Security Specification

Question 1

What is meant by Security Specification?

Answer 1

Meaning: A security specification is a set of guidelines that outline how to implement security measures to protect data and ensure confidentiality and integrity.

Note: In common with safety requirements specification – concern is to avoid something bad
happening.

Four Major Differences:
1. Safety problems are accidental – the software is not operating in a hostile environment. In security, you must assume that attackers have knowledge of system weaknesses.

2. When safety failures occur, you can look for the root cause or weakness that led to the failure. When failure results from a deliberate attack, the attacker may conceal the cause of the failure.
3. Shutting down a system can avoid a safety-related failure. Causing a shut down may be the aim of an attack.
4. Safety-related events are not generated from an intelligent adversary. An attacker can probe defences over time to discover weaknesses.

Question 2

What is meant by Security Policy?

Answer 2

Meaning: A document that applies to all systems and sets out what should and should not be allowed.

For example, a military policy might be:
* Readers may only examine documents whose classification is the same as or below the readers vetting/security level.

• A security policy sets out the conditions that must be maintained by a security system and so helps identify system security requirements.

Question 3

Name and Describe each part of the security risk assessment process? (8 parts)

Answer 3

Asset Identification:
Identify the key system assets (or services) that have to be protected.

Asset Value assessment:
Estimate the value of the identified assets.

Exposure Assessment:
Assess the potential losses associated with each asset.

Threat Identification:
Identify the most probable threats to the system assets.

Attack Assessment:
Decompose threats into possible attacks on the system and the ways that these may occur.

Control Identification:
Propose the controls that may be put in place to protect an asset.

Feasibility Assessment:
Assess the technical feasibility and cost of the controls.

Security Requirements Definition:
Security requirements can be infrastructure or application system requirements.

Question 4

Note on Software Dependability?

Answer 4

• Software customers expect all software to be dependable.
• However, for non-critical applications, they may be willing to accept some system failures.
• Some critical systems have very high dependability requirements and special software engineering techniques may be used to achieve this.
  • Medical systems
  • Telecommunications and power
    systems
  • Aerospace systems

Question 5

What are the three key areas to achieving software dependability?

Answer 5

Fault Avoidance:
- The system is developed in such a way that human error is avoided and thus system faults are minimised.
- The development process is organised so that faults in the system are detected and repaired
before delivery to the customer.

Fault Detection:
- Verification and validation techniques are used to discover and remove faults in a system before it is deployed.

Fault Tolerance:
- The system is designed so that faults in the delivered software do not result in system failure

Question 6

Note / Recap on Regulation

Answer 6

• Many critical systems are regulated systems, which means that their use must be approved by an external regulator before the systems go into service.
  
  • Nuclear systems
  • Air traffic control systems
  • Medical devices
• A safety and dependability case has to be approved by the regulator. Therefore, critical systems development has to create the evidence to convince a regulator that the system is dependable, safe and secure.

Question 7

Why can’t we always trust software dependability cases?

Answer 7

Economical or technological reasons might make a manufacturer interested
in the software slightly deviating from its main objective.

Example: Volkswagen’s exhaust emission scandal, etc.

Question 8

What is meant by Redundancy and Diversity in relation to dependability.

Answer 8

Redundancy:
Meaning: Keep more than 1 version of a critical component available so that if one fails then
a backup is available.

Diversity:
Meaning: Provide the same functionality in different ways so that they will not all fail in the
same way.

Note: diversity adds complexity – more chance of errors.

Question 9

An example of Diversity and Redundancy examples

Answer 9

• Redundancy
  
  • Where availability is critical (e.g.
    in e-commerce systems),
    companies normally keep backup
    servers and switch to these
    automatically if failure occurs.
• Diversity
  
  • To provide resilience against
    external attacks, different servers
    may be implemented using
    different operating systems (e.g.
    Windows and Linux)

Question 10

What is meant by a dependable process?

Answer 10

Meaning: A well-defined, repeatable processes that can be carried out by different people.

Note: To ensure a minimal number of software faults, it is important to have a well-defined, repeatable software process.

Note: A well-defined repeatable process is one that does not depend entirely on individual skills; rather can be enacted by different people.

Note: Regulators use information about the process to check if good software engineering practice has been used.

Note: For fault detection, it is clear that the process activities should include significant effort devoted to verification and validation.

Question 11

Name and Describe each attribute attribute of dependable processes?

Answer 11

Documentable:
* There should be a defined process model that sets out the process activities and the documentation that is to be produced during
these activities.

Standardised:
* There should be a defined process model that sets out the process activities and the documentation that is to be produced during
these activities.

Auditable:
* The process should be understandable by people apart from process participants, who can check that process standards are being
followed and make suggestions for process improvement.

Diverse:
* The process should include redundant and diverse verification and validation activities.

Robust:
* The process should be able to recover from failures of individual process activities

Question 12

Note on Process Diversity and Redundancy

Answer 12

• Process activities, such as validation, should not depend on a single approach, such as testing, to validate the system
• Rather, multiple different process activities that complement each other and allow for cross-checking help to avoid process errors, which may lead to errors in the software

Types:
* Reviews
* Automated analysis
* Testing

Question 13

Name Different Types of Validation Activities

Answer 13

• Requirements reviews.
• Requirements management.
• Formal specification.
• System modelling
• Design and code inspection.
• Static analysis.
• Test planning and management.

Question 14

What is meant by dependable programming?

Answer 14

Meaning; Good programming practices can are adopted to help reduce the incidence of program faults.

These programming practices support
* Fault avoidance
* Fault detection
* Fault tolerance

Question 15

Name examples of good practice guidelines for dependable programming?

Answer 15

• Limit the visibility of information in a program
• Check all inputs for validity
• Provide a handler for all exceptions
• Minimise the use of error-prone constructs
• Provide restart capabilities
• Check array bounds
• Include timeouts when calling external components
• Name all constants that represent real-world values

Question 16

Summary of Topic (Security Specification)

Answer 16

• Dependability in a program can be achieved by avoiding the introduction of faults, by detecting and removing faults before system deployment, and by including fault tolerance facilities.
• The use of redundancy and diversity in hardware, software processes and software systems is essential for the development of dependable systems.
• The use of a well-defined, repeatable process is essential if faults in a system are to be minimised.
• Dependable programming relies on the inclusion of redundancy in a program to check the validity of inputs and the values of program variables.