CCARCH: Architecting Common Criteria Security Requirements

As technology continues to evolve, so do the entities that threaten its security. We believe that, in order to build dependable software, security should be treated just like any other important aspect of a system; to do this, we must emphasize it at the beginning of the development cycle and be able to carry the security requirements down the cycle. We focus on a technique known as the Common Criteria, which allows for the development of security requirements. We extend the capabilities of Common Criteria beyond the requirements phase, allowing us to take security requirements into further stages of the cycle. In this paper we describe CCARCH, a technique accompanied by a set of tools, that takes security requirements expressed in Common Criteria to the architectural level. Our approach aids in making the usage of Common Criteria more beneficial and applicable.
