Security functional requirements analysis for developing secure software

Research experience shows that security needs to be considered from the beginning of the software development life cycle to avoid expensive rework and reduce potential security vulnerabilities. Hence, defining the right set of security functional requirements (SFRs) and the evaluation assurance level (EAL) becomes a critical task for developers building secure software. Much effort has been put into creating industry standards that provide a shared common base for stakeholders concerned with security. One such standard, used widely in both industry and government in many countries, is the Common Criteria (CC). However, one drawback of the Common Criteria is that it is inefficient to use. Moreover, with limited project information in the early lifecycle phases, it is hard for developers with less security experience to select the right security requirements from those defined in the CC. Extensions to it, and experience from empirical studies of its use, are needed to achieve better and more efficient use of the CC, which also benefits developers by saving effort on security functional requirements definition. A thorough analysis has been done on a dataset consisting of the Security Target (ST) files of 242 security products published on the Common Criteria portal website. A mapping between security objectives and SFRs is presented; it can save much development effort by reducing the range of candidate SFRs once developers know the project's security objectives in the early phases. For cases in which developers know only the product domain of the project, SFR patterns for nine different domains of security products are presented, based on the statistical results from the 242 published security products; these can be customized or used directly for a particular security application.
The analysis results on correlations among the SFR classes defined in the CC and on correlations among security objectives provide good guidance for developers designing the architecture of security products. A trend shows that the EAL tends to increase as the number of SFRs increases. This is not strongly supported by the current dataset, but it indicates a research direction for further discussion and exploration in the future. To validate the correctness of the mapping scheme between security objectives and SFRs, each of the ST files is reviewed to find the consistency and differences between the presented mapping scheme and the SFRs actually selected in the 242 security products with given security objectives. A method is presented to evaluate the effectiveness of these security patterns, which developers can use as a factor when considering whether to apply the patterns in practice.
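As an added illustration (not the paper's own code or data), the following Python derives an objective-to-SFR candidate mapping and per-domain SFR patterns from a small constructed set of ST records, then checks a pattern against the STs of its domain; the SFR identifiers are real CC Part 2 components, while the objective names, the support threshold and the coverage/precision effectiveness measure are assumptions made for this example.

```python
"""Objective->SFR candidate mapping and per-domain SFR patterns derived from
Security Target (ST) records. Added example; the ST dataset is constructed."""
from collections import Counter, defaultdict

# Constructed ST records: product domain, claimed security objectives, selected
# SFRs. SFR ids are real CC Part 2 components; "O.<NAME>" objectives are made up.
STS = [
    {"domain": "firewall", "objectives": {"O.AUDIT", "O.AUTH", "O.FILTER"},
     "sfrs": {"FAU_GEN.1", "FAU_SAR.1", "FIA_UAU.2", "FIA_UID.2", "FDP_IFC.1",
              "FDP_IFF.1", "FPT_STM.1"}},
    {"domain": "firewall", "objectives": {"O.AUDIT", "O.AUTH", "O.FILTER"},
     "sfrs": {"FAU_GEN.1", "FIA_UAU.2", "FIA_UID.2", "FDP_IFC.1", "FDP_IFF.1",
              "FMT_SMR.1"}},
    {"domain": "smartcard", "objectives": {"O.AUTH", "O.CRYPTO"},
     "sfrs": {"FIA_UAU.2", "FCS_COP.1", "FCS_CKM.1", "FPT_PHP.3"}},
    {"domain": "smartcard", "objectives": {"O.CRYPTO"},
     "sfrs": {"FCS_COP.1", "FCS_CKM.1", "FPT_PHP.3", "FDP_ACC.1"}},
]

def objective_sfr_mapping(sts, min_support=0.6):
    """For each objective: SFRs selected by >= min_support of the STs claiming it,
    with their support, most frequent first (threshold is an assumption)."""
    claims, cooc = Counter(), defaultdict(Counter)
    for st in sts:
        for obj in st["objectives"]:
            claims[obj] += 1
            cooc[obj].update(st["sfrs"])
    return {obj: [(sfr, n / claims[obj]) for sfr, n in cooc[obj].most_common()
                  if n / claims[obj] >= min_support] for obj in claims}

def candidate_sfrs(mapping, objectives):
    """Narrowed candidate range: union of mapped SFRs for the known objectives."""
    return sorted({sfr for obj in objectives for sfr, _ in mapping.get(obj, [])})

def domain_pattern(sts, domain, min_support=0.6):
    """SFR pattern for a product domain: SFRs chosen by >= min_support of its STs."""
    members = [st for st in sts if st["domain"] == domain]
    counts = Counter(s for st in members for s in st["sfrs"])
    return sorted(s for s, n in counts.items() if n / len(members) >= min_support)

def pattern_effectiveness(sts, domain, pattern):
    """Compare a pattern with the actual STs of its domain: mean coverage (share
    of each ST's SFRs the pattern contains) and mean precision (share of the
    pattern's SFRs the ST really selected). Illustrative measure, not the paper's."""
    members = [st for st in sts if st["domain"] == domain]
    pat = set(pattern)
    cov = sum(len(pat & st["sfrs"]) / len(st["sfrs"]) for st in members)
    prec = sum(len(pat & st["sfrs"]) / len(pat) for st in members)
    return round(cov / len(members), 3), round(prec / len(members), 3)
```

On a real ST corpus the same two steps (support per objective, support per domain) scale directly; the threshold is what trades a narrower candidate range against coverage of the SFRs products actually select.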
