SecureTROPOSorMisuses
Cases
CL3
CL4
CL5
CL6
ST3,ST4,ST8
CL9
CL11
MC1,MC2,MC3
CL7
CL14
FurtheranalysisoftheframeworkshowedthattherecanbeiterationfromStep8
to Step15. Step 11 and onwards do not belong to any technique. These steps are
includedtofacilitatetheuseofSecurityCategorization(seesection4.7)
4.8.1
HowtoconducteachstepofFramework
Mostpartofthesection4.8.1containstextfrom[66]and[88].Mostofthetext
written in before mentioned section also belongs to [66] because there were many
thingswhichwerebetterexplainedinoriginaltextfrom[66].
It should be noted that first nine activities are decomposition of the system for
Performsecurityanalysisactivityofthesystem.Webreakdowntheapplicationto
38
understanduserroles,entrypoints,exitpointsanddataflowinfirstnineactivitiesof
theframework.Theseactivitiesactasaninputforsecurityanalysisofsystem.
4.8.1.1
SpecifyOperationalenvironment
Thisactivityhelpstheteammembersinunderstandingtheoperationalcontextof
thesystem.Considerationofoperationalcontextfacilitatestheteaminestablishing
securityguidelinesandprinciples[66].
An operational worksheet is provided in Appendix A for this activity. Following
important aspects of this activity should also be looked into while performing this
activity.
Identifyrequirementsandassumptionsrelatedtoindividualhosts
Userrightsandauthorizationrelatedtosoftwaresystemisthefocusofthissub
activity [66]. Security policies defined by the organization regarding the use of
particularsoftwarearelistedhere.Moreoverrisksrelatedtotheplatformonwhich
thesoftwareisinstalledmustalsobehighlighted.Forexample:theremaybesome
componentsofOSthatposerisktotheusagepolicyofasoftware.
Inaddition,alloptionalfunctionalitiesandtheirimpactonsecuritymustalsobe
consideredinthissubactivity[66].
Identifyrequirementsandassumptionsrelatedtonetworkarchitecture
Networkresources,networktopologies,existence andconfigurationoffirewalls
are identified in this subactivity. Those things and factors which have any impact
(negativeorpositive),onsecurity,mustbetakenintoaccount[66].
4.8.1.2
Identifyglobalsecuritypolicy
Baseline security requirements act as a reference for security requirement
specifiers. Organizations security policies and basic security services are defined in
ordertohaveclearunderstandingofinternalsecurityprocedures[66].Samplelistof
globalsecurityrequirementsispresentedinAppendixB.
Every global security requirement should be checked for its applicability in the
system. If a requirement is not relevant to the project, it should be explicitly
documented. Baseline for global security policy is created for protecting data
resources.Theseresourcesarefurtherdividedintocategoriesortechnologieswhich
provide guidance about when to apply these technologies and how to apply them
whentheyareusedinaproject.Globalsecuritypolicyisvaluablesinceitprovidesthe
concrete documentation of internal or external procedures that the documentation
teamshouldfollow.Inlargeorganizationsitisusefultohaveasetofbaselinesecurity
requirements for different projects which ease the job for requirement specifier in
long term and provides a path to compare the security posture of different
applicationinorganization.
Foreachsecuritypolicyfollowingthreechecksmustbeperformed[66].
Is the global requirement already addressed by one or more other system
requirements?
Iftheglobalrequirementcontradictsanyexplicitorimplicitrequirementfor
project.
The global requirement does not contradict any requirement but has not
beenaddressedyet.
39
4.8.1.3
Identifyresourcesandtrustboundaries
This activity provides a structured foundation for understanding the security
requirements of a system [66]. This activity includes following important sub
activities.
Identifynetworkleveldesign
Describe network architecture of the system and identify any components that
are located on different logical platform such as client software, middleware and
databases.Amiddlewareandadatabase,whichbothcanpossiblyliveonaseparate
machine,shouldbeidentifiedaslogicallyseparate.
After describing network components and architecture, trust boundaries are
identified e.g. firewall and Individual hosts. For example, Client machines on the
outside are less trustworthy whereas many multiuser systems can have multiple
trustboundariesinternally."Trustboundariesshouldbemappedtosystemrolesthat
canbegrantedleveloftrust[66].Inthisactivityprotectionmechanismisidentified
for resources and data links in the architecture diagram. Moreover, the diagram
shouldbeannotatedwiththesemechanisms.
IdentifyDataresources
Dataresourcesthatmaybeusedbyaprogramareidentified.Inthenextactivity,
individual capabilities related to each resource are identified e.g. identifying
individual database tables, instead of simply the database as a whole. Outcome of
this activity should be documented separately to facilitate security analysis. The
informationmaybeincludedintobusinessrequirements.
Sampleresourcesinclude[66]:
9 Databasesanddatabasetables
9 Configurationfiles
9 Cryptographickeystores
9 ACLs(AccesscontrolLists)
9 Registrykeys
9 Webpages(staticanddynamic)
9 Auditlogs
9 Networksockets/networkmedia
9 IPC (Inter Process Communication), Services, and RPC (Remote procedure
call)resources
9 Anyotherfilesanddirectories
9 Anyothermemoryresource
"Networkmediaisaresourceofitsown[66].Weneedtospecifyhowtoprotect
that datawhenittraversesthemedia.All thecomponents connected tothemedia
arealsoconsideredsuchasdisksandmemories.
4.8.1.4
Identifyuserrolesandresourcecapabilities
Purpose of this activity is to identify system roles and capabilities/resources a
particularrolecanaccess.Thewordcapabilityheremeansthethingsuser(s)maybe
abletodo.Followingmainsubactivitiesareinvolvedinthisactivity.
Identifydistinctcapabilities
Capabilitiesareinterestingoperationsonresourcesthatshouldbemediatedvia
an authorization/access control mechanism. Capabilities are set of operations that
are applied on resources. Capabilities are defined so that system users can have
proper understanding of the system and can perform these operations. To perform
40
4.8.1.5
Identifyindepthuserroles,securecapabilitiesandsecurityconstraintsforeach
actor
Eachusersabilitiestointeractwiththesystemandresourcesausercanaccess
are identified. Secure capabilities are separated from insecure capabilities and
explicitly mentioned. Security constraints on each actor with their impact are
identified.Securityconstraintsarealsocheckedfortheirsuccessfulimplementation.
4.8.1.6
Identifyattacksurface
Identify all the entry points to facilitate the analysis. Define all the components
attacker can interact with. Define mechanism through which any one can interact
withthesystemregardlessofhis/herroleinthesystem.Documentallthefollowing
[66]
networkportsopened,
placeswherethefilesystemistouched
anylocalUserInterfaceelements,
anyinterproceduralcommunicationpoints
Any public methods that can be called externally while the program is
running
After identifying entry points, map roles to entry points. Next step is to map
resourcestotheentrypoints.Inmappingrolesallrolesthatcanpossiblyaccessentry
pointsareidentified.Afterthatdocumenttheresourcesthatareaccessiblefromthat
entrypoint.
41
4.8.1.7
Researchandassesssecurityposture
Generally, it is very hard to get technology assessment from vendors because
theyarerarelycooperativeinthisregard.Still,youneedtoknowtheriskassociated
with the software components you are using in your system. Selfassessment sheet
basedoninteractionwiththevendor,whichcanbefilledinbyyouorthevendoris
includedinAppendixA.Worksheetisfilledbyconductingstructuredinterviewswith
vendors.
Worksheetshouldbeabletoanswerfollowingpointsinthisactivity[66].
At a high level, what are the trust boundaries, resources, and roles in the
system?
Hasanindependentassessmentbeenperformedbyarespectedthirdparty?
Andifso,whatbusinessrisksdiditidentify,andwhathaschangedsincethe
assessment?
Whatarethesecurityqualificationsofthedevelopmentteam?
Whatarethemajorareasofriskintheproduct?
What were the security requirements that were used for development
(implicitandexplicit)?
Inadditiontoabovementionedpoints,youmustcollectdatafromcustomersand
user reviews. If possible perform security testing on the component. Above
mentionedstepswillhelpyouindecidingwhethertoproceedwiththetechnologyor
not.
4.8.1.8
Detailmisusecase
MisusecasestechniqueissimilartousecaseexcepttheaimwhereMisusecaseis
meanttodetailcommonattemptedabusesofthesystem[66].DeterminingMisuse
caseisabrainstormingactivityandtherearethreegoodpointsforstructuredbrain
storming[66]i.e.
Thepersonperformingtheactivityshoulddescribehowtheattackerwilltake
advantage of a problem using preexisting knowledge of common security
problems.
The person, performing the activity shall construct misuse cases for each
systemresourcebybrainstormingforeachofthebasicsecurityservicese.g.
authentication,confidentiality,accesscontrol,integrity,andavailability.
Theperson,performingtheactivityshallcreatemisusecasesonthebasisofa
set of existing use cases to ensure that the first two steps did not overlook
anyobviousthreats.
Misuse cases should be described visually and should be documented. Defense
mechanism is identified for every Misuse case. Results are then reviewed with the
stakeholders.
AMisusecaseiscreatedusingfollowingsteps
ConcentrateonnormalactorsandusecasesbypreliminaryIdentificationof
weakpointsinUsecases
Introduce major Misuse Cases to express the intentions of misactors who
intendtoharmthesystem
InvestigatePotentialRelationbetweenMisusecasesandUsecasestoidentify
the nature of threat. Many threats to a system can be achieved through
exploitingnormalfunctionalitye.g.DenialofService
42
TohaveaquickunderstandingofMisuseCasesactivities,pleaserefertoTable13.
MisuseCasestemplatewhichisnecessaryforthisactivityisincludedinAppendixJ
4.8.1.9
Documentsecurityrelevantrequirements
All the business level and functionality related security requirements are
documented in this activity. All the requirements must have following basic
properties
Specific: There must be are no ambiguities in the requirement. Consistent
terminologiesshouldbeusedbetweenrequirements.
Measurable:Itshouldbepossibletodeterminewhethertherequirementhas
beenmet,throughtesting.
Reasonable: One should conduct some validation to determine whether
meeting the requirement is physically possible keeping in mind the project
constraints.
Traceable: Requirements should also be isolated to make them easy to
track/validatethroughoutthedevelopmentlifecycle.
Documentexplicitbusinessrequirements
Issues must be communicated to customers earlier in order to avoid problems
after deployment as customers are not always aware of the security problems.
[66,88]:
Recommendedauthenticationsolutions
PersonaldatamustbekeptPrivate(PrivacyConcerns).
RecommendedConfidentialitysolutionsfornetworktraffic.
Confidentialitysolutionsforlongtermstorageofkeydata.
Developfunctionalsecurityrequirements
Specifyprotectionrequirementsrelatedtothebasicsecurityserviceslike
Authorization(accesscontrol):Whatprivilegesondatashouldbegrantedto
thevariousrolesatvarioustimesandwhatmeasureshallbetakentoenforce
thepolicy[66,88].
Consider operating environment resources which need to be protected
suchasadministrativeprivilegesonahostmachine[66,88].
Authenticationandintegrity:HowIdentitydeterminedtogainofaccesstoa
resource? Is, the resource strongly bound to an identity? For example do
individual messages need to have their origin identified, or can data be
anonymousoncommunicationchannels[66]?
Confidentiality (including privacy): Confidentiality mechanisms such as
encryptionareusedtoenforceauthorization.Whenaresourceisexposedtoa
user,whatexactlyisexposed:theactualresourceorsometransformation?
[66]
Availability:Requirementsshouldtakeintoaccounthowavailablearesource
shouldbeforauthorizedusers[66,88].
Accountability(Includingnonrepudiation):Logfilesneedtobespecifiedand
protected.[66,88].
Explicitlylabelrequirementsthatdenotedependencies
43
Determineriskmitigations(compensatingcontrols)foreachresource
Businesslevelresourcesareidentifiedthatneedtobeprotectedi.e.,whatare
theriskstoindividualresourcesandhowtherisksneedtobeaddressed[66,88].
Resolvedeficienciesandconflictsbetweenrequirementsets
Inordertodetermineomissionsandconflicts,setofrequirementsaremappedto
othersetsofrequirements[66,88].
4.8.1.10 Performsecurityanalysisofsystemrequirementsanddesign.
Inordertoperformsecurityanalysisofasystem,followingoutputsfromprevious
activitiesareneededasaninputforthisactivity
Aspecificationoftheoperationalenvironment;
Ahighlevelarchitecturaldiagramindicatingtrustboundaries;
Aspecificationofresourcesandcapabilitiesonthoseresources;thismay
beincorporatedintotherequirements;
A specification of system users and a mapping of users to resource
capabilities;thisalsomaybeincorporatedintotherequirements;
Anattacksurfacespecification,towhateverdegreeelaborated;
Dataflowdiagrams,ifavailable;
Anattackerprofile(again,thismaybepartoftherequirements);and
Misusecases,ifany.[66]
Securityanalysisconsistsofsetofsubactivitiesi.e.
Developanunderstandingofthesystem
Todevelopanunderstandingofthesystembeforesecurityanalysisisimportant.
Documentationshallbereviewedforexistinghighlevelsystem.Itisgenerallybestto
haveaprojectoverviewfromacustomercentricperspectiveontheproject.
DetermineandValidatesecurityrelevantassumptions
Any assumptions that are made about the attacker and environment in which
system is deployed should be validated and then incorporated into project
documentation[66,88].
ReviewNonsecuritysecurityrequirements
Findoutanysecurityimplicationsthatarenotproperlyaddressedinthesecurity
requirements. Also look into requirements that are not explicitly aimed at security.
Throughdataflowdiagramwecanassesstheimpactoneachsecurityservicewhile
tracingresourcesthatarerelevanttoarequirement[66,88].
AssesscompletenessofSecurityrequirements
For each resource and capability, security services must be addressed with
securityrequirements.Thisisdonethroughacorrelationmatrix,whererequirements
areononeaxisandsecurityservicesoncapabilities(orresources)areonanotheraxis
[66].Appropriateboxesforeachsecurityrequirement,whererequirementshavean
impact, are marked in the matrix. This matrix assesses the completeness of
requirements,i.e.ifthesecurityserviceisadequatelyaddressed.
44
IdentifyThreatsonAssets/Capabilities
All potential security threats should be identified and documented for each
securityserviceoneachcapabilitybyiteratingthroughassetsandcapabilities[66,88].
Determinelevelofrisks
Decisionmakingprocessofanattackercanbemodeledusingthreattrees.Look
particularly for ways that multiple conditions can be used together to create
additionalthreats[66].
Determineriskmitigationsforeachresource
Mitigation steps for each threat indentified in the previous activity should be
explicitly mentioned along with any possibility of reproducibility of the particular
threat.
Evaluatefindings
Security auditor should report any security risks that may not have been
adequately addressed in the requirements. Auditor should recommend a preferred
strategy for implementing risk mitigation and should discuss any alternatives that
could be considered. If any conflicts or omissions are brought to light during
requirement review, security auditor should make recommendations that are
consistentwithprojectrequirements.
4.8.1.11 Updatesecurityrequirementsdocument
Based on the evaluation of findings of Security analysis phase, security
requirementdocumentisupdated.Allrequirementsmustbementionedwithallthe
traceabilityinformation.
4.8.1.12 Identifyresources,entrypoints,functionalities,assets,servicesandactorsforthe
system
All
resources,
entrypoints,
functionalities,
assets,
capabilities,
resources,
servicesand
actors
shallbeexplicitlydocumented
4.8.1.13 Supposeallthethreatsmentionedinthecategorizationaretrueforallresources,
entrypoints,functionalities,assets,servicesandactorsforthesystem
Allthreatsmentionedinsecurityrequirementscategorization(seeAppendixC)
shouldbesupposedtrueforeverypointinthelistmentionedinlastactivity.
4.8.1.14 Validatethreatsforeachresource,entrypoint,functionality,asset,serviceand
actorsforthesystem
For each resource, entry point etc. threats which were supposed true are now
validated. For example, threat that is not applicable to a particular resource is
omittedforthatparticularresource.EachthreatshallbeconsideredasaMisusecase
anddocumentedbyfillingMisusecasetemplateforeachthreatseparately.
Above mentioned step is performed in iteration until all the threats are
adequately validated. Threats that are not omitted in the process will be the valid
threatstothesystem.
45
4.8.1.15 Updatethedocument
Securityrequirementsformitigationofeverythreat/Misusecaseinprevious
activitymustbedocumentedwithtraceabilityinformation.
46
EXPERIMENT
WehavefollowedWohlinet.al[91]guidelineforexperiment.InthisSection,we
haveexplainedthedetaildescriptionofexperimentperformedforthisresearch.We
haveexplainedExperimentdefinition,plan,Designandexecutionofourexperiment.
Thisexperimentisperformedtomeasuretheapplicabilityofourframeworks.We
intend to suggest improvements in the framework on the basis of feedback and
resultsfromtheexperiment.
5.1
Experimentdefinition
5.1.1
Objective
5.1.2
Context
Thisexperimentwascompletedintwodaysandinvolvedsixstudentswhowere
divided in three groups i.e. two members per group. All six students were software
engineeringstudentswhohavestudiedrequirementengineeringcourseandhaveat
leasttwoyearsofindustrialexperience.Allsixstudentsweresupposedtoconducta
setofactivitiesinaspecificamountoftime.Theseactivitieswereselectedfromthe
activitiesofourframework,CLASPandMisusecasetechnique.Aftertheexperiment,
allthesixstudentswereaskedtofillafeedbackform(seeAppendixI).
WeconductedtheexperimentwithCLASP(aformaltechnique),MisuseCases(an
informal technique) and Framework. We did not Include Secure TROPOS in the
experimentduetothreemainreasons.
1. Purpose of the experiment was to compare the proposed Framework with a
formalandanInformaltechnique.CLASPbeingaformaltechniqueandMisuse
Casesbeinganinformaltechnique,fulfillthepurposeoftheexperiment.
2. Secure TROPOS, as mentioned earlier, has sequential activities which are
strictlyconnectedtoeachother.
3. In addition, many activities of Secure TROPOS focus on phases other than
requirement gathering of software development life cycle whereas our focus
wasonlyonrequirementelicitation.
ThereforewedidnotincludeSecureTROPOSintheExperiment.
Limitedavailabilityofstudents(subjects)compelledustoselectasmallsystem.
Wesenttwodocumentsi.e.SystemsdetaildescriptionandActivitiesdescriptionto
subjectsviaemailtwodaysbeforeconductingtheexperiment.Purposetosendthe
document was to give brief overview of activities and software system before
experiment. Later we had discussions with our subjects via video conferencing in
ordertoclarifythedoubtsandquestionsregardingsystemandactivities.
Keeping in mind the lack of practice of students (subjects) to perform the
activities, we conducted one hour pilot exercise before conducting the experiment.
Eachactivitywasassignedaspecificamountoftime.
On first day of experiment i.e. 2012March29, the students were randomly
divided in groups of two to perform the activities. It took total 6 hours to perform
firstpartoftheexperiment.
47
5.1.3
SampleSpace
OursamplespaceconsistsofsoftwareengineeringstudentsinBTH.
5.2
Experimentplanning
5.2.1
Purpose
5.2.2
Qualityfocus
5.2.3
Perspective
Thisstudyisbeneficialforsmallandmediumsizesoftwareorganizations.
Softwarecompaniescanbenefitfromtheresultofthisstudy.Attackersperspective
towardssoftwareprovidesdetailunderstandingofvulnerabilitiesinsoftware.
Developingsecuresoftwarecanimprovebusinessreputationandpublicconfidence
insoftware.
5.2.4
Contextselection
5.2.5
Hypothesisformulation
NULLHYPOTHESIS(H0):Formalapproachesdonotproducebetterresultswhen
integratedwithinformalapproachi.e.Misusecases.
ALTERNATIVEHYPOTHESIS(H1):Formalapproachesproducebetterresultswhen
integratedwithinformalapproachi.e.Misusecases.
NULL HYPOTHESIS (H0): The proposed framework is not better than other
securityrequirementelicitationtechniques.
ALTERNATIVE HYPOTHSIS (H1): Proposed framework is significantly better than
theotherrequirementelicitationtechniques.
5.2.6
Variableselection
Independentvariablesinthisexperimentareasfollowing:
FrameworkActivities
FrameworkActivitiesGuidelines.
SoftwareSystem
Misusecasetemplate
Misusecaseguidelines.
ClaspActivities
ClaspGuidelines
DependentVariablesinthisexperimentareasfollowing:
Resources
Trustboundaries
48
UserrolesandResourcecapabilities
SecurityConstraintofeachactor
AttackSurface
Detailmisusecase
SecurityRequirements
SecurityAnalysis
As shown above; independent variables are the inputs to experiment where as
dependentvariablesaretheoutputofexperiment.Asexperimentisconductedin
a controlled environment, dependent variables vary according to inputs of
experiment(Independentvariables).
5.2.7
Subjectselection
5.3
Experimentdesign
5.3.1
Designprinciple
5.3.2
Designtype
Designtypeofourexperimentisonefactorwiththreetreatments.
Table26:Experimentdesigntype
SUBJECT
2
2
2
TREATMENT1
X
TREATMENT2
TREATMENT3
X
X
AccordingtoourExperiment,Treatment1isFrameworkactivities,Treatment2is
CLASPactivitiesandTreatment3isMisusecaseactivities.FactorfortheExperiment
isSecurityRequirements.
49
5.3.3
Instrumentation
Inourexperimentwehaveusedobjects,guidelinesasinstrumenttomonitorand
guideinvolvedparticipants.
Objectwere
Documentation of software system on which activities were to be
performed
Misusecasestemplate.
Guidelineswerehowtoperformactivitiesinallocatedtime.
Descriptionofeachactivityofframework,CLASPandMisusecase
Attheendofexperimentaskedthemtofillaquestionnaire.
InstrumentsusedinourExperimentwere:
StudentsfromBTH
Libraryrooms
Documentsofsoftwaresystem
Misusecasetemplate
Guidelinesofeachactivities
Questionnaire
Trainings
Measurement
NumberofSecurityRequirements
5.3.4
Validityevaluation
Beforeperformingtheexperimentweconductedpilotstudywithtwostudentsto
haveabasicideaabouttimetoconducttheexperimentandfeasibilityoftechniques.
During the pilot study, we observed that the participants must have time to
understand the tasks and ask questions. Moreover; minimum time to conduct the
experimentwithasmallsystemis11hours.Wedesignedourexperimentonthebasis
ofobservationsduringpilotstudies.
Beforeexecutingtheexperimentthereweretwothings,wehadtotakecareof
twothingsi.e.
1. Inourexperiment,frameworkactivitiestakemoretimeascomparedtoother
techniques. One could argue that since framework is taking more time, so
onecanelicitmorerequirementsfromframework.
2. Wearedealingwithhumanbeingswhohavevaryinglevelofcompetencies.
Sowhatistheguaranteethatpeopleworkingwithframework,CLASP,Misuse
Casehavethesamelevelofcompetencytoworkwithrequirements?There
maybeapossibilitythatpeopleworkingwithCLASPhavelessunderstanding
than people working with framework. Therefore we are going to get more
outputfromactivitiesofframework.
In order to ensure transparency and justice with all the three methods i.e. Our
Framework,CLASPandMisusecase,wetooktwostepsi.e.
1. Assignsameamountoftimetothetechniquesi.e.Weassignedthesame
amountoftotaltimetoallthethreemethods.Itisbecausebylooking15
activities of framework, one can easily tell that it requires more time
whereasCLASPwith10andMisusecasewiththreeactivitieswouldtake
far less time. Since we are concerned with the number of security
requirements and not time so we assign equal amount of time to
Framework, CLASP and Misuse case. Each group using one of these
methods has equal amount of time to elicit security requirements (See
Table30andTable31).
50
2. Combine input from Team1 and Team2 and provide it to Team2 for
securityanalysisusingCLASPtechnique(explainedinnextsection).
5.4
Experimentoperation
Total subjects on first day of our experiment are six people which are assigned
Treatments.
On the first day, experiment was conducted in university (BTH) group rooms
H2016, H206C and H206D on 2012 March 29th. Two person i.e. each group was
assignedaseparategrouproom.Weprovidedthemdescriptionofasoftwaresystem
and activities. One group performed activities of framework and the other groups
performed activities related to CLASP and Misuse case. All the groups were given a
totaltimeof5hoursand15minutestoperformtheactivities.
Group performing framework activities were supposed to perform 6 activities.
For first 2 hours they performed 4 activities. Duration of first four activities was 30
minutes each. After the lunch break they were suppose to perform remaining two
activities.Durationoftheremainingtwoactivitieswas1hour.
GroupperformingCLASPactivities,hadtoperformfiveactivitiesandtheduration
wassameasforgroupperformingframeworkactivities.GroupwithMisusecasewas
giventhesameamountoftimealso(SeeTable30andTable31).Weprovidedthem
Misuse case template and the description of activities. There were total three
activities of Misuse case. Team1s first task was to understand the case and the
activities.BasedontheirunderstandingtheyfilledMisusecasetemplate.
On the second day of experiment, we conducted the second part of the
experimentwiththesamesixpeopleagain.TheonlydifferencewasthatTeam2and
Team3 i.e. group working with activities with CLASP and Misuse case were free to
iterate and repeat the procedure of the activities they have performed. Whereas
Team1i.e.thegroupworkingwithframeworkperformedtheremainingactivitiesof
theframework.Ontheseconddayi.e.2012March30thexperimentwasconductedin
university(BTH)grouproomsH2016,H206CandH206D.Team1,Team2andTeam3
were sat in different rooms. In order to neutralize the threat of different level of
competencyofstudents,wedecidedtogivemaximumbenefittoCLASP.
WehavealreadydiscussedthatoutputsoftheactivitiesperformedduringDay1
ofexperimentareinputforsecurityanalysisinCLASPandinframework.Sowegave
maximumadvantagetoCLASPbyprovidingoutputofactivitiesperformedbyTeam1
andTeam2,duringfirstdayoftheexperiment,forsecurityanalysisinCLASP.
The group working with framework continued with what they got after
performingtheactivitiesonDay1.
5.4.1
SoftwareSystemforExperiment
Duetolimitationsinaccesstoindustrialresources,wehadtoselectasoftware
system by using which we can conduct an experiment in a short time. For that
purpose,weconsideredmanysoftwaresystemsandchoicewasdifficult.Wedecided
toselectasystemonwhichasecuritystudyisalreadyconductedwhichwillalsohelp
us in comparing our results with the results from the study. We considered an
examplefrom[66]i.e.
5.4.1.1
5.4.1.1.1
MonolithicMainframe
Glossary
51
CICS:CustomerInformationControlSystemAtransactionserverwhichrunson
IBMmainframeunderz/OS.
z/OS:64bitoperatingsystemformainframeproducedbyIBM.
RAFC:ResourceAccessControlfacility:AnIBMsoftwareproductforsystems
securitythatprovidesauditingfunctionalityandaccesscontrol.
VSAM:VirtualStorageAccessMethod:AnIBMfilesdiskstoragemethod.
3270terminals:IBMdisplaydevicesusedtocommunicatewiththemainframe.
5.4.1.1.2
SystemDescription
A leading insurance company has applications which process claims by its
customers. Application users are customer service representatives who either
createorupdateclaimsinformationbasedontelephoneconversationswiththeir
customers.AllincomingclaimsareprocessedbytheapplicationsonasingleIBM
mainframemachine.
Table27:Activityflow
Step:
Description:
TheuserperformsaninitiallogonandispromptedforuserIDandpassword.
IftheuserIDandpasswordaresuccessfullyentered,aCICSsessionwiththeIBMmainframeisinitiated
TheapplicationuserinvokesthedesiredCICStransaction.
Toobtainauthorizationtorunthetransaction,theCICSdeterminespermissionfortheinvokinguser
Theapplicationuser(i.e.,customerservicerepresentative)requestsaccountinformationforanexisting
customer
Theapplicationreadsaccountrecord(s)forthespecifiedcustomer.Intheprocessofreadingthedata,the
operatingsystemdetermineswhethertheuserispermittedtoreadtherelevantVSAMfile.
IfRACFauthorizationsallowit,therecordisreturnedtotheapplicationfromVSAM.
Thecustomerdataisreturnedtotheapplicationuserandisdisplayedonthe3270terminal
Theapplicationuserentersrequiredinformation eithercreatinganewclaimoraddingfurther
information(asinstructedbythecustomer,specificallyrelatingtotheinsuranceclaim).
10
Theapplicationupdatesaccountrecord(s)forthespecifiedcustomer.Intheprocessofupdatingthedata,
theoperatingsystemdetermineswhethertheuserispermittedtoupdatetherelevantVSAMfile.
11
IfRACFauthorizationsallowit,therecordisupdatedintheVSAMfile.
12
Theapplicationsatisfiestherequestforupdatingthecustomerclaimdataanddisplaysconfirmationofthe
updateonthe3270terminal.
AlsoseeAppendixKandAppendixLtoseeSequencediagramandUseCase
diagramofthesystem.
5.4.2
Experimentexecution
FollowingactivitieswiththesequencedescribedinTable30andTable31,were
performedbythegroupsnamedasTeam1(performingFrameworkactivities),Team2
(CLASPactivities)andTeam3(Misusecaseactivities).
DetailschedulefortwodaysofexperimentisprovidedinTable30andTable31.
Durationofexperimentduringfirstdaywas5hoursand15minutes.Activitiesduring
seconddaytook4hoursand50minutesoftime.
Table28:PlanforDay1ofExperiment
PilotExercise
QuestionandAnswers
Team1 Task
&
SpecifyOperationalEnvironment
Team2 IdentifyGlobalSecurityPolicy
Duration
50Minutes
10Minutes
20Minutes
15Minutes
PilotExercise
QuestionandAnswers
Team3 Task
MisuseCaseActivity1
MisuseCaseActivity2
Duration
50Minutes
10Minutes
20Minutes
55Minutes
52
IdentifyResourcesandTrustBoundaries
Total
LunchBreak
Identifyuserrolesandresourcecapabilities
60Minutes
155Minutes
Identifyindepthuserroles,secure
capabilitiesandsecurityconstraintsforeach
actor(OnlyperformedbyTeam1)
Identifyattacksurface
Researchandassesssecurityposture
Detailmisusecase
Documentsecurityrelevantrequirements
Total
20Minutes
MisuseCaseActivity3
20Minutes
Total
155Minutes
LunchBreak
FillMisusecase
150Minutes
Template
Total
150Minutes
20minutes
20Minutes
30Minutes
60Minutes
60minutes
150Minutes
Table29:PlanforDay2ofExperiment
Team1
Task
Perform
security
analysis
of
system
requirements
anddesign.
Update
security
requirements
document.
Total
Duration
120
Minutes
30
Minutes
150
Minutes
LunchBreak
30min
Team2
Task
Perform
security
analysis
of
system
requirements
anddesign.
Update
security
requirements
document.
Total
Duration
120
Minutes
Iterateallor
anyactivityof
CLASP
100
Minutes
Update the
document.
Fill
Questionnaire
Total
30min
Team3
Task
Iterateallthe
activitiesof
MisuseCase
Duration
160
Minutes
30Minutes
160
Minutes
LunchBreak
Total
160
Minutes
LunchBreak
Iterateallor
anyactivityof
MisuseCase
100
Minutes
70min
30min
10
Minutes
140
Minutes
10Minutes
140
Minutes
Update
the
document.
Fill
Questionnaire
Total
30min
10
Minutes
140
Minutes
ToseeOutputfromMisusecasestechniquealone,refertoAppendixG.
5.4.2.1
OutputduringeachactivityofFramework
Wehavelistedoutputoftheactivities,indocument,insuchawaythatthis
sectioncoversoutputfromallthetechniques.
53
Sincefirst10activitiesoftheframeworkaretakenfromCLASP(except5.4.2.1.5)
itisuselesstorepeattheoutputof9activitiesofCLASPinthedocument.Thereader
canassumethattheoutput5.4.2.1.1upto5.4.2.1.10issameforCLASPand
Framework.FinaloutputfromCLASPisincludedinAppendixDandAppendixE
whereasoutputofMisuseCasesismentionedinAppendixG.
Outputmentionedinsection5.4.2.1.11to5.4.2.1.15istheoutputonlyfrom
Framework.FinaloutputfromFrameworkaloneismentionedinAppendixF.
5.4.2.1.1
SpecifyOperationalEnvironment(Implementationscenario)
The IT organization of the insurance company develops its own applications in
order to gain an advantage in a highly competitive and quickly changing business
environment.TheapplicationsinquestionaredevelopedinCOBOLtorununderCICS
on a z/OS IBM mainframe machine. These customwritten applications enable the
insurance company to respond rapidly to the timecritical needs of its client. The
usersutilize3270terminalsfromwheretheylogondirectlytoCICS.
Itshouldbekeptinmindthatdataonthediscisnotencrypted.
5.4.2.1.2
IdentifyGlobalSecurityPolicy
Customersdataisvaluabletothecompanysoonlyauthorizedpeopleshouldbe
ableviewandeditcustomersdata.Securitybaselineanditsdescriptionare
mentionedinTable32.
Table30:SecurityBaseline
Authorization
Authorizationalsocalledaccesscontrol.Authorizationsaregiventouserstoaccessthesystemonthe
basisofidentityandaregenerallypolicydriven.Policiesareenforcedbyaccesscontrolmechanismto
performoperationsonresources.Policiesdependupontheindividualactionsperformedonresources.
Forexampleaccesscontroldecisionisgenerallytakenonthebasisofuserspecificpolicy.
Authentication
Authenticationisusedtoestablishidentityofcommunicationpartners,owner,creatoretcofdata.
Authenticationmustbeperformedatlogintimefornetworkconnectionsbutonemustalsoperform
ongoingauthenticationsforlifetimeofconnection.Differentcategoriesofauthenticationareasfollows:
Confidentiality
Thingswhichareknownsuchaspasswordsorpassphrases.
ThingsyouhavesuchascreditcardorRSASecureID(Authenticationtokens).
Thingsyouaresuchasfingerprints,voiceprintandretinalscans.
Purposeofconfidentialityistokeepdatasecrettoallunauthorizedparties.Datamustbekeptsecretor
encryptedinbothwayslikewhendataisbeingtransmittedonanetworkandwhenitisbeingstored,
longtermorshortterm.
Integrity
Dataintegritymeanstokeepthedataasinform asitwasintendedtobe.Forexampleinphysicallink
layerontrustedmediawhereerroroccursbutnotrelatedtosecurityerrors.
Availability
Delayofdatacancausetheavailabilityproblemorifproblemisduetomaliciouslyisknownasdenialof
serviceattack.
Accountability
Systemshouldloginformationabouttheoperationsperformedbythesystemuserinordertoreview
thisinformationwhenrequired.Systemusersmustbeaccountablefortheactionstheyperform.
Nonrepudiation
Whenthereistwopartycommunications,eithersidescanprovetothemselveswhetherdatacomes
fromauthenticsource.Problemoccurswhenthirdpartyinvolves.Forthismessagecanbeestablished
fromoriginalsendertothirdpartieswhichiscallednonrepudiatable.
5.4.2.1.3
Identifyresourcesandtrustboundaries
TrustBoundaries
Useri.e.customerservicerepresentativeconnectstoseverthrough3270
terminalbyenteringvalididandpassword.
54
User can view customers information only if the user has authority to
viewcustomersinformation.RACFperformsauthorizationcheckbefore
lettingtheuserviewtheinformation.
Usercanupdatecustomersinformationonlyiftheuserhasauthorityto
update customers information. RACF performs authorization check
beforelettingtheuserupdatetheinformation.
Authorization is called access control and Authentication is used to
establish identity of communication partners. Both authorization and
authenticationchecksareperformedbyRACF.
Thereisnoremoteaccesstoserver.Allusersaccesstheserverthrough
3270terminalswithinsystemboundary.
Identifynetworkleveldesign
Figure7:ComponentArchitectureDiagram
Table31:ComponentArchitecture
55
Component
User
DescriptionofComponent
TheapplicationusersarecustomerservicerepresentativesoftheinsurancecompanywhologontoCICS
runningunderz/OSonasingleIBMmainframe.Theusersarelocatedwithinafacilityoftheorganization
i.e.,noremoteaccessisrequired.
Thisisacustomapplicationdevelopedwithintheorganization i.e.,itisnotapackageapplication.
TheapplicationdatainquestionislocatedinVSAMfileclusteronthesingleIBMmainframemachine.
Theelementsofthesecuritysystemare:
RACFsignonsecurity;
RACFauthorizationtoexecuteCICStransactions;
RACFauthorizationtoread/updateVSAMfilesdata.
Application
Data
Security
System
IdentifyDataresources
Systemsresourcesalongwiththecapabilitiesarementionedinthetablebelow
(seeTable34).Capabilitiesaretheresourcesaresourcesoranactorcanaccess
Table32:Systemresourcesandcapabilities
Resource
Name
CICS
Description
Capabilities
CustomerInformationControlSystem Atransaction
serverwhichrunsonIBMmainframeunderz/OS.
Canaccessandperformoperationon
databaseusingVSAM.Communicates
withRACFthroughz/OS.
Controlsinterprocesscommunication
onMainframei.e.betweenCICSand
RACF.
PerformsAuthenticationandAccess
Controlchecks.Keepslogoftheactivities
performed.
Establishesamechanismtoaccessdata
base.
N/A
z/OS
64bitoperatingsystemformainframeproducedbyIBM.
RAFC
ResourceAccessControlfacility:AnIBMsoftwareproduct
forsystemssecuritythatprovidesauditingfunctionality
andaccesscontrol.
VirtualStorageAccessMethod:AnIBMfilesdiskstorage
method.
IBMdisplaydevicesusedtocommunicatewiththe
mainframe.
Customerservicerepresentative.
VSAM
3270
terminal
User
Network
Medium
Customer
LANi.e.Allstations(3270terminal)areconnectedby
cable(orwireless)toacentralpoint,suchashubora
switchwhichisthenconnectedtoaMainframe
computer.
Apersonwhointeractswiththecustomerservice
representativeoverthephone.
AccessesDatabaseandperforms
operationsondatabasethroughCICS,
using3270terminals.
Actsasamediumcommunication
mediumbetween3270terminaland
Mainframesever.
Theycanrequestcreation,searchand
update,butthistaskishandledby
customerservicerepresentative.
5.4.2.1.4
Identifyuserrolesandresourcecapabilities
Itshouldbenotedthatallcommunicationbetween3270terminaland
mainframe,involvesLocalAreaNetwork.
User(Customerservicerepresentative)
Resources:3270terminals
Table33:User'scapabilities
CAPABILITIES
LOGIN
VALIDATEUSER
READCUSTOMERDATA
UPDATECUSTOMERDATA
RESOURCESINVOLVED
AUTHENTICATEDBYRACF
AUTHENTICATEDBYAPPLICATIONANDRACF
RACF+VSAM
RACF+VSAM
Application(Transactionsystem)
Resources:CICS
Table34:Application'scapabilities
CAPABILITIES
ACCESSCUSTOMERDATA
AUTHENTICATEREQUEST
UPDATECUSTOMERDATA
RESOURCESINVOLVED
RACF
RACF
RACF+VSAM
56
RETURNPROCESSEDDATATO3270
TERMINAL
3270TERMINAL
Accesscontrolmethod(VSAM)
Table35:Accessmethodcapabilities
CAPABILITIES
INITIATEDBYCICS
RESOURCESINVOLVED
RACF,Z/OS,CICS
AttackersProfile
Attackerisaninsiderwhohasphysicalaccesstoterminal3270andMainframe.
Thisinsidermaybeacustomerservicerepresentativeorapersonwhohasaphysical
accesstotheinfrastructure.
Mostprobably,theattackerwillusebruteforcetechniquetoenterthesystemor
trytoexploitabadprogrammingpracticesuchasstack/bufferoverflowattack.
5.4.2.1.5
Identifyindepthuserroles,securecapabilitiesandsecurityconstraintsforeach
actor
Mainroleinthesystemisoftheuseri.e.Customerservicerepresentative.Inan
idealcondition,auserischeckedatthreepointsinthesystemi.e.
1. Atthetimeoflogini.e.Authentication/identitycheck
2. Attempttoviewcustomersdatai.e.Authorizationcheck
3. Attempttoupdatecustomersdatai.e.Authorizationcheck
Abovementionedarethesecurityconstraintsontheuser.
Userssecurecapabilitiesare
Login,
Accesscustomersdata,
Updatecustomersdata
Customerservicerepresentativehaveaccessto3270terminal
Usersinsecurecapabilitiesare
Loginwithoutauthentication
BypassCICS,
BypassRACFandaccessVSAM,
BypassRACFandaccessCICS,
PerformoperationonVSAMwithoutauthenticationandauthorization
5.4.2.1.6
Identifyattacksurface
Mainentrypointsforanattackare3270terminalandphysicalports.
AnybodywhohasphysicalaccesstoMainframecancopydatadirectlyfrom
MainframesincedatastoredinMainframeisnotencrypted.
IfRACFissomehowbypassed,itwillbeeasytoperformoperationonthe
datausingVSAM.Entrypointinthiscasewillbe3270terminal.
Insecurepublicmethodswhichcanbemanipulatedfrom3270terminalscan
poseathreattothesystem.
DisablinginterprocesscommunicationbetweenCICSandRACFmayputthe
systemindanger.
5.4.2.1.7
Researchandassesssecurityposture
57
CertaintechnologieslikeRACF,CICS,VSAMetc.areusedinthesystem.Issues
relatedtothesetechnologiesaregatheredfromonlinereviewsofpeoplewhohave
beenworkingwiththesetechnologies.Issueswiththesetechnologiesaredefinedin
ISSUESColumn.
Table36:Technologiesandproblems
COMPONENTS
RACF
Z/OS
VSAMDiskStorage
CICS
ISSUES
ThestandardRACFproductincludesutilitiesandcommandstohandleMostofthesituations
whichsecurityadministrators,auditors,andtechnicalstaffarelikelytoencounter.However,
someofthesefacilitiesaredifficulttouseortaketoolongtoconsiderusingthemonadaily
basis.Asaresultofthissomeinstallationshavebeenforcedtodeveloptheirownprocedures
fordealingwiththesesituationsandothershavebeenunabletoaffordtheresourcestodeal
withthemonaregularbasis.
ConfigurationIssues.
Neitherz/OSnortheMVSfamilyofoperatingsystemsprovidessecurityaspartoftheoperating
system.TheyrelyonExternalSecurityManagers(ESMs)toprovidesecurity.Whenthe
operatingsystemreceivesarequest,thatrequestisdivertedbytheSecurityAuthorization
Facility(SAF)withinz/OStoanESM.SAFdirectscontroltoeitherorboth:
AnESMsuchasRACForACF2.
Anorganizationsuppliedprocessingroutine.
Unmanageddiskstoragecanresultinsystemoutages.
Costofmanagingstorageis4to10timestheinitialcostofstorageacquisition.
CICShasstoppedrunning.TherearethreemainreasonswhyCICSmightunexpectedlystop
running:
TherecouldbeCICSsystemerrors.
CICScouldbeinawaitstate.Inotherwords,itcouldhavestalled.
Aprogramcouldbeinatightloop.
CICSisrunningslowly.Mainreasonsare:
Systemislightlyloaded;apoorlydesignedtransactioncouldbethecause.
5.4.2.1.8
DetailMisuseCase
ToseeOutputfromMisusecasestechniquealone,refertoAppendixG.
Table37:MisuseCase
Field
Name
Summary
Date
Author
BasicPath
AlternativePath
CapturePoint
ExtensionPoint
Triggers
Preconditions
Assumptions
Postconditions
WorstCaseThreat
Preventionguarantee
Detectionguarantee
RelatedBusinessRule
PotentialMisuserProfile
Stakeholders
Scope
AbstractionLevel
Technology and Data
Variations
Goal
Dependencies
SecurityConstraints
Description
Logininwithoutvalidcredentials
Bypassingsecurityprotocols
120329
Farukh&waqas
3270terminaluser.sendrequesttoCICS.
DirectaccesstoCICSwithout3270terminals.
RACF
Directaccess
DeactivatedRACF
DeactivatedRACF
RACFnotworking,notauthenticatingtherequest.
AccesstoVSAM
Dataintegrityimplications
RACF
CICS
Preventunauthorizedaccess
Accessotherthancustomerrepresentation
Analysts
Plannedcomputerizedinfosystem
Subfunction
LAN
Field
Description
Validation
Analyststocustomerrepresentation
AccessGrant.
Table38:MisuseCase
58
Name
Summary
Date
Author
BasicPath
AlternativePath
CapturePoint
ExtensionPoint
Triggers
Preconditions
Assumptions
Postconditions
WorstCaseThreat
Preventionguarantee
Detectionguarantee
RelatedBusinessRule
PotentialMisuserProfile
Stakeholders
Scope
AbstractionLevel
Technology and Data
Variations
Goal
Dependencies
SecurityConstraints
5.4.2.1.9
CSRUpdate
CSRhasnegativeintentionstoupdatecustomerdata.
120329
Pezhman&Hassan
CSRlogsintothesystemandtampersthedata.
Logintothesysteminanunauthorized way.
Datalogs.
N/A
CSRhasnegativeintentionsandhaveaccesstothesystem
CSRisloggedin
N/A
CSRupdatedcustomerrecordwrongly.
Customerdatacorruption.
Gettoknowpeoplewithnegativeintentionsintheorganization
Datastatisticalanalysis
Dataintegrity
Insider.
Customer,Organization
Data
N/A
Bufferoverflow,SQLinjection
KeepCustomerpersonalinformationsafe
CSRandcustomer
Authorizedlogintosystem
Documentsecurityrelevantrequirements
SeeAppendix(D)
5.4.2.1.10 Performsecurityanalysisofsystemrequirementsanddesign
DevelopanUnderstandingOfTheSystem.
Systemwascompletelyunderstoodthroughdocumentationandoutputsof
previousactivities.
DetermineandValidateSecurityRelevantAssumptions:
BusinessEnvironment:
Thereisnoremoteaccess.
Attacker:
Attackersareoftwotypes:
Itcanbecustomerservicerepresentative.
Someonewhohasphysicalaccesstothesystemoritscomponents.
ReviewNonSecurityrequirements:
Systemhasnotaddressed:
Dataintegrity
Availability
Confidentiality
Nonrepudiation
AssessCompletenessOfSecurityRequirements:
Table39:CorrelationMatrix
Security
requirement
ID
1
2
3
4
5
Authorization
Authentication
Confidentiality
Integrity
Availability
X
X
Accountability
Non
repudiation
59
Other
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
TOTAL
X
X
X
X
X
X
X
X
X
4
IdentifyThreatsOnAssets/Capabilities.
Table40:ThreatsonAssets
ASSETS
CICS
Z/OS
RACF
VSAM
3270TERMINAL
NETWORK
THREATS
WithoutauthenticationcancreateCICsession.
Denialofservice(CICSsession)
DonotallowcommunicationbetweenRACFandZ/OS.
Operatingsystemcanbeoutofservice.
OutofService
Allowunauthorizeduserandnotallowauthorizedusers
DiskStoragecanbecorrupted.AsthereisnotbackupDBfiledatacanbelost.
Outofservice.
MisusedbyCSR.
Usedbyunauthorizeduser.
Asthereisnodataencryption,datacanbemodifiedorreadduringdatatransmission.
Table41:ThreatsonCapabilities
CAPABILITES
Login
ValidateUser
Read/Customerdata/Update.
Readprocessdatato3270terminal
THREATS
Attemptsfromunauthorizedperson
Outofservice
Outputofthefunctionalityismodified.
Donotallowtoread/updatecustomerdata.
Writecustomerdatawithoutauthentication
Donotallowtoreturnprocessdatato3270terminal.
DetermineLevelOfRisks
60
Figure8:ThreatTree
DetermineRiskMitigationsForEachResource.
Risksmitigation:
UsercanonlyinitiateCICsessionafterauthenticloginfrom3270terminal.
Protecttransactionserver(Theremustbelimitedaccess).
Limitthemaximumnumberoffilesorprocessesthatauserisallowed.
VSAMfilemustbestoredasEncryptedform.
Alldatacommunicationsthroughnetworkmustbeencrypted.
EvaluateFindings:
Allthefindingsareevaluatedanddocumentedassecurityrequirementsinthenextactivity.
5.4.2.1.11 UpdateSecurityRequirementsDocument:
SeeAppendix(E)
5.4.2.1.12 IdentifyResources,EntryPoints,Functionalities,Assets,Capabilities,Resources,
ServicesAndActors.
61
Table42:System'sresources/assets
RESOURCES
CICS
FUNCTIONALITIES
Authentication
Z/OS
RACF
ExecutionApplication
Authorization
VSAM
Dataupdate/Read
3270TERMINAL
NETWORK
Searchclaims
CreateNewClaim
ASSETS
CustomerData
CAPABILITIES
Login.
ValidateUser.
Read/Customer
data/Update.
Readprocessdatato
3270terminal.
ACTORS
CustomerService
Representative.
Customer.
5.4.2.1.13 SupposeAllTheThreatsMentionedInTheCategorizationAreTrueForAll
Resources,EntryPoints,Functionalities,Assets,ServicesAndActorsForThe
System.
Aswehavediscussedearlierthatweareusingsecuritycategorizationfrom[11]
(SeeAppendixC).Inthisactivityallthethreatsmentioninthreatcategorization(See
AppendixC)weresupposedtobetrueforeveryentryinTable44.
5.4.2.1.14 Validatethreatsforeachresource,entrypoint,functionality,asset,serviceand
actorsforthesystem
Table45containsthenumberofthevalidthreatsfromthreatcategorization(See
AppendixC).
Table43:ValidThreats
Asset/Resource
CICS,3270TERMINAL
Login,Datastorage,CICS,RACF
CustomerDATA,Application
Network,Datastorage
Mainframe,3270terminal,Network
Application
3270Terminal,Update/Read
CustomerData,Read/Update
RACF,LogFile
3270Terminal,CICS,RACF
Mainframe,Network,3270Terminal,Data
storage
ThreatCategorizationNumber
1A,1B
1C
2
3A
3B,3C
3D
4
5A, 5B,5C,5D
6
7A
8
5.4.2.1.15 UpdateSecurityRequirementsDocument:
SeeAppendix(F)
62
ANALYSISANDINTERPRETATION:
Purpose of this chapter is to analyze and interpret the data obtained from
experiment. We extracted information from experiment and deleted redundancies.
We analyzed results using Vulnerability Comparison and system security baseline
[66,88].
We noticed that the participants of the experiment, especially the group using
Framework, werenot happyabouttheshorttime assignedtotheactivities. Infact,
timepressurewasreallyhelpfulbecauseinthiswaywewereabletosimulatethereal
world circumstances. The experiment, overall was a success because we simulated
the actual circumstances under which security is neglected in industry i.e. Lack of
resourcesorinexperiencedpeopleandTightscheduleforcompletingaproduct.
6.1
Datasetreduction
Bycarefullylookingattheactivitiesofthetechniques,weseethatinFramework,
securityrequirementdocumentisupdatedthrice.Whereastherewasnorestriction
for updating the document in Misuse cases and in CLASP. The security requirement
document was at least updated twice using CLASP and once using Misuse Cases.
During information extraction, we noticed that some security requirements were
repeated in CLASP and Framework. For example; a security requirement which was
alreadydocumentedwasrepeatedinsecondorthirdupdatingactivity.
We decided to delete repeated security requirements. We achieved that by
keeping the former and deleting the latter. It means if a security requirement was
written once and it was repeated in next document updating activity, we removed
thesecurityrequirementfromlatterupdatingactivity.
6.2
Descriptivestatistics
6.2.1
VulnerabilityComparison
As described earlier, Software system used during the experiment was taken
from[66].Fewvulnerabilitiesofthesystemwerealsolistedwiththedescriptionof
the system in [66]. We listed these vulnerabilities in Table 46 below. There may be
other vulnerabilities in the system example (Monolithic Framework) but we have
decidedtolistonlythosevulnerabilitieswhichwerelistedinthedocument[66]from
whichthesoftwaresystemexamplewasselected.
After removing repetitions in the security requirements for each technique, we
compared vulnerabilities covered by techniques with the already known
vulnerabilitiesofthesystem(seeTable46)toseewhichoftheknownvulnerabilities
areremovedbyeachtechnique.
It should be noted that our focus was to elicit security requirements. Therefore
we analyzed the data gathered in the context of research. Our focus was not on
findingvulnerabilitiesbutsecurityrequirements.Securityrequirementswereelicited
fortheotherthreatsfoundinTable45andthedocumentwasupdatedaccordinglyby
the group using Framework (See Appendix F). In Table 46 we have analyzed our
security requirements with respect to known vulnerabilities i.e. whether security
requirementselicitedbythethreetechniquesmitigatethevulnerabilitiesornot.
63
Table44:VulnerabilityandSecurityrequirementcomparison
ID
V1
V2
V3
V4
V5
V6
V7
V8
V9
Total
Vulnerabilities
UsingpasswordSystems
Thefailureofapasswordauthenticationmechanism
willalmostresultinattackersbeingauthorizedas
validuser.
Allowingpasswordaging.
Aspasswordage,theprobabilitythattheyare
compromisedgrows.
Note:RACFmustbecorrectlyconfiguredtoobtain
thecorrectpasswordaging
Notallowingpasswordaging.
Aspasswordage,theprobabilitythattheyare
compromisedgrows.
StoringPasswordsinarecoverableformat.
InthatcaseUserspasswordmayberevealedand
maybereusedelsewheretoimpersonatetheusersin
question.
Note:RACFmustbecorrectlyconfiguredtoobtain
thecorrectpasswordaging
Usingsinglefactorauthentication.
Ifthesecretinasinglefactorauthenticationscheme
getscompromised,fullauthenticationispossible.
Failuretoprotectstoreddatafrommodification.
Theobjectcouldbetamperedwith.
BufferOverflow.
Bufferoverflowsgenerallyleadtocrashes.Other
attacksleadingtolackofavailabilityarepossible,
includingputtingtheprogramintoaninfiniteloop.
Bufferoverflowsoftencanbeusedtoexecute
arbitrarycode,whichisusuallyoutsidethescopeofa
programsimplicitsecuritypolicy.
Whentheconsequenceisarbitrarycodeexecution,
thiscanoftenbeusedtosubvertanyothersecurity
service.
Failuretocheckwhetherprivilegesweredropped
successfully.
Ifprivilegesarenotdropped,neitherareaccess
rightsoftheuser.Oftentheserightscanbe
preventedfrombeingdropped.
Ifprivilegesarenotdropped,insomecasesthe
systemmayrecordactionsastheuserwhichisbeing
impersonatedratherthantheimpersonator.
Trustofsystemeventdata.
Ifonetruststhesystemeventinformationand
executescommandsbasedonit,onecould
potentiallytakeactionsbasedonaspoofedidentity.
MisuseCase
CLASP
FRAMEWORK
8
9
8
9
8
9
1
3
Figure9:Percentagecomparisonwithknownvulnerabilities
64
6.2.2
RequirementTypeswithRespecttoSystemssecurity
baseline
Wheneverwetalkaboutsecurity,questionwhichcomestoourmindiswhatdo
you want to secure. For that purpose we look into global security policy of the
organizationandestablishasecuritybaseline(seeTable32).
Asecuritybaselinewasestablishedfortheexamplesoftwaresystem,beforethe
experiment(seeTable32).Nowweneedtoseewhattypesecuritybaselinefeatures
are covered by each technique. We have 7 security baseline features and three
techniques i.e. Framework, CLASP and Misuse case. We got number of security
requirementsfromeachsecurityrequirementelicitationtechnique.Weneedtosee
thatwhichofthetechniquecoverswhichoftheestablishedbaselinefeaturesinan
effectivemanner.
Thegraphsbelowaresummarizedinthetablebelow
Table45:RequirementanalysiswithrespecttoSecuritybaseline
NumberofRequirements
CLASP
Framework
Security Baseline
Feature
Authorization
MisuseCase
2
Authentication
Confidentiality
DataIntegrity
Availability
Accountability
Nonrepudiation
In the graph below, Xaxis shows the three Techniques and Yaxis shows the
numberofrequirementselicitedfromtheseTechniques.AsyoucanseefromTable
45, Framework elicited more number of security requirements in terms of
authorization, authentication and confidentiality. Whereas in data integrity,
confidentiality and availability CLASP and Framework elicited same number of
requirements. In non repudiation and in accountability framework elicited one
requirementsascomparedtoothers.TherequirementswhichareelicitedbyMisuse
CasesandCLASParecoveredbyframeworkalso.Frameworkelicitedmorenumberof
requirements as compared to CLASP and Misuse cases which are mentioned in
AppendixF.Wedidnotfindanyuniquerequirementotherthanthesecuritybaseline.
65
Figure10:Authorizationrequirements
The graph below, shows the authentication Requirement elicited from Misuse
caseCLASPandFrameworkAsshowningraph(seeFigure11),norequirementwas
elicited using Misuse case. Whereas with CLASP, 5 and with Framework, 6
authenticationrequirementswereelicted.
Figure11:AuthenticationRequirements
Followinggraph(seeFigure12)showsConfidentialityRequirementelicitedusing
threesecuirtyrequirementelicitationtechniques.MisuseCaseelicited2,CLASP3and
Frameworkelicted7Confidentialityrequirements.
Figure12:ConfidentialityRequirements
66
Followinggraph(seeFigure13)shows,DataintegrityRequirementelicited using
the threetechniques.NoneofDataintegrityrequirementwaselicitedusing Misuse
case.4DataintegrityrequirementsareelicitedusingCLASPandFramework.
Figure13:DataintegrityRequirements
Graphbelow(seeFigure14)showsAvailabilityRequirementelicitedusingthree
techniques.Asshowningraph(seeFigure14),MisuseCaseelicited0,CLASP1and
Framework elicted 1 availability requirement. As shown (see Figure 14) CLASP and
FrameworkelicitedsamenumberofAvailabilityrequirements.
Figure14:AvailabilityRequirements
Follwinggraph(seeFigure15)isthecomparisonofNonrepudiationRequirement
elicitedusingthethreetechniques.Asshowningraph(seeFigure15),MisuseCase
elicited0,CLASP0andFrameworkelicted1NonrepudiationRequirement.
67
Figure15:NonRepudiationRequirement
Nextgraph(seeFigure16)showstheAccountabilityRequirementelicitedfrom
usingthreetechniques.Asshowningraph(seeFigure16),MisuseCaseelicited0,
CLASP0andFrameworkelicted1AccountabilityRequirement.
Figure16:AccountabilityRequirements
6.3
ResultsandDiscussions
Vulnerability analysis (in Section 6.2.1) shows that Framework mitigate more
numberofvulnerabilitiesthanCLASPandMisuseCase.Securityrequirementselicited
by Framework mitigated 55% whereas CLASP and Misuse case mitigated 33% and
11%ofthetotalknownvulnerabilitiesinoursoftwaresystem.
Requirement analysis with respect to security baseline shows that CLASP does
not elicit any requirement for Accountability and Availability security baseline
features.ForConfidentiality,numberofrequirementselicitedusingCLASPisfarless
thanthenumberofsecurityrequirementselicitedbyFramework.ForDataintegrity,
numberofsecurityrequirementsbyCLASPandFrameworkissame.
WecanseefromTable44andFigure17thatMisusecaseshaspoorperformance
both in vulnerability analysis and requirement analysis with respect to security
baseline. Major reason of poor performance from Misuse case is because it merely
dependsuponthecreativityofthepersoncreatingaMisusecase.
68
Figure17:RequirementAnalysisw.r.tSecurityBaseline
There is no absolute measure for creativity. Since Misuse case depends upon
creativity of the person executing the technique, we are not sure about the results
we got from Misuse case alone. We can say that the group had a low level of
creativity skills but in the end we were supposed to extract results from what we
actually got. So the result showed that Misuse case did not perform better than
CLASPandFramework.
CLASPontheotherhandhasdefinitenumberofstepsandpredefinedguidelines
whichgivesabetteropportunitytoexploitanddiscoverissues.Wesawthatusingthe
security requirement categorization [11] raised the security requirement elicitation
graphsignificantlyforFramework.
6.4
Returnofinvestmentforeachtechnique.
Thissectionisbasedupontheobservationsduringtheexperiment.Resultmayor
maynotdifferifcircumstancesarechanged.
Weconductedtheexperimentusingthreetechniquesi.e.MisuseCases(informal
technique),CLASP(formaltechnique)andFramework.Outputoftheexperimentwas
three sets of security requirements i.e. from Misuse Cases, from CLASP and from
Framework. If we initially suppose that time invested in each of the technique is
directlyproportionaltotheoutput,it wouldsimplymeanthatthemoretimespent
on a technique leads to increase in number of security requirements. We have
alreadymentionedinsection5.3.4thatweassignedsameamountoftimetoallthe
threetechniques.ResultsshowthatinsameamountoftimeFrameworkelicitsmore
securityrequirementsthanMisuseCasesandCLASP.ThereforeFrameworkhasmore
ReturnofInvestmentthanMisuseCasesandCLASP.
6.5
ValidityThreats
Conductinganexperimentwithsmallsamplespacei.e.Sixstudentsmaybea
questionmarkonourresults.Wecansupposethatwegetsameresultwith
largesamplespacebutwecannotbesureaboutit.Resultinferredisbased
upontheconditionsunderwhichweconductedtheexperiment.
69
6.5.1
Limitations
Lackofresourcestoconducttheexperimenti.e.wewerenotabletofindany
industrial contact to conduct the experiment. Our experiment required
software analysts from industry. Response from industries was not positive
becausesoftwareorganizationshavetheirownongoingprojectsthereforeit
wasnotpossibletoengagesomeonefromindustry.
If we have more time, we should choose more complex method i.e. more
stepsintheframework.Justusingmoretimewithasimplemethodwillnot
improve the number of problems found. We had to select the method
dependingonseveralissuese.g.availabletime.
We have few Data points in our experiment. Few data points may affect
generalization of results. As mentioned earlier, our results and conclusions
areinferredfromonesystemwhichwasrandomlyselected.
Ourframeworkisworkintensiveandwecanseefromtheexperimentthatits
activitiesneedtimetoexecute.Thisunaddressedissuecanbealimitationof
the study. Our motive in the study was to find more number of security
requirements than a formal or informal technique. Reducing activities of
framework would simply be at the cost of security requirements. Making a
less work intensive Framework and testing its applicability becomes out of
scopeforusinthepresentstudy.
70
6.6
AnswerstoResearchQuestions
Ourfirstresearchquestionwas:
RQ1. Do formal approaches produce better results when integrated with
informalapproachi.e.Misusecase?
H0:Formalapproachesdonotproducebetterresultswhenintegrated
withinformalapproachi.e.Misusecase.
H1: Formal approaches produce better results when integrated with
informalapproachi.e.Misusecase.
Our Framework was proposed by combining CLASP, Misuse case and Secure
TROPOS.Ourresultsshowthat,ourFrameworkproducebetterresultthanCLASPand
Misuse case. Since our Framework elicits more number of security requirements
thanaformalandanInformaltechnique,wecansaythatifwecombineformaland
Informal security requirement elicitation technique, we can yield better results. In
other words, we can say that by combining strengths of formal and informal
techniques, we can mitigate their weaknesses. For example, a formal technique is
flexible but has definite number of steps whereas on the other hand informal
techniqueslackproperstructurebuthaveflexibility.Therefore,bycombiningformal
and informal techniques we can produce better results. This proves hypothesis H1
trueforRQ1(undergivencircumstances).
Oursecondresearchquestionwas:
RQ2. What is the practicality of the proposed framework, i.e. up to what
extent and for which types of software systems the framework is
suitable?
At this point, we would like to mention again that our scope was limited to
requirement elicitation. So we are to see the practicality and workability of our
frameworkinthesaidcontext.Ofcoursewedonothavemeasurementscaleforthe
practicality and workability of our framework but the visual analysis we have from
the data we see that it works pretty well than CLASP and Misuse case. CLASP, a
widely used formal technique and Misuse case, a well known informal technique
were tested on a software system along with our framework. We saw that our
framework not only elicits more number of security requirements but cover more
vulnerabilities in the system. Moreover our framework covered all the security
baselinefeaturesofthesoftwaresystem(seeTable47).
We can answer the first part of research question RQ2 here by saying that our
framework is more workable and practical than CLASP (a formal technique) and
Misusecase(aninformaltechnique)intermsofsecurityrequirementelicitationand
invulnerabilitiesmitigation.Moreoverwegatheredfeedbackfromstudentstoknow
the usability of the framework (see Appendix I). Feedback showed that, while
performing the activities of the Framework, participants analyzed the system from
different aspects which are usually are not considered in software development.
Moreover, use of the framework improves the users knowledge about software
securityandsoftwareattackscenarios.
Unfortunately,itwasnotpossibleforustoanswerthesecondpartoftheRQ2i.e.
for which types of software systems the framework is suitable? We did not have
thetimeandresourcestoconductexperimentonmorethanonesoftwaresystemso
it pointless to argue on relationship of the framework with nature of software
71
systems.Wecannotmakecertainclaimsaboutnatureofsoftwaresystemunlessour
frameworkistestedondifferentsystems.
RQ3. On what basis and for which type of software systems, is the proposed
framework better than other widely known security requirement
elicitationtechniques?
H0: The proposed framework is not better than other security
requirementelicitationtechniques.
H1: Proposed framework is significantly better than the other
requirementelicitationtechniques.
Answer to first part of RQ3 i.e. on what basis, the framework is better than
CLASPandMisuseCase,is:
Frameworkshowsbetterperformancethanawidelyusedformalandinformal
techniqueintermsofelicitingmorenumberofsecurityrequirements.
Framework covers the security baseline requirements defined by the
organization.
Framework takes into account, those perspectives of software system which
are not touched in CLASP and Misuse Case e.g. Threats related to
Functionalities and physical integrity of hardware and software. Feedback
from participants of the experiment shows that this framework helps in
analyzingasystemfromdifferentaspectswhichareusuallynotconsideredin
softwaredevelopment(seeAppendixI).
Frameworkprovidesanoptiontoiteratethroughsomeimportantactivitiesby
whichsecurityrequirementscanberecheckedandrefined.
Framework activities breakdown the system into little details and help build
securityintheformofrequirementelicitation.
Asfarassecondpartisconcerned,wehavealreadyansweredthatinRQ2.
6.7
ConclusionandLessonLearned
Securityrequirementelicitationhelpsfocussecurityinsoftwaresystem.Wehave
mentionedbeforethatcostrelatedtofixingsecurityproblemismuchmorethanthe
cost of security requirement elicitation in earliest phase of software development.
The framework we have proposed by combining CLASP, Misuse case and Secure
TROPOS contains the strength of three security requirement elicitation techniques.
To make the framework more effective, we also included security requirement
categorization by Bogale and Ahmed [11]. Including security requirement
categorization was really useful because it helped in eliciting more security
requirements(seeAppendixF).
If we take a quick overview of the Framework, we see that the Framework is
proposed by combining CLASP, Secure TROPOS, Misuse Cases and Security
requirementcategorization.Frameworkconsistsoffifteenactivities.First10activities
are taken from CLASP and Secure TROPOS. Since Secure TROPOS follows complex
graphical notations (as mentioned earlier), we only used the basic idea behind the
activitiesfromSecureTROPOS.MostoftheactivitiesofSecureTROPOSweresimilar
inconcepttotheactivitiesinCLASP(seeTable18andTable20).Foranyoverlapping
activitybetweenCLASPandSecureTROPOS,thatwasselectedfromCLASPorSecure
TROPOS,weusedthetextualdescriptionoftheactivityfromCLASPtodescribethe
activity. CLASP, having textual form of activity description, was easy to integrate as
comparedtoSecureTROPOS.WenotonlyusedalltheactivitiesofMisuseCasesin
the Framework but we also used Security Requirement categorization which was
72
proposed [11] specifically for Misuse Cases. Therefore we can say all the three
techniqueshadequalcontributioninproposingourFramework.
Theframeworkisflexibleandcontainsdefinitenumberofstepstoelicitsecurity
requirements. In addition it also allows iterations to improve security in a system.
This research was an attempt to provide a flexible framework for security
requirement elicitation. We achieved that by mitigating the weaknesses in formal
and informal security requirement elicitation techniques by combing them. In the
questionnaire,whichwasfilledbytheparticipantsoftheexperiment,theparticipants
agreed that using this framework improved their knowledge about importance of
securityinsoftwaresystems.
During this research we learned and discovered that there are many security
requirementelicitationtechniquesproposedbyresearchersbutalmostnoneofthem
areusedinindustryonalargescale.MostofthebigbrandnameslikeIBMandCISCO
have their own, customized, set of steps to ensure security in their product. It is
worth noting that these customized set of steps to ensure security also reflect
organizational structure. Academic research in this field is not used in industry at
large scale. Reason behind not including research outputs in security requirement
engineering field is that small organizations do not have resources for that. Big
organizationshavedevelopedtheirowncustomizedproceduresovertimetohandle
security in their product and it is costly to switch to anything new suddenly.
Thereforeitisunfortunatethatacademicresearchinthisfieldisnotgivenattention
asitdeserves.
It is clear that not every software development organization gives desired
attention to security in software and hacking incidents around the world are the
evidence to our argument. That means, the organizations that produce vulnerable
softwaredonothaveanyformalprocedurestoviewsecurityasamajorconcernina
softwaresystem.Tomakesuchanorganizationrefertotheacademicresearchinthis
regard,wesuggestcreatingademandforsecuresoftwaredevelopment.
Socialawarenessaboutsoftwaresecurityisveryimportantbecauseitwillcreate
ademandforsecuresoftwaresystems.Sincesoftwarehasamajorroletoplayinour
lives today, we suggest that Software vendors, Customers and Researchers must
understand the importance of security in software systems. Demand for systems
whicharesecurefrom customersandvendorsperspectivewill automaticallyforce
bothbigandsmallorganizationstorefertoacademicresearchinsoftwaresecurity,
especially security requirements elicitation. This may also help to bridge the gap
betweenacademiaandindustryinthefieldofsecurityrequirementengineering.
6.8
FutureWork
In our framework we have focused on Requirement phase of Software
Development Lifecycle. We considered only those activities of CLASP and Secure
TROPOSwhichwererelatedtoRequirementelicitation.Infuture,onecanaddmore
activitiestotheframeworkthatarerelatedtoothersoftwaredevelopmentLifecycle
Phases.Thiswillhelptoinvokesecurityinallphasesofdevelopmentlifecycle.
WehavetestedourFrameworkforonesoftwaresystem.Forfutureworkonecan
check the practicality of framework for different systems. In this procedure
improvementsinourframeworkcanbesuggested.
73
7
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
REFERENCES
Agarwal, A. and Gupta, D. Security Requirements Elicitation Using View Points for
Online System, in Emerging Trends in Engineering & Technology, International
Conferenceon,LosAlamitos,CA,USA,2008,vol.0,pp.12381243.
Ahmed, N. and Matuleviius, R. Towards Transformation Guidelines from Secure
TropostoMisuseCases(PositionPaper),2011.
Allen, J., Barnum, S., Ellison, R., McGraw, G., and Mead, N. Software security
engineering:aguideforprojectmanagers.AddisonWesleyProfessional,2008.
Alberts, C.J., Behrens, S.G., Pethia, R.D., and Wilson, W.R. Operationally critical
threat,asset,andvulnerabilityevaluation(OCTAVE)framework,Version1.0,1999.
Alexander,I.Misusecaseshelptoelicitnonfunctionalrequirements.Computing&
ControlEngineeringJournal,2003,vol.14,no.1,pp.4045.
Alexander, I. Initial industrial experience of misuse cases in tradeoff analysis. In
ProceedingIEEEJointInternationalConferenceRequirementsEngineering(2002),pp
6168.
Alhazmi,O.H.,Malaiya,Y.K.,andRay,I.Measuring,analyzingandpredictingsecurity
vulnerabilities in software systems, Computers & Security,2007, vol. 26, no. 3, pp.
219228.
Babar, M.A and Zhang, He. Systematic literature reviews in software engineering:
Preliminaryresultsfrominterviewswithresearchers,in3rdInternationalSymposium
onEmpiricalSoftwareEngineeringandMeasurement.ESEM,2009,pp.346355.
Bagheri,H.InjectingsecurityasaspectableNFRintoSoftwareArchitecture,inAsia
Pacific Software Engineering Conference, Los Alamitos, CA, USA, 2007, vol. 0, pp.
310317.
Boehm, B.W. and Papaccio, P.N. Understanding and controlling software costs,
SoftwareEngineering,IEEETransactionson,1988,vol.14,no.10,pp.14621477.
Bogale, H., Ahmed, Z. A FRAMEWORK FOR SECURITY REQUIREMENTS: SECURITY
REQUIREMENTSCATEGORIZATIONANDMISUSECASES,BTH,Thesisdoc,September,
2011.
Brown, A.W. and Wallnau, K.C. A framework for evaluating software technology,
Software,IEEE,1996,vol.13,no.5,pp.3949.
Buecker, A., Borrett, M., Lorenz, C., Powers, C.Introducing the IBM Security
Frameworks and IBM Security Blueprint to Realize BusinessDriven
Security.Redbooks.2010.
74
[15]
[16]
[17]
[18]
[19]
[20]
[21]
[22]
[23]
[24]
[25]
[26]
[27]
[28]
Chung,L.Dealingwithsecurityrequirementsduringthedevelopmentofinformation
systems,inAdvancedInformationSystemsEngineering,1993,pp.234251.
Chung, L. and do Prado Leite, J. On nonfunctional requirements in software
engineering, Conceptual modeling: Foundations and applications, 2009, pp. 363
379.
Diallo, M.H., RomeroMariona, J., Sim, S.E., and Richardson, D.J. A comparative
evaluationofthreeapproachestospecifyingsecurityrequirements,in12thWorking
Conference on Requirements Engineering: Foundation for Software Quality,
Luxembourg,2006.
Davey, B. and Cope, C. Requirements Elicitation Whats Missing?, Issues in
InformingScience&InformationTechnology,2008,vol.5,pp.543551.
Du, J., Yang, Y., and Wang, Q. An Analysis for Understanding Software Security
Requirement Methodologies, in Secure System Integration and Reliability
Improvement,LosAlamitos,CA,USA,2009,vol.0,pp.141149
El Khoury, P., Mokhtari, A., Coquery, E., Hacid, M.S, An Ontological Interface for
Software Developers to Select Security Patterns, in Database and Expert Systems
Application,2008.DEXA08.19thInternationalWorkshopon,2008,pp.297301.
Fabian, B., Grses, S., Heisel, M., Santen, T., and Schmidt, H. A comparison of
security requirements engineering methods, Requirements engineering, 2010 , vol.
15,no.1,pp.740.
Fuxman, A., Kazhamiakin, R., Pistore, M., and Roveri, M. Formal Tropos: language
andsemantics,UniversityofTrentoandIRST,2003.
Garcia Alcazar, E. and Monzn, A. A process framework for requirements analysis
and specification, in Requirements Engineering. Proceedings. 4th International
Conferenceon,2000,pp.2735.
Giorgini,P.,Mouratidis,H.,andZannone,N.Modellingsecurityandtrustwithsecure
tropos,IntegratingSecurityandSoftwareEngineering:AdvancesandFutureVision,
2006,pp.160189.
Glinz,M.Onnonfunctionalrequirements,inRequirementsEngineeringConference.
RE07.15thIEEEInternational,2007,pp.2126.
Graham,D.IntroductiontotheCLASPProcess,BuildSecurityIn,SecureSoftware,Inc.
2006.
75
[29]
[30]
[31]
[32]
[33]
[34]
[35]
[36]
[37]
[38]
[39]
[40]
[41]
[42]
Gregoire, J., Buyens, K., De Win, B., Scandariato, R.,and Joosen, W.2007.
OntheSecureSoftware Development Process: CLASP and SDL Compared. In SESS
07:Proceedings of the Third International Workshop on Software Engineering for
SecureSystems(Minneapolis,MN,2007),pp.1.
Hadavi, M.A., Sangchi, H., Hamishagi, V., and Shirazi, H. Software security; a
vulnerability activity revisit, in Availability, Reliability and Security. ARES 08. Third
InternationalConferenceon,2008,pp.866872.
Hadavi,M.,Hamishagi,V.,andSangchi,H.SecurityRequirementsEngineering;State
of the Art and Research Challenges, Proceedings of the International
MultiConferenceofEngineersandComputerScientists,2008,vol.1,pp.1921.
Haley,C.,Laney,R.,Moffett,J.,andNuseibeh,B.SecurityRequirementsEngineering:
A Framework for Representation and Analysis, IEEE Transactions on Software
Engineering,2008,vol.34,no.1,pp.133153.
Haley, C.B., Moffett, J.D., Laney, R., and Nuseibeh, B. A framework for security
requirements engineering, in Proceedings of the 2006 international workshop on
Softwareengineeringforsecuresystems,2006,pp.3542.
Hartong, M., Goel, R., and Wijesekera, D. Metamodels for misuse cases, in
Proceedings of the 5th Annual Workshop on Cyber Security and Information
Intelligence Research: Cyber Security and Information Intelligence Challenges and
Strategies,2009,p.33.
Hassan, R., Eltoweissy, M., Bohner, S., and ElKassas, S. Formal analysis and design
for engineering security automated derivation of formal software security
specificationsfromgoalorientedsecurityrequirements,Software,IET,2010,vol.4,
no.2,pp.149160.
Irvine,C.E.andNguyen,T.D.UseofEvaluationCriteriainSecurityEducation.NAVAL
POSTGRADUATESCHOOLMONTEREYCA,2008.
Khan,M.U.A.andZulkernine,M.ASurveyonRequirementsandDesignMethodsfor
Secure Software Development, Technical Report No. 2009 562 , School of
Computing,QueensUniversity,Kingston,Ontario,Canada,August2009.
Kim,J.,Kim,M.,andPark,S.Goalandscenariobaseddomainrequirementsanalysis
environment,JournalofSystemsandSoftware,2006,vol.79,no.7,pp.926938.
76
[43]
[44]
[45]
[46]
[47]
[48]
[49]
[50]
[51]
[52]
[53]
[54]
[55]
[56]
[57]
Kitchenham,B.ProceduresforPerfomingSystematicReview,JointTechnicalReport,
Software Engineering Group, Department of Computer Science Keele University,
United Kingdom and Empirical Software Engineering, National ICT Australia
Ltd.:Australia,2004.
Kruchten,P.TheRationalUnifiedProcessanIntroduction,AddisonWesley.2000.
Kulak,D.,andGuiney,E.UseCases:RequirementsinContext,ACMPress.2000
Matulevicius, R., Mayer, N., and Heymans, P. Alignment of misuse cases with
securityriskmanagement,ARES20083rdInternationalConferenceonAvailability,
Security,andReliability,Proceedings,2008,pp.13971404.
McUmber, W.E. and Cheng, B.H.C. A general framework for formalizing UML with
formal languages, in Proceedings of the 23rd international conference on Software
engineering,2001,pp.433442.
Mead, N.R. and Stehney, T. Security quality requirements engineering (SQUARE)
methodology,vol.30.ACM,2005.
Mead, N.R. How to compare the Security Quality Requirements Engineering
(SQUARE)methodwithothermethods,DTICDocument,2007.
Mead,N.R.Experiencesinelicitingsecurityrequirements,DTICDocument,2006.
Mead,N.R.Requirementsengineeringforsurvivablesystems,2003.
Mead, N.R. and Hough, E.D. Security Requirements Engineering for Software
Systems: Case Studies in Support of Software Engineering Education, in Software
EngineeringEducationandTraining,Conferenceon,LosAlamitos,CA,USA,2006,vol.
0,pp.149158.
Mellado, D., Eduardo FernndezMedina, Mario Piattini. Security Requirements
Variability for Software Product Lines, in Availability, Reliability and security. ARES
08.ThirdInternationalConferenceon,2008,pp.14131420.
Mellado,D.,Blanco,C.,Snchez,L.E.,andFernndezMedina,E.Asystematicreview
ofsecurityrequirementsengineering,ComputerStandards&Interfaces,2010,vol.
32,no.4,pp.153165.
Mishra,D.,Mishra,A.,andYazici,A.Successfulrequirementelicitationbycombining
requirementengineeringtechniques,inApplicationsofDigitalInformationandWeb
Technologies.ICADIWT.FirstInternationalConferenceonthe,2008,pp.258263.
Moffett, J.D., Haley, C.B., and Nuseibeh, B. Core security requirements artefacts,
Department of Computing, The Open University, Milton Keynes, UK, Technical
Report,2004,vol.23.
Mouratidis,H.ExtendingTROPOSMethodologytoAccommodateSecurity.Progress
Report,ComputerScienceDepartment,UniversityofSheffield,October2002.
77
[58]
[59]
[60]
[61]
[62]
[63]
[64]
[65]
[66]
[67]
[68]
[69]
[70]
[71]
Mouratidis, H., Giorgini, P., and Manson, G. Integrating security and systems
engineering: Towards the modelling of secure information systems, in Advanced
InformationSystemsEngineering,2003,p.10311031.
Mouratidis, H. and Giorgini, P. Secure tropos: A securityoriented extension of the
troposmethodology,InternationalJournalofSoftwareEngineeringandKnowledge
Engineering,vol.17,no.2,2007,pp.285309.
Mouratidis,H.SecureTropos:Anagentorientedsoftwareengineeringmethodology
for the development of health and social care information systems, International
JournalofComputerScienceandSecurity(IJCSS),2009,vol.154,no.3,p.241.
Mouratidis, H. A Security Oriented Approach in the Development of Multiagent
Systems:AppliedtotheManagementoftheHealthandSocialCareNeedsofOlder
PeopleinEngland,2004,PhDThesis,UniversityofSheffield.
Mouratidis,H.SecureSoftwareSystemsEngineering:TheSecureTroposApproach,
JournalofSoftware,2011,vol.6,no.3,pp.331339.
Mylopoulos,J.,Fuxman,A.,andGiorgini,P.Fromentitiesandrelationshipstosocial
actors and dependencies, in Proceedings of the 19th international conference on
Conceptualmodeling,2000,pp.2736.
Okubo, T.,Taguchi, K., and Yoshioka, N. Misuse cases + assets + security goals,
Proceedings 12th IEEE International Conference on Computational Science and
Engineering,CSE2009,pp.424429.
OWASP CLASP. CLASP Concepts View, CLASP v1.2, March, 2006.
http://www.lulu.com/items/volume_62/1401000/1401307/3/print/OWASP_CLASP_
v1.2_for_print_LULU.pdf
Pandey, S., Mustafa, K., and Rehman, S. CLASP and SDL Revisited, in Proceedings
SecondInternationalConferenceonInformationProcessing,2008,p.343.
Pauli,J. J. and Xu,D. Misuse casebased design and analysis of secure software
architecture, in Information Technology: Coding and Computing. ITCC 2005.
InternationalConferenceon,vol.2,pp.398403.
RomeroMariona, J., Ziv, H., and Richardson, D.J . Formality of the Security
Specification Process: Benefits Beyond Requirements. Hawaii International
ConferenceonSystemSciences(LosAlamitos,CA,USA,2010),16.
RomeroMariona, J., Ziv, H., and Richardson, D.J. SRRS: a recommendation system
for security requirements, in Proceedings of the 2008 international workshop on
Recommendationsystemsforsoftwareengineering,2008,pp.5052.
RomeroMariona,J.,Ziv,H.,andRichardson,D.SecurityRequirementsEngineering:
ASurvey,TechnicalReportUCIISR082.UniversityofCalifornia,Irvine,2008.
78
[72]
[73]
[74]
[75]
[76]
[77]
[78]
[79]
[80]
[81]
[82]
[83]
[84]
RomeroMariona, J., Ziv, H., and Richardson, D.J., Formality of the Security
Specification Process: Benefits Beyond Requirements, in System Sciences (HICSS),
201043rdHawaiiInternationalConferenceon,2010,pp.16.
Rushby, J. Security requirements specifications: How and what, in Symposium on
RequirementsEngineeringforInformationSecurity(SREIS),2001,vol.441.
Sindre, G., and Opdahl, A.L. Eliciting security requirements with misuse cases,
RequirementsEngineering,Jan,2005,pp.3444.
Sindre,G.,andOpdahl,A.L.CapturingSecurityRequirementsthroughMisuseCases.
13thInternationalWorkingConferenceonRequirementsEngineering:Foundationfor
SoftwareQuality.2007.
Sindre,G.andOpdahl,A.L.Templatesformisusecasedescription,inProc.Seventh
International Workshop on Requirements Engineering: Foundation of Software
Quality(REFSQ2001),2001.
Su,X.,Bolzoni,D.,VanEck,P.,andWieringa,R.Abusinessgoaldrivenapproachfor
understanding and specifying information security requirements, Arxiv preprint
cs/0603129,2006.
Talukder,A.K.,Maurya,V.K.,G,S.B.,Ebenezer,J.,V,M.S.,KP,J.,Samanta,S.,andP,
A.R.SecurityawareSoftwareDevelopmentLifeCycle(SaSDLC)Processesandtools,
inIFIPInternationalConferenceonWirelessandOpticalCommunicationsNetworks,
Cairo,Egypt,2009,pp.15.
Tndel, I., Jensen, J., and Rstad, L. Combining misuse cases with attack trees and
security activity models, in Availability, Reliability, and Security, 2010. ARES10
InternationalConferenceon,2010,pp.438445.
79
[85]
[86]
[87]
[88]
[89]
[90]
[91]
[92]
Tondel,I.A.,Jaatun,M.G.,andMeland,P.H.Securityrequirementsfortherestofus:
Asurvey,IEEESOFTWARE,2008,pp.2027,.
Viega,J.andMcGraw,G.Buildingsecuresoftware:howtoavoidsecurityproblems
therightway.AddisonWesleyProfessional,2001.
Viega,J.. Building security requirements with CLASP, in ACM SIGSOFT Software
EngineeringNotes,2005,vol.30,pp.17.
Viega, J. The CLASP Application Security Process, Secure Software, Inc.,CLASP v1.0
,june,2005.
Whittle, J., Wijesekera, D.,and Hartong, M. Executable misuse cases for modeling
security concerns. In ICSE 08: Proceedings of the 30th international conference on
Softwareengineering,2008,pp.121130.
Wohlin,C.,Runeson,P.,andHst,M.ExperimentationinSoftwareEngineering:An
Introduction,1sted.Springer,1999.
80
APPENDIX
8.1
APPENDIXA
F4:SystemResources
Belowtableshowstheresourcesusedbysysteminternallyorexportsanddifferentmeasuresaretakentopromotesecurity
goals.
Resource
SecurityMeasures
Authentication:
Confidentiality:
Dataintegrity:
AccessControl:
Nonrepudiation:
Accountability:
Authentication:
Confidentiality:
Dataintegrity:
AccessControl:
Nonrepudiation:
Accountability:
8.2
APPENDIXB
CLASPResourcesDdiscussesthecoresecurityservice.Thesearethefundamentalsecuritygoalswhichneedstobeaddressed
effectivelyforresourcesinasystem.
Authorization
Authorizationalsocalledaccesscontrol.Authorizationsaregiventouserstoaccessthesystemonthebasis
ofidentityandaregenerallypolicydriven.Policiesareenforcedbyaccesscontrolmechanismtoperform
operationsonresources.Policiesdependupontheindividualactionsperformedonresources.Forexample
accesscontroldecisionisgenerallytakenonthebasisofuserspecificpolicy.
Authentication Authenticationisusedtoestablishidentityofcommunicationpartners,owner,creatoretcofdata.
Authenticationmustbeperformedatlogintimefornetworkconnectionsbutonemustalsoperform
ongoingauthenticationsforlifetimeofconnection.Differentcategoriesofauthenticationareasfollows:
Thingswhichareknownsuchaspasswordsorpassphrases.
ThingsyouhavesuchascreditcardorRSASecureID(Authenticationtokens).
Thingsyouaresuchasfingerprints,voiceprintandretinalscans.
Confidentiality Purposeofconfidentialityistokeepdatasecrettoallunauthorizedparties.Datamustbekeptsecretor
encryptedinbothwayslikewhendataisbeingtransmittedonanetworkandwhenitisbeingstored,long
termorshortterm.
Integrity
Dataintegritymeanstokeepthedataasinformasitwasintendedtobe.Clasptreatsdataintegrityas
subsetofauthentication.Therearecaseswhereitcanbetakenasseparateserviceasauthentication.For
exampleinphysicallinklayerontrustedmediawhereerroroccursbutnotrelatedtosecurityerrors.
Availability
Delayofdatacancausetheavailabilityproblemorifproblemisduetomaliciouslyisknownasdenialof
serviceattack.
Accountability
Systemshouldloginformationabouttheoperationsperformedbythesystemuserinordertoreviewthis
informationwhenrequired.Systemusersmustbeaccountablefortheactionstheyperform.
Non
Whenthereistwopartycommunications,eithersidescanprovetothemselveswhetherdatacomesfrom
repudiation
authenticsource.Problemoccurswhenthirdpartyinvolves.Forthismessagecanbeestablishedfrom
originalsendertothirdpartieswhichiscallednonrepudiatable.
8.3
APPENDIXC(ThreatsCategorization)
Categories
1.Accesscontrol
a.Identification
Requirements(D.G.
Firesmith,2003)
Description
Identification
requirementsisany
securityrequirementthat
specifiestheextentto
whichabusiness,
application,component
orcentreshallidentify
externalsbefore
interactingwiththem(D.
G.Firesmith,2003)
Examples
PowerStatements
Theapplicationshall
identifyallofitsclient
applicationsbefore
allowingthemtouse
itscapabilities
Anunauthorized
agentattemptsto
intrudeintothe
system/
application/centre
withoutavalid
identity.
PowerMisuseCase
StealInformation
81
b.Authentication
Requirements(D.G.
Firesmith,2003)
Authentication
requirementsisany
securityrequirementthat
specifiestheextentto
whichabusiness,
application,component,
orcentershallverifythe
identityofitsexternals
beforeinteractingwith
them(D.G.Firesmith,
2003)
Anauthorization
requirementisany
securityrequirementthat
specifiestheaccessand
usageprivilegeof
authenticatedusersand
clientapplications(D.G.
Firesmith,2003)
Theapplicationshall
verifytheidentityof
allofitsusersbefore
allowingthemtouse
itscapabilities
Anunauthorized
agentattemptsto
intrudeintothe
system/
application/centre
withoutaverified
identity
Theapplicationshall
alloweachcustomer
toobtainaccesstoall
ofhisorherown
personalaccount
information.
2.Immunity
Requirements(D.G.
Firesmith,2003)
Animmunity
requirementsisany
securityrequirementthat
specifiestheextentto
whichanapplicationor
componentshallprotect
itselffrominfectionby
unauthorizedundesirable
programs(D.G.
Firesmith,2003)
Theapplicationshall
protectitselffrom
infectionbyscanning
allenteredor
downloadeddataand
softwarefor
unknowncomputer
viruses,worms,
Trojanhorsesand
othersimilarharmful
programs(D.G.
Firesmith,2003)
Anunauthorized
agentattemptsto
gainaccesstothe
restricteddata/
services,specific
application,
component
capabilitiesorany
confidential
informationofthe
system/
application/centre
withoutproper
authorization
Anunauthorized
agentattemptsto
infectthedataor
softwareofthe
system/
application/centre
3.Integrity
Requirements
a.DataIntegrity(D.
G.Firesmith,
2003)(DonaldG
Firesmith,2005)
c.Authorization
Requirements(D.G.
Firesmith,2003)
b.Hardware
Integrity(DonaldG
Firesmith,2005)
c.Personal
Integrity
(Communications)
(D.G.Firesmith,
2003)(DonaldG
Firesmith,2005)
Anintegrityrequirement
isthekindofsecurity
requirementthat
specifiestheextentto
whichthehardware,
softwareordata
components,or
communicationsare
securedfromintentional
corruption(e.g.,via
unauthorizedcreation,
modification,deletionor
replay)(DonaldG
Firesmith,2005)
Infectthesystem
(onewaycanbeto
useundesirable
program)
Corruptadata
Theapplicationshall
preventthe
unauthorized
corruptionofdata
collectedfrom
customersandother
externalusers(D.G.
Firesmith,2003)
Theapplicationshall
preventthe
unauthorized
corruptionof
attachedhardware
Theapplicationshall
preventthe
unauthorized
corruptionofemails
thatitsendsto
customersandother
externalusers(D.G.
Firesmith,2003)
Anunauthorized
agentattemptsto
createunauthorized
corruptiontothe
dataor
communicationof
thesystem/
application/centre
82
d.Software
Integrity(DonaldG
Firesmith,2005)
4.Nonrepudiation
andAccountability
Requirements(D.G.
Firesmith,2003)
5Privacy
Requirements
a.Anonymity(D.G.
Firesmith,2003)
Anonrepudiation
requirementisany
securityrequirementthat
specifiestheextentto
whichabusiness,
applicationorcomponent
shallpreventapartyto
oneofitsinteractions
fromdenyinghaving
participatedinallorpart
oftheinteraction(D.G.
Firesmith,2003)
Aprivacyrequirementis
anysecurityrequirement
thatspecifiestheextent
towhichabusiness,
application,component
orcentershallkeepits
sensitivedataand
communicationsprivate
fromunauthorized
individualsandprograms
(D.G.Firesmith,2003)
b.Communications
(D.G.Firesmith,
2003)
c.DataStorage(D.
G.Firesmith,2003)
Confidentiality
Theapplicationshall
preventthe
unauthorized
corruptionofall
communications
passingthrough
networksthatare
externaltoany
protecteddata
centers(D.G.
Firesmith,2003)
Theapplicationshall
preventthe
unauthorized
corruptionofthe
software
Theapplicationshall
makeandstore
tamperproofrecords
ofthefollowing
informationabout
eachorderreceived
fromacustomerand
eachinvoicesenttoa
customer(D.G.
Firesmith,2003)
Theapplicationshall
notstoreany
personalinformation
abouttheusers(D.G.
Firesmith,2003)
Theapplicationshall
notallow
unauthorized
individualsor
programsaccessto
anycommunications
(D.G.Firesmith,
2003)
Theapplicationshall
notallow
unauthorized
individualsor
programsaccessto
anystoreddata(D.G.
Firesmith,2003)
Theapplicationshall
provideaccessto
confidentialdataonly
totheauthorized
userswhohavethe
privilege
Anagent
intentionallytriesto
tampertherecords
ofinteractions
(message,
transactionsetc)of
thesystem/
application/centre
Anunauthorized
agentattemptsto
gainaccesstoany
dataor
communicationof
thesystem/
application/centre
Todenyusage/to
denyaction(thiscan
bedonebydeletethe
datausedasaproof
orCreatesimilar
proof
Get
privilege/disclosure
ofinformation
83
6SecurityAuditing
Requirements(D.G.
Firesmith,2003)
7.Survivabilityand
Availability
Requirements(D.G.
Firesmith,2003)
8.Physical
Protection
Requirements(D.G.
Firesmith,2003)
9.System
Maintenance
Security
Requirements(D.G.
Firesmith,2003)
10.Attack/
HarmDetection
Requirements
(DonaldGFiresmith,
2004)/Intrusion
Detection
requirements(D.G.
Firesmith,2003)
a.Availability
requirements
Asecurityauditing
requirementisany
securityrequirementthat
specifiestheextentto
whichabusiness,
application,component,
orcentershallenable
securitypersonnelto
auditthestatusanduse
ofitssecurity
mechanisms(D.G.
Firesmith,2003)
Asurvivability
requirementisany
securityrequirementthat
specifiestheextentto
whichanapplicationor
centershallsurvivethe
intentionallossor
destructionofa
component(D.G.
Firesmith,2003).Ensuring
timelyandreliableaccess
toanduseof
information.[common
criteria][federal
standards]
Aphysicalprotection
requirementisany
securityrequirementthat
specifiestheextentto
whichanapplicationor
centershallprotectitself
fromphysicalassault(D.
G.Firesmith,2003)
Asystemmaintenance
securityrequirementis
anysecurityrequirement
thatspecifiestheextent
towhichanapplication,
component,orcenter
shallpreventauthorized
modificationsfrom
accidentallydefeatingits
securitymechanisms(D.
G.Firesmith,2003)
AnAttack/harmor
intrusiondetection
requirementisany
securityrequirementthat
specifiestheextentto
whichanapplicationor
componentshalldetect
andrecordattempted
accessormodificationby
unauthorizedindividuals
(D.G.Firesmith,2003)
Anysecurityrequirement
thatisrelatedto
maliciousharm(DonaldG
Firesmith,
2004)(Information&
Systems,1999)
Theapplicationshall
collect,organize,
summarize,and
regularlyreportthe
statusofitssecurity
mechanismsincluding
accesscontrol,
immunity,privacy
andintrusion
detection.
Anagent
maliciouslyattempts
toattackortamper
theauditingprocess
ofthesystems/
applications/
centresstatusand
securitymechanism
Stealtheauditstatus
(tomitigatethisone
weshouldusesome
kindoflawthat
governsthesecurity
personnels)
Theapplicationshall
nothaveasingle
pointoffailure(D.G.
Firesmith,2003).
Theapplicationshall
beaccessibletothe
authorizeduser.
Anunauthorized
agentintentionally
destroysasystems
/applications/
centrescomponent
tocreateitsfailure
ortohamperits
legitimateuserto
accessthe"system.
Denialofservice
Thedatacentershall
protectitshardware
componentsfrom
physicaldamage,
destruction,theftor
surreptitious
replacement(D.G.
Firesmith,2003)
Theapplicationshall
notviolateitssecurity
requirementsasa
resultofthe
upgradingofadata,
hardwareorsoftware
component(D.G.
Firesmith,2003)
Anagenttriesto
intentionallydamage
orharmphysically
thehardwareor
componentsor
personnelofthe
system/
application/centre
Anagent
(authorizedor
accidental)attempts
toviolatethe
security
requirementsduring
theusagephase
(upgrading/
replacement/
removalofdata,
hardwareor
software
component)ofthe
system/
application/centre.
Physicallyassault
Failsecure(the
Upgradingofdata,
software,
hardware)(thesystem
shouldpreserveits
securedstate)
Attemptpossibilities
tointrude
Thesystemshall
detectthepresence
ofatleast99.9%of
denialofservice
attacks
84
b.Confidentiality
Requirements
c.Integrity
Requirements
d.Nonrepudiation
Requirements
Thesystemshall
preventthe
corruptionof
confidentialdataby
atleast99%ofthe
attacksthatlastno
longerthan1hour
andaremadeby
attackerswithprofile
X
Upondetectionof
corrupteddata,the
systemshallnotify
thesecurityengineer
within5secondsat
least99.99%ofthe
time
Thesystemshalluse
virusdefinitionsanda
virusscanenginethat
havebeenupdated
withintheprevious
24hours,ifsuchan
updateexists.
Note:Requirementsareprioritizedaccordingtoscalehighpriority,mediumpriorityandlowpriorityasshownbelow:
8.4
APPENDIXD(CLASPandFrameworkSecurityRelevant
Requirements)
Note:Requirementsareprioritizedaccordingtoscalehighpriority,mediumpriorityandlowpriorityasshownbelow:
PriorityScale(1:High,2:Medium,3:Low)
ID
1
IDENTIFIER
MF_R001
TITLE
NoRemoteaccessed toSystem
REQUIREMENT
Systemshallworkwithinorganization.
RATIONALE
Systemcannotbeaccessremotely.
RESTRICTION
OnlyCSR(Customerservicerepresentative)canaccess
system.
DEPENDENCIES
NA
Type
AuthorizationRequirement.
Actor
3270Terminal
Priority
1
ID
2
IDENTIFIER
MF_R002
TITLE
TimeCritical
REQUIREMENT
Systemshalldisplaycorrectresultwithin5secondsof
makingtherequesttothesystem.
RATIONALE
Customerservicerepresentativemustrespondtocustomer
ineffectivemanner.
RESTRICTION
Inordertoupdate,createorsearchdatacustomerhastocall
CSR.
DEPENDENCIES
4
Type
DataIntegrityRequirement,
Actor
3270Terminal
Priority
1
ID
3
IDENTIFIER
MF_R003
TITLE
Unauthorizedaccess
REQUIREMENT
Thereshallbenoaccesstodatawithoutauthorization.
RATIONALE
Nocustomercanhavedirectaccesstodata.
RESTRICTION
OnlyCSRcanaccessthedata.
DEPENDENCIES
5
85
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
AuthorizationRequirement.
3270Terminal
1
4
MF_R004
Availabilityofsystem
Systemshallbeavailableallthetimeanditshouldbefault
tolerant.
Customerservicerepresentativemustrespondtocustomer
whenneeded.
OnlyCSRhaveaccesstosystem.
2
AvailabilityRequirement.
3270Terminal
2
5
MF_R005
Validcredentials
Customersrepresentativeshalluseloginandapasswordto
accessthesystem.
Inordertomaintainsecurity,CSRmustuseusernameand
passwordtoinitiateCICS.
OnlyCSRcanhavedirectlyaccesstosystem.
3,9
AuthenticationRequirement.
3270Terminal
2
6
MF_R006
CICSaccessible
CICSShallonlybeaccessiblethrough3270terminal
CSRcaninitiateCICSthrough3270terminal.
OnlyCSRcaninitiatetheCICSthrough3270terminal.
1
AuthorizationRequirement
3270Terminal
2
7
MF_R007
RACFAuthorization
Returnedtoapplicationanddisplayedonthescreenonlyif
RACFauthorizationallows.
RACFcheckswhethertheuserispermittedtoreadthe
relevantfile.
OnlyRACFsystemcangivedatasetandtransaction
permissions.
AuthorizationRequirement
SecurityRequirement
3270Terminal
2
8
MF_R008
UpdateInformation
Applicationusercancreatenewclaimorcanupdate
information.
Applicationmustupdatedataforspecifiedcustomer.
IFRACFallowsit,recordisupdatedinVSAMfile.
86
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTION
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
5
Dataintegrity
3270Terminal
3
9
MF_R009
Loginattempts
Systemshallnotsupportmorethan3loginattempts(incase
ofloginfailures).
Becauseofimprovedsecuritywewishtohave3login
attemptsafterthatsystemwouldnotbeavailable.
Systemshouldnotsupportmorethan3loginattempts.
5
AuthenticationRequirement.
3270Terminal
1
10
MF_R010
CommunicationFailure
Rollbackshallbesupportedincaseofcommunicationfailure
duringtransaction.
Torestorethedatatoitsprevious state.
NA
NA
DataintegrityRequirement.
3270Terminal
1
11
MF_R011
64bitoperatingsystem
Mainframeshouldrununder64bitoperatingsystem.
Oursecurityframeworksupport64bitoperatingsystem
Thiscaseonlysupport64bitoperatingsystem.
NA
SystemRequirement
3270Terminal
3
12
MF_R012
Extraportsclosed
Allportsexceptportsconnecting3270terminalshallbe
closed.
Closeentrypointstorestrictanydirectinteractionwithdata.
Systemshallonlybeaccessiblefrom3270terminal
NA
ConfidentialityRequirement.
3270terminal
1
13
MF_R013
VSAMFile
CICScanonlyaccessVSAMfileafterauthenticatingtheuser
fromRACF.
Restrictunauthorizedaccesstodata
Customerdatacanonlybeaccessedbyauthorizedcustomer
servicerepresentatives
7,6
AuthenticationRequirement
CICS
1
87
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
8.5
14
MF_R014
PublicMethods
Publicmethodshallbedeclaredasfewaspossible.
Followsecurecodingstandards.
Unauthorizedaccessi.e.usingpublicmethodstoenterthe
systemisnotallowed.
5
AuthorizationRequirement,Authentication
User
1
APPENDIXE(CLASPandFrameworkSecurityAnalysis
Requirements)
Note:Requirementnumber15isofframeworkonly.
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
15
MF_R015
CICSession
UsercanonlyinitiateCICsessionafterauthenticlogin.
Toprotectcustomerdata
OnlyCSRcanloginthesystem
9
Authentication
3270terminal
1
16
MF_R016
Filesandprocesses
Thereshouldbealimittothemaximumnumberoffilesand
processesthatauserisallowed.
CSRisnotallowedkeepthesystemsresourcesunnecessarily
busy.
OnlyCSRcanaccessthesystemfile.
3
Availability
3270terminal
2
17
MF_R017
EncryptedData.
DatamustbestoredinEncryptedform.
Inordertoprotectdata,itmustbestoredinencryptedform.
OnlyCSRcanaccessthesystem
18
ConfidentialityRequirement.
3270terminal.
2
18
MF_R018
Datacommunication
Alldatacommunicationthroughnetworkmustbeencrypted.
Inordertoprotectdata, communicationthroughnetwork
mustbeencrypted.
IBMMainFrame
17
ConfidentialityRequirement
3270Terminal
88
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
8.6
2
19
MF_R019
Physicalaccesstomainframe.
Thereshouldbenophysicalaccesstomainframe,network
and3270terminalbyanyunauthorizedperson.
Onlyauthorizedpersoncanaccesstosystem.
OnlyCSRcanloginthesystem
3
AuthorizationRequirement
3270terminal.
2
20
MF_R020
Codingguidelines.
Propercodingguidelinesmustbefollowedtopreventattacks
likebufferoverflowandSQLinjection.
Avoidprogrammingvulnerabilities
OnlyCSRcanexecutetheapplication
NA
DataintegrityRequirement.
3270terminal
3
APPENDIXF(FrameworksfinalupdateRequirements)
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
21
MF_R021
Accessapplicationsystemfile.
Usermustnotbeallowedtoaccessapplicationsystemfile.
Attackercannotcorruptormanipulateapplication/system
files.
OnlyCSRcanaccessthesystemfile.
3
Authorizationrequirement
3270terminal
1
22
MF_R022
SoftwareInstallation
AnyTypeofsoftwareinstallationshallbestrictlyrestricted.
Softwareinstallationmustberestrictedtoavoidmalware
installation.
IBMMainFrame
23
ConfidentialityRequirement.
3270Terminal
2
23
MF_R023
Downloaddata
Applicationshouldnotallowdownload,copyanykindof
data.
Companypolicy
OnlycanCSRcanloginthesystem
22
ConfidentialityRequirement.
3270terminal.
2
89
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
8.7
24
MF_R024
Accesstoanycommunication
Applicationshallnotallowaccesstoanycommunication
Attackermustnotbeabletomodifyanyfilesormessages
duringcommunication.
OnlyCSRcanexecutetheapplication
NA
NONrepudiation
3270terminal
2
25
MF_R025
RACFLogFiles
NoaccessshallbeallowedtoRACFLOGfiles.
Operationlogshowsdetailofthetransactionssothata
problemcanbetracedback.
CSRmustnothaveany accesstoRACFlogfiles.
3
Accountability.
3270Terminal.
1
26
MF_R026
Intrusiondetectionmechanism
Intrusiondetectionmechanismshallbeimplementedatall
entrypointsandcommunicationpoints.
Intrusiondetectionmechanismshallbeimplementedatall
entrypointsandcommunicationpointstoprotectcustomer
data.
Portsareblocked.
19
ConfidentialityRequirement.
3270Terminal
1
27
MF_R027
Failureofasystemcomponent
Ifanycomponentofthesystemfailsorstopsresponding,
systemmustnotallowoperationsuntilsystemstarts
functioningnormally
Failureofanycomponentcanmakesystemvulnerable
Theremustnotbeanydirectaccesstodata
19
ConfidentialityRequirement.
3270Terminal
1
APPENDIXG(MisuseCaseRequirements)
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
M1
MC_R001
EncryptedData.
DatamustbestoredinEncryptedform.
Inordertoprotectdata,itmustbestoredinencryptedform.
OnlyCSRcanaccessthesystem
18
Confidentiality.
3270terminal.
2
M2
90
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
Actor
Priority
ID
IDENTIFIER
TITLE
REQUIREMENT
RATIONALE
RESTRICTIONANDRISKS
DEPENDENCIES
Type
MC_R002
NoRemoteaccesstoSystem
Systemshallworkwithinorganization.
Systemcannotbeaccessremotely.
OnlyCSR(Customerservicerepresentative)canaccess
system.
NA
AuthorizationRequirement.
3270Terminal
1
M3
MF_R003
Extraportsclosed
Allportsexceptportsconnecting3270terminalshallbe
closed.
Closeentrypointstorestrictanydirectinteractionwithdata.
Systemshallonlybeaccessiblefrom3270terminal
NA
ConfidentialityRequirement.
3270terminal
1
4
MF_R004
NodirectaccesstoVSAM
CICScanonlyaccessVSAMfileafterauthenticatingtheuser
fromRACF.
Restrictunauthorizedaccesstodata
Customerdatacanonlybeaccessedbyauthorizedcustomer
servicerepresentatives
NA
Authorization
91
8.8
APPENDIXH(Questionnaire)
92
8.9
APPENDIXI(FeedbackForm)
Doyouhaveanyexperienceinworking/elicitingsecurityrequirementsforsoftware?
Response
Chart
Frequency
Yes
60%
No
40%
Totalresponses:6
Haveyoueverusedorhaveanyknowledgeaboutanytechniqueforsecurityrequirementelicitation?
Response
Chart
Frequency
Yes
17%
No
83%
Totalresponses:6
Wastheinformationprovidedaboutthesoftwaresystemenoughtounderstandthesystem?
Response
Chart
Yes
Frequency
67%
No
33%
Totalresponses:6
Whatwasthelevelofunderstandingoftheactivitiesfromthematerialprovidedonthescaleof1to5(1isveryeasyand5is
verydifficult)?
Response
Chart
Frequency
0%
33%
17%
17%
93
Response
Chart
Frequency
33%
Totalresponses:6
Editthisitem
Whatwasthelevelofapplicationoftheactivitiesfromthematerialprovidedonthescaleof1to5(1isveryeasyand5isvery
difficult)?
Response
Chart
Frequency
0%
17%
67%
17%
0%
Totalresponses:6
Doyouthinkthatthetimetoperformtheseactivitiesforprovidedsoftwaresystemwasenough?
Response
Chart
Yes
Frequency
67%
No
33%
Totalresponses:6
Doyouthinkthatifyouperformtheseactivitiesagain,youcanproducebetterresults?
Response
Chart
Yes
Frequency
50%
No
50%
Totalresponses:6
Doyouthinkthatduringtheseactivitiesyouanalyzedthesystemfromdifferentaspectswhichareusuallyarenotconsidered
insoftwaredevelopment?
Response
Chart
Frequency
94
Response
Chart
Frequency
Yes
67%
33%
TotalResponse6
No
ThisExperimentimprovedyourknowledgeaboutsoftwaresecurityandsoftwareattackscenarios?
Response
Chart
Yes
Frequency
67%
No
33%
Totalresponses:6
8.10 APPENDIXJMisuseCaseTemplate
Field
Name
Summary
Date
Author
BasicPath
AlternativePath
CapturePoint
ExtensionPoint
Triggers
Preconditions
Assumptions
Postconditions
WorstCaseThreat
Preventionguarantee
Detectionguarantee
RelatedBusinessRule
PotentialMisuserProfile
Stakeholders
Scope
AbstractionLevel
TechnologyandDataVariations
Goal
Dependencies(Relationship)
SecurityConstraints
Description
MisuseCaseName/Title
ExplanationofMisusecase
DateofcreationofMisusecase
CreatorofMisusecase
Stepswhichamisuserisgoingtotakebeforereachingthegoal
Otherpathsthroughwhichthesamegoalcanbereached
Optionsforhowmisusecanbedetectedandprevented[61].
Optionalpathstakenbymisuse
Conditionthatcaninitiatemisusecase
Thisconditiondescribesthosestatesofthesystemwhichmakemisuse
possible
This condition describes those states of the systems environment
whichmakemisusepossible
Stateofthesystemaftersuccessfulmisusecase
Maximum damage possible in case of a successful misuse case.
Optionalpathsarealsoincluded.
Prevention Guarantee describes the result that would be obtained by
following the Basic or Alternate path if the threat were detected
andminimumthreatmitigationoccurs.[34]
TheDetectionGuaranteedescribestheresultthatwouldbeobtained
ifthemisuseweredetected,butnotmitigated.[34]
RelatedBusinessRulesareusecasebusinessrulesthatarebrokenby
themisusecase[34]
Levelofskillsandintentionsofthemisusemustbeassessedinorderto
beawareoftheseverityofthreat
The people who have concern about what should not happen in the
system
The scope of modeling, e.g., the entire business or just the planned
computerizedinformationsystem[80]
Whatisthelevelofabstractionforthemisusecasee.g.summary,sub
functionetc.
Which various ways and technologies can be used to achieve the
misuse
Whichgoalofthestakeholderishindered
RelationshipofStakeholderwithotherStakeholder(s)
InformationaboutSecurityconstraintsonStakeholder(s)
95
8.11 APPENDIXKSequenceDiagramShowingActivityFlow
96
8.12 APPENDIXLUseCaseDiagramforMonolithicSystem
System
Authentication
(RACF)
Log In
Request to Execute
Application
Application
Request for
customer data
Customer Data
3270 Terminal
To update customer
data
Validate User
Check
Authorization(RACF)
Update customer
data
97