RE in Practice, or "How can it possibly be so hard to apply RE in real world projects"
Dominik Richter
© 2018 International Business Machines Corporation | Page 2
Dominik Richter, Technical Consultant
Studies: M.Sc. Computer Science
Technical Consultant
Project: SecuTABLET
Project: Electronic Health Record (Elektronische Gesundheitsakte)
Hobbies
• Sports: Judo, Freeletics, Running
• Organizing summer camps for teenagers
Agenda
• Quiz Test Run: Get Ready!
• Security Requirements: Is that a thing!?
• RE & Agile: Does SCRUM solve all problems?
• Final Quiz: Earn Glory and Honor
https://kahoot.it
We are going to start today's session with a short quiz.
Security Requirements: Is that a thing?
Based on the experiences during the project "SecuTABLET", which is also introduced in the following.
Who is involved?
SecuTABLET is developed by Secusmart, Blackberry and IBM, in cooperation with Samsung.
Contents
To understand SecuTABLET, we'll take a look at three perspectives:
• User's Perspective
• Risk Owner's Perspective
• Developer's Perspective: Conceptual Idea, Implementation, Challenges
Dealing with those requirements is what I remembered from this lecture. The amount of work related to those requirements was quite surprising.
The User's Perspective
From the user's perspective, SecuTABLET provides an additional "secure space" with higher security.
The Risk Owner's Perspective
From the risk owner's perspective, it is crucial that several restrictions are applied to the "secure space".
The Developer's Perspective (conceptual)
From the developer's perspective, SecuCONNECT, SecuSTORE and the SPL build the solution:
• SecuSTORE: trusted app store; manages security settings; integrates the Secure Smartcard (SSC)
• Security Policy Layer (SPL): enforces security policies (encryption, VPN usage, ...)
• SecuCONNECT: provides VPN access to the enterprise backend
• Secure App: "unmodified app" whose calls are intercepted and which is re-signed
• Private App: unmodified app
Ok, I get the idea. So what's the deal with "security requirements" now? Isn't that the same as every functional requirement?
Nope.
Federal Office for Information Security
Depending on the required security level, there is a corresponding approval process that needs to be followed.
Also, the requirements are not only about security features of the product, but also requirements imposed on the development process.
Security levels. An overview.
There are several security levels. SecuTABLET "only" needs "VS-NfD" approval.
• Streng geheim ("Top secret")
• Geheim ("Secret")
• Verschlusssache - Vertraulich ("Confidential")
• Verschlusssache - Nur für den Dienstgebrauch ("Restricted"), i.e. VS-NfD
VS-NfD approval process
The BSI is a federal office. So I bet the approval process is well documented.
That's right.
... just take care of all requirements one after another.
VS-NfD approval process: Key concepts - Definition of Security
For obvious reasons, we don't want to discuss the whole process in detail today...
Is this secure? How secure is the ...? (Device, Software, TOE, i.e. the Target of Evaluation)
VS-NfD approval process - breakdown
The approval process imposes many requirements on the development process: a Security Target document, Functional Testing, and even more requirements.
Quick glance at Security Target document (ST) and Functional Testing (ATE_FUN)
The ST describes what the TOE needs to be protected against. It contains the Security Problem Definition and the Security Objectives.
(ASE_SPD.NfD.1D) The developer shall provide a security problem definition.
(ASE_SPD.NfD.1C) The security problem definition shall describe the threats.
(ASE_SPD.NfD.2C) All threats shall be described in terms of a threat agent, an asset, and an adverse action.
ATE_FUN provides evidence that the desired security requirements are met.
(ATE_FUN.NfD.1D) The developer shall test the TSF and document the results. ...
(ATE_FUN.NfD.1C) The test documentation shall consist of test plans, expected test results and actual test results.
(ATE_FUN.NfD.2C) The test plans shall identify the tests to be performed and describe the scenarios for performing each test. [..]
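An added example (not from the slides or the SecuTABLET project) of turning the quoted ASE_SPD and ATE_FUN clauses into a mechanical completeness check on a security-target fragment; the record layout, field names and the threat/test ids are assumptions, and the sample records are constructed.

```python
"""Evidence checker for two VS-NfD assurance components (added example).

ASE_SPD.NfD.2C: every threat names a threat agent, an asset and an adverse action.
ATE_FUN.NfD.1C/2C: every test record has a plan, a scenario, an expected and an
actual result; a test whose actual result deviates from the expected one is flagged.
"""

# Field names are an assumption about how the ST fragment is recorded.
THREAT_FIELDS = ("threat_agent", "asset", "adverse_action")
TEST_FIELDS = ("plan", "scenario", "expected", "actual")


def check_spd(threats: list[dict]) -> list[str]:
    """One finding per threat that violates ASE_SPD.NfD.2C."""
    findings = []
    for t in threats:
        missing = [f for f in THREAT_FIELDS if not t.get(f)]
        if missing:
            findings.append(f"{t.get('id', '?')}: missing {', '.join(missing)}")
    return findings


def check_ate_fun(tests: list[dict]) -> list[str]:
    """One finding per incomplete or failed test record (ATE_FUN.NfD.1C/2C)."""
    findings = []
    for t in tests:
        missing = [f for f in TEST_FIELDS if not t.get(f)]
        if missing:
            findings.append(f"{t.get('id', '?')}: missing {', '.join(missing)}")
        elif t["expected"] != t["actual"]:
            findings.append(f"{t['id']}: actual result deviates from expected")
    return findings


def audit(threats: list[dict], tests: list[dict]) -> dict:
    """Run both checks; empty lists mean the fragment passes."""
    return {"spd": check_spd(threats), "ate_fun": check_ate_fun(tests)}


# Constructed sample fragment: one complete and one incomplete threat,
# one passing and one failing test. Ids are invented for illustration.
SAMPLE_THREATS = [
    {"id": "T.EAVESDROP", "threat_agent": "attacker on the network",
     "asset": "enterprise data in transit", "adverse_action": "reads traffic"},
    {"id": "T.LOST_DEVICE", "threat_agent": "finder of a lost tablet",
     "asset": "data in the secure space"},  # adverse action not stated
]
SAMPLE_TESTS = [
    {"id": "ATE-01", "plan": "VPN enforcement", "scenario": "backend call without VPN",
     "expected": "connection refused", "actual": "connection refused"},
    {"id": "ATE-02", "plan": "storage encryption", "scenario": "secure-space file from private app",
     "expected": "access denied", "actual": "file readable"},
]

if __name__ == "__main__":
    for area, findings in audit(SAMPLE_THREATS, SAMPLE_TESTS).items():
        print(area, findings or "ok")
```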
With such a focus on security, where does this leave all other requirements?
Definition of Security
While we need to adhere to security requirements, we are on the client's side, supporting features.
Client: extension of functionality <-> BSI: security requirements (imply reduction of functionality)
We are here.
Lessons Learned
For security-related products, managing the balance and expectations is even more important.
• "Security Requirements" may define one of two kinds of requirements
– Security features of a product
– Requirements with respect to the development process, needed for security approval
• Security Requirements need to be defined upfront
– What are the attack scenarios?
– Whom can I trust?
– How high are our security needs?
• User expectations must be managed accordingly and right from the start
RE & Agile: Does SCRUM solve all problems?
Based on the experiences during the project "Elektronische Gesundheitsakte" (Electronic Health Record), which is also introduced in the following.
Elektronische Gesundheitsakte (eGA) [electronic health record] at a glance
The eGA is realized with apps for iOS & Android plus backend systems:
• eGA Mobile App (iOS / Android)
• eGA Backend System
• TK Backend System
What does Agile NOT mean
Agile is hyped a lot. Therefore, a lot of people have too high expectations.
http://dilbert.com/
RE in Agile projects
The Product Owner & Backlog act as a valve between two worlds: "Push" & "Pull".
https://www.youtube.com/watch?v=LDPc1fyFVbY
Agile RE gone wrong
Pressure is what kills effective requirements management (and development, for that matter).
http://dilbert.com/
Lessons learned
Agile has a lot of potential to improve RE in a project (but that doesn't mean it always does).
• Agile is hyped a lot. Therefore, a lot of people have too high expectations.
• Pressure is what kills effective requirements management.
– Leads to frequently changing prioritization
– Leaves the developers frustrated
• The PO's role is crucial not only to create & prioritize tasks, but also to make sure stories are not pushed onto the developers.
• Agile requires a lot of organizational change, which is why (especially) big companies, both manufacturers and clients, struggle with it.
Thank you for your attention. Questions?
Dominik Richter
Dominik.Richter@de.ibm.com
Mobile: +49-160-8879183