Architectural Risk Analysis - Building Secure Software - Lecture Slides, Slides of Software Engineering

Download Architectural Risk Analysis - Building Secure Software - Lecture Slides and more Slides Software Engineering in PDF only on Docsity!

Architectural Risk Analysis

Application of Touchpoints

Requirement andUse cases Architectureand Design Test Plans Code (^) Test ResultsTests and Feedback fromthe Field

5. Abuse cases 6. Security Requirements 2. Risk Analysis

External Review

4. Risk-Based Security Tests 1. Code Review (Tools) 2. Risk Analysis 3. Penetration Testing 7. Security Operations

Software Requirement Specification

• Functional requirements
  • Features a software has
  • Implied requirements
• Non-Functional requirements
  • Performance, reliability, security, etc.
  • Effects quality of product
• Regulatory requirements
  • Law, standards, organizational regulation, contract, etc.
• External interface requirements
  • Interaction with other software and hardware
• Acceptance criteria
  • Confirm that the software is working according to the client’s specification

Review SRS

• Cost effective: getting the requirements right
• Manual review: team of experts (at least 3) for 1.5- 2 hours/session
• Detection rate of good review: 60-90%
• More cost effective to do requirement review than code testing alone

Security Risk Analysis

• Risk analysis: identifying and ranking risks
• Risk management: number of discrete risk analysis exercises, tracking risk, mitigating risks
• Need: understanding of business impact

Security Risk Analysis

• Learn about the target of analysis
• Discuss security issues
• Determine probability of compromise
• Perform impact analysis
• Rank risks
• Develop mitigation strategy
• Report findings

Discuss security issues

• Argue about how the product works, areas of disagreement
• Identify possible vulnerabilities (lists, tools)
• Identify exploits and protection
• Understand security controls (current, planned)

Determine probability of

compromise

• Attack scenarios
• Historical data
• Balance control against threat

Rank risk

• Connect to business goals
• Regulatory requirements
• Customer’s needs
• Capabilities

Develop mitigation strategy

• Countermeasures
  • Technical
  • Societal
  • Ecomonics
• Capabilities and preferences

Traditional Risk Analysis

• Financial loss-based
  • Balance cost vs. loss
• Mathematically derived “risk rating”
  • Threat, probability, and impact
• Qualitative assessment
  • Knowledge-driven or anecdotal factors
  • Social Impact

Terminology

• Asset: object of protection
• Risk: probability that the asset will suffer an attack
• Threat: the actor (agent) who is the source of danger
• Vulnerability: defect or weakness in the system
• Countermeasures or safeguards: management, operational, and technical control to protect confidentiality, integrity, and availability
• Impact: impact on the organization
• Probability: likelihood that the event will occur (high, medium, low)

Risk Calculation

• Financial loss: ALE = SLE x ARO
  • ALE – annualized loss expectancy
  • SLE – single loss expectancy
  • ARO – annualized rate of occurrence
• Distinguish between attacks based on frequency of occurance
• Qualitative risk assessment (e.g., loss of reputation, loss of trust, etc.)
• ROI: return-on-investment
  • Note: security is more like insurance… it will never hit a “big payoff”

Limitations of Traditional Approaches

• Hard to find correct data for statistical distribution
• Do not necessarily provide an easy guide
• Modern applications are complex: contextual variability of risk