RE in Practice, or ”How can it possibly be so hard to apply RE in real world projects” (Dominik Richter)


Page 1: RE in Practice -  · ”How can it possibly be so hard to apply RE in real world projects” Dominik Richter RE in Practice or


Page 2

© 2018 International Business Machines Corporation | Page 2

Dominik Richter, Technical Consultant

Studies: M.Sc. Computer Science

Projects: SecuTABLET; Electronic Health Record (Elektronische Gesundheitsakte)

Hobbies: Sports (Judo, Freeletics, Running); organizing summer camps for teenagers

Page 3

Agenda

• Security Requirements: Is that a thing!?
• RE & Agile: Does SCRUM solve all problems?
• Final Quiz: Earn Glory and Honor

Get Ready! Quiz Test Run: https://kahoot.it

We are going to start today’s session with a short quiz.

Page 4

Security Requirements: Is that a thing?

Based on the experiences during the project “SecuTABLET”, which is also introduced in the following.

Page 5

Development: Who is involved?

SecuTABLET is developed by Secusmart, Blackberry and IBM, in cooperation with Samsung.

Page 6

Contents

To understand SecuTABLET, we’ll take a look at three perspectives:

• User‘s Perspective
• Risk Owner‘s Perspective
• Developer‘s Perspective (conceptual idea, implementation, challenges)

Dealing with those requirements is what I remembered from this lecture. The amount of work related to those requirements was quite surprising.

Page 7

The User‘s Perspective

From the user’s perspective, SecuTABLET provides an additional “secure space” with higher security.

Page 8

The Risk Owner‘s Perspective

From the risk owner’s perspective, it is crucial that several restrictions are applied to the “secure space”.

Page 9

Developer’s Perspective (conceptual)

From the developer’s perspective, SecuCONNECT, SecuSTORE and the Security Policy Layer (SPL) build the solution:

• SecuSTORE: trusted app store; manages security settings; integrates the Secure Smartcard (SSC)
• Security Policy Layer (SPL): enforces security policies (encryption, VPN usage, …)
• SecuCONNECT: provides VPN access to the enterprise backend
• Secure App: an „unmodified app“ whose calls are intercepted and which is resigned
• Private App: an unmodified app

Page 10

Ok, I get the idea. So what’s the deal with “security requirements” now? Isn’t that the same as every functional requirement?

Pages 11-13

Nope.

Federal Office for Information Security (BSI)

Depending on the required security level, there is a corresponding approval process that needs to be followed. Also, the requirements are not only about security features of the product, but also requirements imposed on the development process.

Page 14

Security levels. An overview.

There are several security levels. SecuTABLET “only” needs “VS-NfD” approval.

• Streng geheim (“Top secret”)
• Geheim (“Secret”)
• Verschlusssache – Vertraulich (“Confidential”)
• Verschlusssache – Nur für den Dienstgebrauch (“Restricted”) → VS-NfD approval process

Page 15

The BSI is a federal office. So I bet the approval process is well documented.

Page 16

That‘s right.

… just take care of all requirements one after another.

Pages 17-19

VS-NfD approval process: Key concepts – Definition of Security

For obvious reasons, we don’t want to discuss the whole process in detail today…

Diagram: Device / Software / TOE (Target of Evaluation). The questions asked: Is this secure? How secure is the ?

Page 20

VS-NfD approval process - breakdown

The approval process imposes many requirements on the development process. The breakdown (diagram) shows the Security Target document, Functional Testing, and even more requirements on top.

Pages 21-23

Quick glance at Security Target document (ST) and Functional Testing (ATE_FUN)

The ST describes what the TOE needs to be protected against. It contains the Security Problem Definition and the Security Objectives:

(ASE_SPD.NfD.1D) The developer shall provide a security problem definition.

(ASE_SPD.NfD.1C) The security problem definition shall describe the threats.

(ASE_SPD.NfD.2C) All threats shall be described in terms of a threat agent, an asset, and an adverse action.

ATE_FUN provides evidence that the desired security requirements are met:

(ATE_FUN.NfD.1D) The developer shall test the TSF and document the results. …

(ATE_FUN.NfD.1C) The test documentation shall consist of test plans, expected test results and actual test results.

(ATE_FUN.NfD.2C) The test plans shall identify the tests to be performed and describe the scenarios for performing each test. [..]
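As an added example (not part of the talk or of the SecuTABLET project), a small Python checker that applies the ASE_SPD clauses and the ATE_FUN documentation rules to a Security Target: each threat must name an agent, an asset and an adverse action, every threat must be countered by an objective, and every objective needs a functional test with an expected and a documented actual result. The threat, objective and test names and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:            # ASE_SPD.NfD.2C: threat agent, asset, adverse action
    name: str
    agent: str
    asset: str
    adverse_action: str

@dataclass(frozen=True)
class Objective:         # security objective and the threat names it counters
    name: str
    counters: tuple

@dataclass(frozen=True)
class TestCase:          # ATE_FUN.NfD.1C/2C: scenario, expected and actual result
    name: str
    objective: str
    scenario: str
    expected: str
    actual: str = ""     # stays empty until the test has actually been run
def check_st(threats, objectives, tests):
    """Return findings; an empty list means SPD, objectives and tests line up."""
    findings = []
    for t in threats:
        for part in ("agent", "asset", "adverse_action"):
            if not getattr(t, part).strip():
                findings.append(f"threat {t.name}: missing {part}")
    countered = {n for o in objectives for n in o.counters}
    findings += [f"threat {t.name}: no objective counters it"
                 for t in threats if t.name not in countered]
    tested = {c.objective for c in tests}
    findings += [f"objective {o.name}: no functional test"
                 for o in objectives if o.name not in tested]
    for c in tests:
        if not c.actual.strip():
            findings.append(f"test {c.name}: actual result not documented")
        elif c.actual != c.expected:
            findings.append(f"test {c.name}: actual differs from expected")
    return findings
# Constructed sample, loosely modelled on the SecuCONNECT/SPL components above.
THREATS = (Threat("T.Eavesdrop", "attacker on the network path",
                  "enterprise data in transit", "reads or modifies traffic"),
           Threat("T.DeviceLoss", "finder of a lost device",
                  "data at rest in the secure space", ""))  # incomplete on purpose
OBJECTIVES = (Objective("O.VPN", ("T.Eavesdrop",)),
              Objective("O.Encrypt", ("T.DeviceLoss",)))
TESTS = (TestCase("vpn-enforced", "O.VPN", "secure app connects with VPN down",
                  "connection is blocked", "connection is blocked"),)
```

Running `check_st(THREATS, OBJECTIVES, TESTS)` on the sample reports the threat without an adverse action and the objective that has no test; a consistent ST yields an empty list.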

Page 24

With such a focus on security, where does this leave all other requirements?

Page 25

Definition of Security

While we need to adhere to security requirements, we are on the client’s side, supporting features. The diagram spans two poles: the BSI, whose security requirements imply a reduction of functionality, and the client, who wants an extension of functionality. “We are here”: on the client’s side.

Page 26

Lessons Learned

For security-related products, managing the balance and expectations is even more important.

• “Security Requirements” may define one of two kinds of requirements:
  – Security features of a product
  – Requirements with respect to the development process, needed for security approval
• Security Requirements need to be defined upfront:
  – What are the attack scenarios?
  – Whom can I trust?
  – How high are our security needs?
• User expectations must be managed in accordance and right from the start

Page 27

RE & Agile: Does SCRUM solve all problems?

Based on the experiences during the project “Elektronische Gesundheitsakte” (Electronic Health Record), which is also introduced in the following.

Page 28

Elektronische Gesundheitsakte (eGA) [electronic health record] at a glance

The eGA is realized with apps for iOS & Android plus backend systems:

• eGA Mobile App (iOS / Android)
• eGA Backend System
• TK Backend system

Page 29

What does Agile NOT mean

Agile is hyped a lot. Therefore, a lot of people have too high expectations.

http://dilbert.com/

Page 30

RE in Agile projects

The Product Owner & Backlog act as a valve between two worlds: “Push” & ”Pull”.

https://www.youtube.com/watch?v=LDPc1fyFVbY

Page 31

Agile RE gone wrong

Pressure is what kills effective requirements management (and development, for that matter).

http://dilbert.com/

Page 32

Lessons learned

Agile has a lot of potential to improve RE in a project (but that doesn’t mean it always does).

• Agile is hyped a lot. Therefore, a lot of people have too high expectations
• Pressure is what kills effective requirements management.
  – Leads to frequently changing prioritization
  – Leaves the developers frustrated
• The PO’s role is crucial not only to create & prioritize tasks, but also to make sure stories are not pushed onto the developers
• Agile requires a lot of organizational change, which is why (especially) big companies, both manufacturers and clients, struggle with it


Page 34

Thank you for your attention. Questions?

Dominik [email protected]

Mobile: +49-160-8879183

RE in Practice, Dominik Richter