8 research outputs found

    Security by Design: An Asset-Based Approach to Bridging the Gap between Architects and Security Experts

    The security requirement should be taken into account at all stages of the software development life cycle. One of the most important approaches for doing this is threat modelling. This approach involves the collaboration of several actors, in particular software architects and security experts, during brainstorming sessions. Even though architects are familiar with the design artifacts they handle and have good expertise in assembly practices, they are not always well trained in security. Unfortunately, it is not always possible to involve security experts at every stage of the development life cycle, due to constraints such as availability, time or budget limitations. Even when this collaboration is possible, the lack of guides and the absence of a sufficiently formalized process mean that these actors often have difficulty interacting. Therefore, brainstorming sessions are often not carried out in an optimal manner and require significant effort. The outcome is also highly dependent on the level of security awareness and expertise of all the actors involved. In order to improve threat modeling approaches, and more generally the consideration of security concerns at the architectural design stage, we propose to define in this thesis a security assistance based on the concept of asset. This assistance is dedicated to architects and helps them to design secure systems even if they have only limited security knowledge. The process enables the identification of assets that are both relevant and vulnerable, which facilitates threat enumeration during the brainstorming sessions.
    The security requirement must be taken into account at every stage of software development. One of the most important approaches for doing so is threat modelling. This approach involves the collaboration, during brainstorming sessions, of several actors, in particular software architects and security experts. While architects know well the design artifacts they handle and good assembly practices, they are not always well trained in security. Unfortunately, it is not always possible to involve these security experts at every stage of a development, owing to constraints of availability, time or budget. Even when this collaboration is possible, because of the lack of guides and the absence of a sufficiently formalized process, these actors often have difficulty interacting. Brainstorming sessions are therefore often conducted in a non-optimal manner and require significant effort. The result also depends on the level of security awareness and expertise of all the actors involved. To improve this approach and the consideration of the security concern, we propose to define in this thesis a security assistance that relies on the concept of "assets" (« biens »). This assistance is dedicated to architects and helps them design secure systems even if they have only limited security knowledge. The process makes it possible to identify assets that are both relevant and vulnerable, which facilitates threat enumeration during brainstorming.

    RQCODE – Towards Object-Oriented Requirements in the Software Security Domain

    Over the last 20 years, the number of vulnerabilities has increased nearly 20-fold, according to NIST statistics. Vulnerabilities expose companies to risks that may seriously threaten their operations. Therefore, it has long been suggested to apply security engineering, the process of accumulating multiple techniques and practices to ensure a sufficient level of security and to prevent vulnerabilities in the early stages of software development, including establishing security requirements and proper security testing. The informal nature of security requirements makes it difficult to maintain system security, eliminate redundancy and trace requirements down to verification artifacts such as test cases. To deal with this problem, Seamless Object-Oriented Requirements (SOORs) promote incorporating formal requirements representations and verification means together into requirements classes. This article is a position paper that discusses opportunities to implement the Requirements as Code (RQCODE) concepts, SOORs in Java, applied to the software security domain. We argue that this concept has an elegance and the potential to raise the attention of developers, since it combines a lightweight formalization of requirements through security tests with seamless integration into off-the-shelf development environments, including modern Continuous Integration/Delivery platforms. The benefits of this approach are yet to be demonstrated in further studies in the VeriDevOps project.

    Development of Secure System of Systems Needing a Rapid Deployment

    In certain cases, such as secure humanitarian corridors in a conflict zone, a special type of SoS that needs a rapid deployment has to be developed. Because of the tight time constraint, usually only a domain expert is responsible for this development. However, many such SoSs also have to take into account the security aspect. How can a domain expert be helped to integrate the security aspect into the rapid development of an SoS? In this proposal paper, we present an approach and a tool suite that help the domain expert tag business assets with security properties, which are then used to identify vulnerabilities and to propose possible security control mechanisms. We illustrate our proposal on a case study.

    Asset-Oriented Threat Modeling

    Threat modeling is recognized as one of the most important activities in software security. It helps to address security issues during software development. Several threat modeling processes are widely used in industry, such as that of the Microsoft SDL. In threat modeling, it is essential to identify assets before enumerating threats, in order to diagnose the threat targets and spot the protection mechanisms. Asset identification and threat enumeration are collaborative activities involving many actors, such as security experts and software architects. These activities are traditionally carried out in brainstorming sessions. Due to the lack of guidance, the lack of a sufficiently formalized process, the high dependence on actors' knowledge, and the variety of actors' backgrounds, these actors often have difficulty collaborating with each other. Brainstorming sessions are thus often conducted sub-optimally and require significant effort. To address this problem, we aim to structure the asset identification phase by proposing a systematic asset identification process based on a reference model. This process structures and identifies relevant assets, facilitating threat enumeration during brainstorming. We illustrate the proposed process with a case study and show its usefulness in supporting threat enumeration and improving existing threat modeling processes such as the Microsoft SDL one.

    An Asset-Based Assistance for Secure by Design

    With the growing number of security attacks causing ever more serious damage to software systems, security cannot be added as an afterthought in software development. It has to be built in from the early development phases such as requirements and design. The role responsible for designing a software system is termed an "architect", someone knowledgeable about system architecture design but not always well trained in security. Moreover, involving security experts in the system design is not always possible due to time-to-market and budget constraints. To address these challenges, we propose in this paper an asset-based security assistance to help architects design secure systems even if they have limited knowledge of security. This assistance helps alert architects to threats and integrate security controls over the vulnerable parts of the system into the architecture model. The central concept enabling this assistance is that of asset. We apply our proposal to a telemonitoring case study to show that automating such an assistance is feasible.