SECURITY REQUIREMENTS ENGINEERING:
APPLYING SQUARE FRAMEWORK
By: Ramez Al-Fayez
Overview
• Definitions
• Business pains
• SQUARE Framework
• Other Frameworks
• Benefits
• Q&A
Definitions
• Requirement: “is a condition or capability that must be met or possessed by a system or system component to satisfy a contract, standard, specification, or other formally imposed documents”
• In general, a requirement is based on what the product should do, not how the product should do it.
• Requirements engineering “is the branch of software engineering concerned with the real-world goals for, functions of, and constraints on software systems. It is also concerned with the relationship of these factors to precise specifications of software behavior, and to their evolution over time and across software families”
Definitions
• Security “is measurement or action to prevent harm to a component”
• Security requirements engineering “is about defining the way to achieve security goals, traditionally classified into confidentiality, integrity, and availability (CIA) goals”
Business pains
• 60% of failed projects fail due to the lack of a requirements engineering process or methodology
• 79% of cyber-attacks happened because security requirements were not a focus while implementing the product/project
Top web attacks
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Known Vulnerable Components
• Unvalidated Redirects and Forwards
These can be avoided if security is addressed before development starts.
Hierarchy of security goals
Business goals
Safety and security goals
Security requirements
Various architectural and policy recommendations
SQUARE Framework
Agree on definitions
Identify security goals
Develop artifacts
Elicit security requirements
Select elicitation techniques
Perform risk assessment
Categorize requirements
Prioritize requirements
Requirements inspection
SQUARE Steps
| # | Step | Input | Techniques | Participants | Output |
|---|------|-------|------------|--------------|--------|
| 1 | Agree on definitions | Potential definitions | Structured interviews; focus group | Stakeholders, requirements team | Agreed-to definitions |
| 2 | Identify security goals | Definitions, candidate goals, business drivers, policies and procedures, examples | Facilitated work session; surveys and interviews | Stakeholders, requirements engineer | Goals |
| 3 | Develop artifacts | Potential artifacts | Work session | Requirements engineer | Needed artifacts: scenarios, misuse cases, models, templates, forms |
| 4 | Perform risk assessment | Misuse cases; scenarios; security goals | Risk assessment method; analysis of anticipated risk; threat analysis | Requirements engineer, risk expert, stakeholders | Risk assessment results |
| 5 | Select elicitation techniques | Goals, definitions, candidate techniques, expertise of stakeholders, organizational style, culture, level of security needed, cost benefit analysis, etc. | Work session | Requirements engineer | Selected elicitation techniques |
SQUARE Steps – Continued
| # | Step | Input | Techniques | Participants | Output |
|---|------|-------|------------|--------------|--------|
| 6 | Elicit security requirements | Artifacts; risk assessment results; selected techniques | Joint Application Development (JAD), interviews, surveys, model-based analysis, checklists, lists of reusable requirements types, document reviews | Stakeholders facilitated by requirements engineer | Initial cut at security requirements |
| 7 | Categorize requirements | Initial requirements; architecture | Work session | Requirements engineer, other specialists as needed | Categorized requirements |
| 8 | Prioritize requirements | Categorized requirements; risk assessment results | Triage; Win-Win | Stakeholders facilitated by requirements engineer | Prioritized requirements |
| 9 | Requirements inspection | Prioritized requirements | Fagan; peer reviews | Inspection team | List of security requirements |
Other frameworks
• Secure-i
• Security engineering process using patterns (SEPP)
• Keep all objectives satisfied (KAOS)
• Model-based information system security risk management (ISSRM)
• UMLsec
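Comparison between these frameworks
| Method | Stakeholders' views | Multi-lateral | System | Machines | Threats | Risks | QA | Formality |
|--------|---------------------|---------------|--------|----------|---------|-------|----|-----------|
| SQUARE | X | X | X | X | X | X | X | - |
| Secure-i | X | X | X | X | X | X | X | - |
| SEPP | - | - | X | X | - | - | X | X |
| KAOS | X | X | X | X | X | - | X | X |
| ISSRM | X | - | X | X | X | X | - | - |
| UMLsec | - | - | - | X | X | - | - | X |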
Benefits of implementing security requirements engineering
• Protect business identity
• No need to redevelop systems in order to secure them
• Lower percentage of risks
• Result can be reused in the future
• Reduce business downtime
• Documented systems
• Reduced cost
• Quality improvement
Benefits of implementing SQUARE
• Reusable
• Easy to adapt
• More practitioner
• Ability to integrate with development lifecycle
Conclusion
• Implementing security requirements engineering is a must if the organization wants to protect its identity
• SQUARE is a good framework, but it is still missing attributes such as monitoring and control during the implementation, or reviewing the result after implementing the security requirements list.
Q&A
Thanks…