Toward a secure system engineering methodology

This paper presents a methodology for enumerating the vulnerabilities of a system and determining which countermeasures can best close those vulnerabilities. We first describe how to characterize possible adversaries in terms of their resources, access, and risk tolerance; then we show how to map vulnerabilities to the system throughout its life cycle; and finally we demonstrate how to correlate the attacker's characteristics with the characteristics of the vulnerability to see whether an actual threat exists. Countermeasures need to be considered only for the attacks that meet the adversaries' resources and objectives. Viable countermeasures must meet user needs for cost, ease of use, compatibility, performance, and availability.

1998 NSPW 9/96 Charlottesville, VA, USA 1-58113-168-2/99/0007...

* This paper is based on research done by a working group sponsored by the National Security Agency.
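The three steps the abstract describes (characterize adversaries, map vulnerabilities across the life cycle, correlate the two to find actual threats, then filter countermeasures by user needs) can be made concrete as a small model. The following is an added illustration, not code or notation from the paper or its working group; the attribute names, the ordinal scales for resources and risk, and every adversary, vulnerability and countermeasure in it are constructed assumptions chosen to show the correlation rule, not findings about any real system.

```python
"""Worked example of the adversary/vulnerability correlation step.

Constructed illustration; attribute names and scales are assumptions,
not the paper's own notation.
"""
from dataclasses import dataclass

# Assumed ordinal scales so an adversary's capability can be compared
# against what exploiting a vulnerability would demand.
RESOURCE_LEVELS = {"individual": 1, "organized_group": 2, "nation_state": 3}
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Adversary:
    name: str
    resources: str           # key into RESOURCE_LEVELS
    access: frozenset        # access the adversary already has, e.g. "remote"
    risk_tolerance: str      # key into RISK_LEVELS: willingness to be detected


@dataclass(frozen=True)
class Vulnerability:
    name: str
    life_cycle_phase: str    # "design", "implementation", "deployment", "operation"
    resources_needed: str    # minimum RESOURCE_LEVELS key to exploit it
    access_needed: str       # access an attacker must already hold
    detection_risk: str      # RISK_LEVELS key: exposure the attacker accepts


@dataclass(frozen=True)
class Countermeasure:
    name: str
    closes: frozenset        # names of the vulnerabilities it addresses
    cost: int                # assumed relative cost units
    usable: bool             # ease of use / compatibility / performance acceptable


def is_threat(adv: Adversary, vuln: Vulnerability) -> bool:
    """A vulnerability is an actual threat from this adversary only if the
    adversary can afford the attack, holds the access it needs, and will
    accept the risk of detection that exploiting it carries."""
    return (
        RESOURCE_LEVELS[adv.resources] >= RESOURCE_LEVELS[vuln.resources_needed]
        and vuln.access_needed in adv.access
        and RISK_LEVELS[adv.risk_tolerance] >= RISK_LEVELS[vuln.detection_risk]
    )


def live_threats(adversaries, vulnerabilities):
    """Map each vulnerability to the adversaries for whom it is a real threat;
    vulnerabilities no modelled adversary can or would exploit are dropped."""
    out = {}
    for v in vulnerabilities:
        who = [a.name for a in adversaries if is_threat(a, v)]
        if who:
            out[v.name] = who
    return out


def viable_countermeasures(countermeasures, threats, budget):
    """Keep only countermeasures that close a live threat and meet user needs
    (modelled here as a cost budget plus an acceptability flag)."""
    return [
        c.name for c in countermeasures
        if c.closes & set(threats) and c.cost <= budget and c.usable
    ]


def build_model():
    """Constructed sample data: three adversary profiles, four vulnerabilities
    spread over the life cycle, and five candidate countermeasures."""
    adversaries = [
        Adversary("opportunist", "individual", frozenset({"remote"}), "low"),
        Adversary("insider", "individual", frozenset({"insider", "physical"}), "medium"),
        Adversary("foreign_service", "nation_state",
                  frozenset({"remote", "physical", "supply_chain"}), "low"),
    ]
    vulnerabilities = [
        Vulnerability("unauthenticated admin interface", "operation",
                      "individual", "remote", "low"),
        Vulnerability("unencrypted backup tapes", "deployment",
                      "individual", "physical", "medium"),
        Vulnerability("subverted build tool", "implementation",
                      "nation_state", "supply_chain", "high"),
        Vulnerability("weak emanation shielding", "design",
                      "nation_state", "physical", "low"),
    ]
    countermeasures = [
        Countermeasure("require MFA on admin interface",
                       frozenset({"unauthenticated admin interface"}), 2, True),
        Countermeasure("encrypt backup media",
                       frozenset({"unencrypted backup tapes"}), 3, True),
        Countermeasure("reproducible-build audit",
                       frozenset({"subverted build tool"}), 4, True),
        Countermeasure("shielded facility",
                       frozenset({"weak emanation shielding"}), 9, True),
        Countermeasure("air-gap the admin network",
                       frozenset({"unauthenticated admin interface"}), 1, False),
    ]
    return adversaries, vulnerabilities, countermeasures


def demo(budget: int = 5):
    adversaries, vulnerabilities, countermeasures = build_model()
    threats = live_threats(adversaries, vulnerabilities)
    return threats, viable_countermeasures(countermeasures, threats, budget)


if __name__ == "__main__":
    threats, viable = demo()
    for vuln, who in threats.items():
        print(f"{vuln}: threatened by {', '.join(who)}")
    print("viable countermeasures:", viable)
```

Two points the sample data is built to show: the subverted build tool is dropped even though the nation-state adversary has the resources and the supply-chain access, because its low risk tolerance rules out a high-detection-risk attack; and the shielding countermeasure is dropped not for lack of a threat but because it fails the user's cost constraint, which is the second filter the abstract describes.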