
Recommendations for Effective Security Assurance of Software-Dependent Systems

  • Conference paper
  • Published in: Intelligent Computing (SAI 2020)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1230)

Abstract

Assuring the security of software-dependent systems in the face of cyber-attacks and failures is now among the top priorities for governments and for providers of electric, financial, communication, and other essential services. Practical and foundational solutions for systematic, secure, and trustworthy system development are needed to support developers, regulators, and certification bodies in providing assurance that the security threats faced by the software systems used in these environments have been adequately mitigated. Using recent experiences reported in the literature as a basis, we discuss the challenges of providing security assurance for software-dependent systems. We also explore the barriers to adoption of existing approaches and techniques that can play an important role in security assurance efforts. Finally, we present a set of recommendations outlining follow-on research directions that can advance the state of the art and support the development of more effective security assurance solutions for critical software-dependent systems.



Acknowledgment

This research was supported by the Natural Sciences and Engineering Research Council of Canada (NSERC) grant RGPIN-2019-06306.

Author information

Corresponding author: Jason Jaskolka


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Jaskolka, J. (2020). Recommendations for Effective Security Assurance of Software-Dependent Systems. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Intelligent Computing. SAI 2020. Advances in Intelligent Systems and Computing, vol 1230. Springer, Cham. https://doi.org/10.1007/978-3-030-52243-8_37
