16
SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK By: Ramez Al-Fayez 1

SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Embed Size (px)

Citation preview

Page 1: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

SECURITY REQUIREMENTS ENGINEERING:

APPLYING SQUARE FRAMEWORK

By: Ramez Al-Fayez

1

Page 2: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Overview

• Definitions

• Business pains

• SQUARE Framework

• Other Frameworks

• Benefits

• Q&A

2

Page 3: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Definitions• Requirement: “is a condition or capability that

must be met or possessed by a system or system component to satisfy a contract, standard, specification, or other formally imposed documents”

• In general requirement is based on what the product should do not how the product should do.

• Requirements engineering “is the branch of software engineering concerned with the real-world goals for, functions of, and constraints on software systems. It is also concerned with the relationship of these factors to precise specifications of software behavior, and to their evolution over time and across software families”

3

Page 4: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Definitions

• Security “is measurement or action to prevent hard to a component”

• Security requirements engineering “is about defining the way to achieve security goals - traditionally classified into confidentiality, integrity, and availability (CIA) goals- “

4

Page 5: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Business pains• 60% of failed project are failed due to lack of

Requirements engineering process or methodology

• 79% of cyber-attacks happened due to not focus on security requirements during implementing the product/project

5

Page 6: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Top web attacks• Injection• Broken Authentication and Session Management• Cross-Site Scripting (XSS)• Insecure Direct Object References• Security Misconfiguration• Sensitive Data Exposure• Missing Function Level Access Control• Cross-Site Request Forgery (CSRF)• Using Known Vulnerable Components• Un-validated Redirects and Forwards

These can be avoided if security were addressed before starting development.

6

Page 7: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Hierarchy of security goals

Business

goals

Saftey and security goals

Security requirements

Various architectural and policy recommendations

7

Page 8: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

SQUARE Framework

Agree on definitions

Identify security goals

Develop artifacts

Elicit security requirements

Select elicitation techniques

Perform risk assessment

Categorize requirements

Prioritize requirements

Requirements inspection

8

Page 9: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

SQUARE Steps

# Step Input Techniques Participants Output

1 Agree on definitions Potential definitions• Structured interviews

• focus group

Stakeholders,

requirements team

Agreed-to

definitions

2 Identify security goals

Definitions, candidate goals,

business drivers, policies and

procedures, examples

• Facilitated work session

• Surveys and interviews

Stakeholders,

requirements engineerGoals

3 Develop artifacts Potential artifacts Work session Requirements engineer

Needed artifacts:

scenarios, misuse

cases, models,

templates, forms

4Perform risk

assessment

• Misuse cases,

• Scenarios

• security goals

• Risk assessment method,

• Analysis of anticipated risk

• Threat analysis

Requirements engineer,

risk expert, stakeholders

Risk assessment

results

5Select elicitation

techniques

Goals, definitions, candidate

techniques, expertise of

stakeholders, organizational

style, culture, level of security

needed, cost benefit analysis, etc.

Work session Requirements engineerSelected elicitation

techniques

9

Page 10: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

SQUARE Steps – Continue

# Step Input Techniques Participants Output

6Elicit security

requirements

• Artifacts,

• Risk assessment results

• Selected techniques

Joint Application

Development (JAD),

interviews, surveys, model-

based analysis, checklists, lists

of reusable requirements

types, document reviews

Stakeholders facilitated

by requirements engineer

Initial cut at

security

requirements

7 Categorize requirements• Initial requirements

• ArchitectureWork session

Requirements engineer,

other specialists as

needed

Categorized

requirements

8 Prioritize requirements• Categorized requirements

• Risk assessment results

• Triage

• Win-Win

Stakeholders facilitated

by requirements engineer

Prioritized

requirements

9Requirements

inspection• Prioritized requirements

• Fagan

• Peer reviewsInspection team

List of security

requirements

10

Page 11: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Other framework

• Secure-i

• Security engineering process using patterns (SEPP)

• Keep all objectives satisfied (KAOS)

• Model-based information system security risk management (ISSRM)

• UMLsec

11

Page 12: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Comparison between these framework

Criteria

Method

Stakeholder

s views

Multi-

Lateral

System Machines Threats Risks QA Formality

SQUARE X X X X X X X -

Secure-i X X X X X X X -

SEPP - - X X - - X X

KAOS X X X X X - X X

ISSRM X - X X X X - -

UMLsec - - - X X - - X

12

Page 13: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Benefits of implementing security

requirements engineering

• Protect business identity

• No need to redevelop systems in order to secure it

• Lower percentage of risks

• Result can be reused in the future

• Reduce business downtime

• Documented systems

• Reduced cost

• Quality improvement

13

Page 14: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Benefits of implementing SQUARE

• Reusable

• Easy to adapt

• More practitioner

• Ability to integrate with development lifecycle

14

Page 15: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Conclusion

• Implementing Security requirements engineering is a must, if the organization wants to protect its identity

• SQUARE is good framework but it is still missing attributes such monitor and control during the implementation, or reviewing the result after implementing the security requirements list.

15

Page 16: SECURITY REQUIREMENTS ENGINEERING: APPLYING SQUARE FRAMEWORK

Q&A

Thanks…

16