M2. Integrating Security Engineering and Software Engineering

Traditional practices for developing secure systems were (and still are in many cases) closer to art than to an engineering discipline. Security is still treated as an add-on and is therefore not integrated into software development practices. Experienced security artisans are still key for achieving acceptable levels of security.

Several approaches and research strands have tried to address this situation in order to introduce rigor and engineering approaches in the treatment of security aspects in information systems, mainly focusing on the final development phases or some specific aspects. Still today, one finds in the literature that the main books about security engineering describe isolated techniques and lack systematic and comprehensive treatment of security that covers the complete system lifecycle. The main drawbacks of those approaches is that they fail to provide a reasonable support for systematic engineering since the identification, characterization and specification of the protection goals and threats as well as the selection of appropriate mechanisms and countermeasures depends on the experience of the engineers. Consequently, they represent only minor improvements over the security craftsmanship era. However, they have been used for some time with uneven results.

These considerations lead us to conclude that system engineering processes must evolve in order to integrate security naturally throughout the development cycle instead of relying on it as an add-on or external component to be integrated a posteriori. In this line, recent works carried out both in the US and EU have shown that the state of the art allows us now to finally address the redefinition of security engineering into a fully-fledged proper engineering discipline and to integrate it with current software and system engineering processes. In particular, we highlight the fact that the Executive Order 13636, entitled "Improving Critical Infrastructure Cybersecurity" introduces efforts for "Building a set of current, successful approaches-a framework-for reducing risks to critical infrastructure". This course will present the most solid foundations available for building such framework, and will:

• Provide attendees with the necessary knowledge of the current situation;

• Present a global integrated vision of the security and system engineering activities;

• Present two paradigmatic initiatives for integration of security engineering into software/system engineering: The NIST initiatives for integration of security engineering and software engineering and the SecFutur approach for an integrated model-driven development process for secure systems;

• Provide guidance for the practical application of the course content by attendees; and

• Discuss the impact of the application of these initiatives in relevant emerging computing paradigms.

The central topic of the course is the integration of software and security engineering. Consequently, the overall objective of this course is to provide attendees with a clear vision, well-defined methodologies, and practical knowledge to adopt an integrated treatment of security engineering and software engineering processes in their organizations, thus improving the security of cybersystems. One important consideration from our experience is to design courses with a practical and analytic approach, ensuring that participants get the necessary perspective and can apply the knowledge in practice. We have therefore designed the course to (i) provide attendees with knowledge they can actually apply in their organizations; and (ii) avoid content-oriented approaches, and adopt instead a goal-oriented approach in which all contents are explained as tools for the main objective, which is to help attendees improve the security engineering and software engineering practices in their organizations. We define 4 main goals for the course. After taking this course, attendees should be able to:

1. Understand secure engineering principles, activities and best practices, including the role of each activity in an integrated process, and their interrelations.

2. Know the capabilities and limitations of the state of the art for each of these activities.

3. Understand the NIST and SecFutur initiatives for integration of security and software engineering and, in particular, know how to adopt these methodologies in their organizations.

4. Know the challenges of developing secure systems for emerging computing scenarios, and know how integrated methodologies can help them tackle those challenges.

In summary, by taking the course, attendees will:

• Gain a profound knowledge of the state of the art and of methodologies and tools. To ensure this, contents will be presented not only as a collection of facts, but also from an analytic and practical perspective.

• Practical ready-to-use know-how. The course contains material that will allow attendees to adopt the approaches, methodologies and tools presented in the course in their own organizations.

• Personal consulting. After the course, each attendee will be offered a free 30 min personal consulting session on how to better adopt the presented methodologies in their particular organizations as well as further follow-up by email. Depending on the number of attendees interested in this offer, and their preferences, we will schedule those sessions during the conference, or after it via videoconferencing.

Prerequisites. The course is designed for engineers and developers that need to deal with security aspects when designing and developing software systems. However, the content covered and the presentation strategy allow us to target a wider audience, which includes researchers, people interested in modelling, security solutions developers, etc. The course touches topics that we believe will be of interest of most attendees of ACSAC. In order to fully assimilate the topics covered in the course, attendees should have at least basic experience in system development and security. Background on security solutions and methodologies would be useful, but is not required.

Outline:

1. Security in Systems Engineering Vision: Current approaches to SSE, and Problems (60 minutes)

   The first part of the course introduces the vision and challenges of security in systems engineering. We will explain the importance of adopting robust and integrated security engineering practices using real examples and how an integrated software and security engineering methodology can benefit developers and users by ensuring that security is adequately treated during the whole system lifecycle.

   This part of the course will describe the state of the art and analyze the different engineering approaches, methodologies and artifacts identifying their problems. We will cover: Threat based initiatives, Risk based initiatives, Formal methods based initiatives and Model based initiatives.

2. Integrating Security in Systems Engineering: The big picture (90 minutes)

   This is the first of the two central parts of the course. In this part we provide a global view of the field, and describe its activities, modeling approaches and engineering processes. Contents will deal with: Introduction and models for integration; Engineering activities: risk analysis, requirements (elicitation, specification, traceability, validation), design, secure code development & testing; Security modeling: formal modeling, security patterns, S&D patterns, UML-based approaches; Security in Architecture Frameworks; Monitoring and transparency; Compliance, Certification and Assurance.

3. Current Cyber-security Engineering Initiatives (180 minutes)

   This part will present two pivotal and relevant initiatives for integrating security and software engineering, describing their common and differential aspects, and the keys for their practical application. We also present other related initiatives.

   US: NIST Initiatives. This part will describe the different initiatives ongoing at NIST, covering: Introduction and Objectives; Initiatives, Techniques and Standards developed at NIST; Examples of practical application; and Future Work and Challenges

   EU: SECFUTUR Project. This part will describe an European initiative jointly developed by a set of selected partner organizations across Europe for setting the foundations of an integrated discipline for software and security engineering. Contents will be: Introduction and Objectives; Techniques, Artifacts and Processes; Practical application and supporting tools; and Future Work and Challenges.

4. Relation with relevant current and future computing scenarios (30 minutes)

   The final part of the course will revise the challenges derived from the new computing scenarios that are already taking the industry by storm such as service-oriented computing and cloud computing. In particular, we'll analyze the need for an integrated approach to security engineering and software engineering in: Embedded systems; Internet of things; Service-based systems; and Cloud Computing

About the Instructors:

Prof. Dr. Antonio Maña received his MSc and PhD degrees in Computer Engineering from the University of Malaga in 1994 and 2003, respectively. In 1995 he joined the Department of Computer Science at the University of Malaga where he is currently Professor in the Computer Science Department and leaders of the PROTEUS Research Laboratory. He is also the Research Director at Safe Society Labs. He has more than 15 years of experience working in the field of computer and software security, and on practical application of software engineering. His current research activities include integration of security and software engineering, advanced multi-layered monitoring, information and network security, security in service-based systems and cloud computing, computer-processable security certification, and software protection. He has more than 120 peer-reviewed publications. He has continuously participated in EU funded projects since 2001. He is the Principal Investigator of the PROTEUS research laboratory in FP7 OKKAM, PASSIVE, SECFUTUR, ASSERT4SOA, CUMULUS and PARIS projects, and has previously been involved in the FP6 Serenity, iAccess and GST projects, and FP5 CASENET project. Dr. Maña is member of the editorial board and reviewer for several international journals, and participates in numerous research and education activities.

Dr. Ron Ross is a Fellow at the National Institute of Standards and Technology. He leads the Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. Dr. Ross has authored numerous cyber security publications and is the principal architect of the NIST Risk Management Framework. Dr. Ross also leads the Joint Task Force Transformation Initiative Working Group, a joint partnership with NIST, the Department of Defense, and the Intelligence Community, to develop a unified information security framework for the federal government. A graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his twenty-year career in the United States Army. Dr. Ross holds both Masters and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School.

Dr. Carsten Rudolph received his PhD in Computer Science at Queensland University of Technology, Brisbane in 2001. Since then, he is working at the Fraunhofer Institute for Secure Information Technology SIT where he is now the head of the research department on Secure Engineering. His research concentrates on information security, formal methods, security requirements engineering and the integration of hardware-based security solutions. Among other activities he has worked on a security validation of the Trusted Platform Module TPM 1.2 on behalf of the German BSI and he contributes as invited expert to the standardisation of the TPM in the Trusted Computing Group TCG. Lately, he has coordinated the EU FP7 project SecFutur on security engineering for embedded systems and he is involved in various other international and German research initiatives. He also acts as a principal investigator at the Centre for Advanced Security Research Darmstadt CASED.

Mr. Jose Fran. Ruiz is a security researcher engineer at the Fraunhofer SIT. He is currently working on his PhD thesis focused on modeling artefacts for security engineering. His current research activities also include security and software engineering, privacy, information security and software evolution. He has several international peer-reviewed publications. He has worked in several European projects of the FP7 (OKKAM and SecFutur) and was previously involved in the FP6 project Serenity. He was leader of the work package 4 (Security Engineering Process) of the SecFutur project and now is working managing SIT's work in the project. He has served in the organization committee and as reviewer in different conferences and workshops and is member of several international workgroups.