2012 20th IEEE International Requirements Engineering Conference (RE)
Security engineering is primarily concerned with protecting assets from intentional harm. Identifying and evaluating assets is therefore key to modeling threats and attacks, discovering existing vulnerabilities, and selecting the countermeasures needed to guarantee an adequate level of security. Despite this central role, however, assets are often neglected during the development of secure software systems. Moreover, systems are often designed around fixed security problem boundaries and assumptions, without the ability to adapt when assets change unexpectedly, new threats arise, or previously unknown vulnerabilities are revealed. To handle such changes, a system should be capable of dynamically enabling different protective countermeasures. This paper promotes assets as first-class entities in the engineering of secure software systems. An asset model is related to the requirements of the system, expressed through a goal model, and to the objectives of an attacker, expressed through a threat model. This combined model is then used as input to build a causal network that analyzes the security of the system in different situations and, when necessary, enables a set of countermeasures to mitigate the security threat. The causal network is conceived as a runtime entity: it tracks the relevant changes that arise while the system is running and enables a new set of countermeasures in response. We illustrate a working framework supporting our approach and apply it to a substantive example concerned with security for mobile phones.
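The runtime causal network sketched in the abstract, as an added Python example that is not code from the paper or its framework. The abstract does not give the network's formalism, so this example assumes a plain Bayesian network over binary nodes queried by exact enumeration: threat-model nodes (`attacker_in_range`), an exploitable system state (`bluetooth_discoverable`), an asset-model node (`contacts_stored`), and a harm node (`contacts_leaked`) whose conditional probabilities, the countermeasure catalogue, its costs and the risk threshold are all constructed for illustration. Runtime observations (an attacker detected nearby, the asset being removed) are fed in as evidence, the probability of harm is recomputed, and the cheapest countermeasure that brings it under the threshold is enabled.

```python
from itertools import product
from typing import Dict, List, NamedTuple, Optional, Tuple

Assignment = Dict[str, bool]


class CausalNetwork:
    """Binary-node causal (Bayesian) network queried by exact enumeration.

    Assumed semantics for the example: each node has P(node=True | parents)
    tabulated over every combination of parent values. Parents must be added
    before their children, so insertion order is a topological order.
    """

    def __init__(self) -> None:
        self.parents: Dict[str, Tuple[str, ...]] = {}
        self.cpt: Dict[str, Dict[Tuple[bool, ...], float]] = {}

    def add(self, node: str, parents: Tuple[str, ...],
            cpt: Dict[Tuple[bool, ...], float]) -> None:
        for p in parents:
            if p not in self.parents:
                raise ValueError(f"parent {p!r} of {node!r} not defined yet")
        self.parents[node] = parents
        self.cpt[node] = cpt

    def joint(self, a: Assignment) -> float:
        """Probability of one complete assignment of all nodes."""
        p = 1.0
        for node, parents in self.parents.items():
            p_true = self.cpt[node][tuple(a[q] for q in parents)]
            p *= p_true if a[node] else 1.0 - p_true
        return p

    def probability(self, query: str, evidence: Assignment) -> float:
        """P(query=True | evidence), summing the joint over hidden nodes."""
        hidden = [n for n in self.parents if n not in evidence and n != query]
        num = den = 0.0
        for values in product((False, True), repeat=len(hidden)):
            a = dict(evidence, **dict(zip(hidden, values)))
            for q in (False, True):
                a[query] = q
                p = self.joint(a)
                den += p
                if q:
                    num += p
        return num / den if den else 0.0


class Countermeasure(NamedTuple):
    name: str
    node: str     # network node the countermeasure forces when enabled
    value: bool   # value it forces that node to
    cost: float   # disruption cost (constructed); cheapest effective one wins


def build_phone_network() -> CausalNetwork:
    """Constructed mobile-phone scenario; all probabilities are illustrative."""
    net = CausalNetwork()
    net.add("attacker_in_range", (), {(): 0.1})       # threat model
    net.add("bluetooth_discoverable", (), {(): 0.3})  # exploitable system state
    net.add("contacts_stored", (), {(): 0.9})         # asset model
    leak: Dict[Tuple[bool, ...], float] = {}
    for att, bt, stored in product((False, True), repeat=3):
        if not stored:
            leak[(att, bt, stored)] = 0.0    # no asset, nothing to lose
        elif att and bt:
            leak[(att, bt, stored)] = 0.8    # attacker can reach the asset
        else:
            leak[(att, bt, stored)] = 0.01   # background risk
    net.add("contacts_leaked",
            ("attacker_in_range", "bluetooth_discoverable", "contacts_stored"), leak)
    return net


COUNTERMEASURES: List[Countermeasure] = [
    Countermeasure("disable_bluetooth", "bluetooth_discoverable", False, 1.0),
    Countermeasure("wipe_contacts", "contacts_stored", False, 5.0),
]


def select_countermeasure(net: CausalNetwork, harm: str, evidence: Assignment,
                          catalogue: List[Countermeasure],
                          threshold: float) -> Optional[Countermeasure]:
    """Cheapest countermeasure bringing P(harm | evidence) under threshold.

    Returns None when the current risk is already acceptable; raises when no
    single countermeasure in the catalogue suffices.
    """
    if net.probability(harm, evidence) < threshold:
        return None
    effective = []
    for cm in catalogue:
        if evidence.get(cm.node) == cm.value:
            continue  # already in force, cannot help further
        residual = net.probability(harm, dict(evidence, **{cm.node: cm.value}))
        if residual < threshold:
            effective.append((cm.cost, residual, cm.name, cm))
    if not effective:
        raise RuntimeError("no single countermeasure reduces the risk enough")
    return min(effective)[3]


if __name__ == "__main__":
    net = build_phone_network()
    # Constructed runtime observations: nothing known; then an attacker is
    # detected while Bluetooth is discoverable; then the user deletes contacts.
    for evidence in ({},
                     {"attacker_in_range": True, "bluetooth_discoverable": True},
                     {"attacker_in_range": True, "bluetooth_discoverable": True,
                      "contacts_stored": False}):
        risk = net.probability("contacts_leaked", evidence)
        cm = select_countermeasure(net, "contacts_leaked", evidence, COUNTERMEASURES, 0.1)
        print(f"{evidence}: P(leak)={risk:.3f} -> {cm.name if cm else 'no action'}")
```

The third observation is the asset change the abstract emphasizes: once the contacts are gone the harm node's probability drops to zero regardless of the threat, so the network enables no countermeasure, whereas a design with fixed problem boundaries would keep Bluetooth disabled for an asset that no longer exists. Exact enumeration is exponential in the number of hidden nodes, so a real runtime entity would use an inference library rather than this loop.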