Software Engineering for Security a Roadmap

1
Software Engineering for Security a Roadmap

• Paper by
• Premkumar T. Devanbu Stuart Stubbelbine
• Presented by
• Shankarr Kalyanaraaman

2
Warm up.

• Our dependence, Risk range and criticality.
• Challenges..COTS, Mobile code, etc.
• Solution - Security in software engineering.

3
Agenda

• Requirements and policies
• Architecture and design of security systems
• Software piracy protection
• Trusting software components
• Verification of systems
• Secure software deployment
• Secure computations, not secure computers
• Conclusion Remarks

4
Requirements and policies

• Security a non functional requirement, an
  afterthought ?
• Security models lessons learnt
• Challenge - Unifying security with systems
  engineering.
• Rational functional requirements engineering.
• Expense, Resource availability and best of both
  worlds
• But how ???? - Remarks
• Challenge - Unifying security and system models.
• Use of models current trend.
• Security is not a component of qualitative system
  modeling.
• Approaches, advantages and challenges ? Research
  areas.
• SecureUML1 An approach

5
Architecture and Design

• Reengineering software systems for security
  poor planning and scenario changes.
• Challenge Legacy security mismatches.
• Impedance mismatch Legacy and Standards.
• Research areas platform independent policy and
  security systems.
• Can web-services and standards like SOAP, XML be
  used, maybe. discuss !!!
• Challenge Separating the security Aspect.
• Difficulty in reengineering legacy systems ?
  evolvable security.
• Aspect oriented programming.
• Use of architectural connectorsdoes anything
  strike.?

6
Software piracy protection

• Economic benefits in pirating Adversary
  Economics.
• Approaches
• Hardware and software tokens. ineffective.
• Dynamic decryption of code
• Watermarking static dynamic
• Code partitioning
• Challenge Attacker cost models.

7
Trusting software components

• Risks involved with COTS based systems.
• Black box approach.
• Grey box approach.
• Cryptographic techniques.
• Tamper resistant hardware.
• Challenges more grey box approaches.

8
Verification of systems

• Security features and assurance requirement
  standards.
• COTS, Common Criteria Technology.
• Formal methods Automatic verification.
• Challenge Implementation based verification.

9
Secure software deployment

• Successive version problem
• PDCM Post Deployment Configuration Management.
• Challenge - Controlled Delegation.
• Challenge privacy protection.

10
Secure computations, not secure computers

• Test oracles Proof checkers.
• Use of secure data structures and proof carrying
  answers.

11
Remarks

• Remarks
• Paper is effective in communicating issues.
• Clarity in presentation of topics and neat
  organization.
• Targets a wide range of security problems.
• Issues
• lacks better explanation for complex technical
  concepts

12
Relation to Embedded systems

• Safety critical systems require more security
  than any other.
• Embedded systems require stricter verification
  due to higher levels of composition (Hardware
  Software).