
    Model the System from Adversary Viewpoint: Threats Identification and Modeling

    Security attacks are hard to understand and are often expressed with unfriendly and limited details, which makes it difficult for security experts and security analysts to create intelligible security specifications: for instance, to explain Why (the attack objective), What (the system assets, goals, etc.) and How (the attack method) the adversary achieved the attack goals. In this paper we introduce a security attack meta-model for our SysML-Sec framework, developed to improve threat identification and modeling through the explicit representation of security concerns with knowledge representation techniques. Our proposed meta-model enables the specification of these concerns through ontological concepts which define the semantics of the security artifacts introduced using SysML-Sec diagrams. The meta-model also enables the representation of the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework.
    Comment: In Proceedings AIDP 2014, arXiv:1410.322

    Role-Based Access-Control for Databases

    Moving increasingly towards paperless business, more and more sensitive information is held in databases. As a result, databases are a valuable target for attackers. A common method for protecting data is role-based access control, which restricts the rights of system users according to the roles assigned to them. However, implementing security measures is time-consuming manual work for developers, carried out at the same time as the implementation of the application's business logic. This makes it harder to negotiate security needs with the client in the early phases of a project, which in turn increases the risk that the real development costs of the project grow, especially if security deficiencies surface in the implementation. In today's web applications, database connection pooling, where the same connection is used to serve different users, violates the principle of least privilege. All connected users have access to exactly the same set of data, as a result of which sensitive information may leak (for example through SQL injection or bugs in the application). As a solution to this problem we propose tools for designing role-based access control in the software design phase. To model role-based access control we use the UML extension SecureUML. From this model, the tools produced in this thesis can generate code that checks access rights at the database level. This low-level check reduces the risk that users see data to which they have no access rights. The study carried out in this thesis showed that the quality of model-based security development is higher compared to code written by programmers. Because the security model is created in the design phase, its semantic completeness and correctness are high; consequently it is easy to read and modify, and it is easier to use in communication between developers and clients.
    With the constant march towards a paperless business environment, database systems are increasingly being used to hold more and more sensitive information. This means they present an increasingly valuable target for attackers. A mainstream method for information system security is Role-based Access Control (RBAC), which restricts system access to authorised users. However, the implementation of the RBAC policy remains a human-intensive activity, typically performed at the implementation stage of system development. This makes it difficult to communicate security solutions to the stakeholders earlier and raises the system development cost, especially if security implementation errors are detected. The use of connection pooling in web applications, where all the application users connect to the database via the web server with the same database connection, violates the principle of minimal privilege. Every connected user has, in principle, access to the same data. This may leave the sensitive data vulnerable to SQL injection attacks or bugs in the application. As a solution we propose the application of model-driven development to define the RBAC mechanism for data access at the design stages of system development. The RBAC model created using the SecureUML approach is automatically translated to source code, which implements the modelled security rules at the database level. Enforcing access control at this low level limits the risk of leaking sensitive data to unauthorised users. In our case study we compared SecureUML and the traditional security model, written as source code mixed with business logic and user-interface statements. The case study showed that model-driven security development results in significantly better quality for the security model. Because the security model created at the design stage has higher semantic completeness and correctness, it is easier to modify and understand, and it facilitates better communication of security solutions to the system stakeholders than the security model created at the implementation stage.

    A framework for computer-aided validation

    This paper presents a framework for incorporating computer-based validation techniques into the independent validation and verification (IV&V) of software systems. The framework allows the IV&V team to capture its own understanding of the problem and the expected behavior of any proposed system for solving the problem via an executable system reference model, which uses formal assertions to specify mission- and safety-critical behaviors. The framework uses execution-based model checking to validate the correctness of the assertions and to verify the correctness and adequacy of the system under test.
    Approved for public release; distribution is unlimited

    Software security requirements management as an emerging cloud computing service

    © 2016 Elsevier Ltd. All rights reserved.
    Emerging cloud applications are growing rapidly, and the need to identify and manage service requirements is highly important and critical at present. Software Engineering and Information Systems have established techniques, methods and technology over two decades to help achieve cloud service requirements, design, development and testing. However, due to a lack of understanding of the software security vulnerabilities that should have been identified and managed during the requirements engineering phase, we have not been very successful in applying the software engineering, information management and requirements management principles established over at least the past 25 years when developing secure software systems. Software security cannot simply be added after a system has been built and delivered to customers, as is seen in today's software applications. This paper provides concise methods, techniques and best-practice requirements engineering and management as an emerging cloud service (SSREMaaES), and also provides guidelines on software security as a service. The paper also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners and educators, and illustrates our approach on a large cloud system, the Amazon EC2 service.

    A Natural Language Programming Approach for Requirements-based Security Testing

    To facilitate communication among stakeholders, software security requirements are typically written in natural language and capture both positive requirements (i.e., what the system is supposed to do to ensure security) and negative requirements (i.e., undesirable behavior undermining security). In this paper, we tackle the problem of automatically generating executable security test cases from security requirements in natural language (NL). More precisely, since existing approaches for the generation of test cases from NL requirements verify only positive requirements, we focus on the problem of generating test cases from negative requirements. We propose, apply and assess Misuse Case Programming (MCP), an approach that automatically generates security test cases from misuse case specifications (i.e., use case specifications capturing the behavior of malicious users). MCP relies on natural language processing techniques to extract the concepts (e.g., inputs and activities) appearing in requirements specifications and generates executable test cases by matching the extracted concepts to the members of a provided test driver API. MCP has been evaluated in an industrial case study, which provides initial evidence of the feasibility and benefits of the approach.

    Developing System Security through Business Process Modelling

    Understanding and modelling business processes is one of the most important aspects of modern system development. Various approaches have been created for modelling information systems, and Business Process Model and Notation (BPMN) is one of them. It is known that BPMN helps to describe, model and optimise business processes. It is harder to understand how, within this approach, the security of business processes can be managed and the security risks of an information system analysed. This aspect becomes even more complicated in modern information systems, because creating a secure system requires both the business processes and their security concerns to be considered in parallel, that is, in combination. The goal of this research is to analyse the mutual interaction of BPMN and information system security risk management. A structured approach is used to identify the key aspects of BPMN and to understand how this modelling notation expresses security properties, risks and risk management. The work examines how a modeller can use BPMN to express the components of a secure system, risks or risk treatment, and aligns the main constructs of the BPMN language with the concepts of the ISSRM model. The applicability of the BPMN approach is examined on the example of an Internet store. Our research offers an information system analyst or architect the possibility to understand business processes and security components with a single modelling language. The analysis is carried out only at the first level of the language, Descriptive modelling. This opens up for the researcher the possibility to draw parallels between different modelling languages in order to study patterns in the creation of models belonging to the ISSRM family.
    Business process modelling is one of the major aspects of modern system development. Recently, Business Process Model and Notation (BPMN) has become a standard technique to support this activity. Although BPMN is a good approach to understanding business processes, there is limited work on how it could deal with business security and security risk management. This is a problem, since both business processes and security concerns should be understood in parallel to support the development of secure systems. In this paper we analyse BPMN with respect to the domain model of Information System Security Risk Management (ISSRM). We apply a structured approach to understand the key aspects of BPMN and how a modeller could express secure assets, risks and risk treatment using BPMN. We align the main BPMN constructs with the key concepts of the ISSRM domain model. We show the applicability of our approach on a running example related to an Internet store. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. In addition, we open a possibility for business and security model interoperability and for model transformation between several modelling approaches (if both are aligned to the ISSRM domain model).

    A Comparison of Security Modelling Languages used for Security Risk

    Nowadays every company that owns valuable assets tries to protect its assets and liabilities. Unfortunately it is not possible to react to every threat to the security of those assets. To mitigate such possible threats, modelling languages have been extended for use in security risk management. Choosing a suitable language can, however, be a difficult decision, because it is in itself a hard question how to compare these languages and decide which solution is cost-effective. Every security service has its price, while companies are limited by their budgets. The particular language chosen for security risk management must match the company's needs, since this is important for a positive ROI (risk on investment). At the same time, security risk management takes place at an early stage of information system development, and choosing a language that does not match the company's needs may lead to lost time or even to security holes in the system. As a solution to this problem, our technical contribution is a comparison of the modelling languages BPMN, Secure Tropos, Misuse case and Mal-activity diagrams. It is important to determine how these languages work with the Information System Security Risk Management (ISSRM) domain model. A comparison based on a case study and empirical analysis was made in order to gain clarity about the languages addressing security concerns and their semiotic clarity. The empirical analysis together with the case study makes it possible to find out in what ways one language performs better than another with respect to ISSRM. The chosen modelling languages for security risk management are to some extent limited in semiotic clarity, since they were not originally intended to deal with security risk management; rather, used in terms of ISSRM, they help to mitigate threats at an early stage of information system development.
    Nowadays, every company that has valuable assets has an urge to protect them. Unfortunately, it is impossible to act on every single security threat. To mitigate these threats, Security Modelling Languages were extended for use in Security Risk Management. However, choosing a suitable language can be a difficult decision, because it can be a problem to compare those languages and decide which one would bring the most cost-effective solution. Every security solution has its cost, and companies have limited resources. The language chosen for Security Risk Management must suit the company's needs, as this is important in terms of getting a positive ROI (Risk on investment). In addition, Security Risk Management takes place in the early stages of IS development, and choosing a security modelling language that does not suit the company's needs will result in a loss of time as well as possible system vulnerabilities. Our technical contribution to the solution of this problem is a comparison of these Security Modelling Languages: BPMN, Secure Tropos, Misuse cases and Mal-activity diagrams. It is important to determine how these languages act with the Information System Security Risk Management (ISSRM) domain model. The comparison is based on a case study and empirical research in order to understand the semiotic clarity of these languages when used to express security concerns. The empirical research within the case study allows us to point out in which ways one language acts better than another regarding ISSRM. The chosen security modelling languages have limitations regarding semiotic clarity, as they were not designed to deal with security risk management in the first place, but used in terms of ISSRM they help to mitigate risks starting from the early stages of IS development.