Case Studies II

Chair: Paul Black

• Title TBD, Scott W. Tousley (DHS)

  The ACSAC community is familiar with the many kinds of computer security challenges the United States and its economy and society face today. The recent Cybersecurity Framework, developed via NIST per the guidance of EO13636/PPD-21, may help address these computer security challenges, although the Framework is composed largely of risk and engineering guidance already known to the ACSAC community. Meanwhile, the pervasive digitization and networking continues throughout the infrastructures of our economy and society, in areas such as medical systems, distributed electricity generation and delivery, and communications.

  The nation's commercial aviation systems are also moving towards major changes, via the Next Generation Air Transportation System (NextGen) and the networking of commercial aircraft systems. While there are some interesting questions at the intersection of complex system safety vice security analysis, let us stipulate that the FAA as the aviation regulatory authority will address well the changing nature of the safety oversight of networked aircraft. With respect to the security of NextGen and networked commercial aircraft systems:

  • How will the FAA expand its capabilities to address the changing security challenges?

  • How will DHS (TSA, NPPD and S&T in particular) expand their capabilities to address a new area of cyber and infrastructure security and protection?

  • How will aircraft manufacturers and operators achieve a complex operational risk management challenge?

  The security engineering of NextGen and networked commercial aircraft systems will involve the same kinds of networking and security systems that have proven incompletely successful in use across our many different kinds of systems and infrastructures. Our national air transportation systems rely on a very high degree of trust and expectations throughout this industry. A networked, digital commercial aviation industry represents a significant national technical, risk management and governance challenge.

• A Process of Security Assurance Properties Unification for Application Logic, Faisal Nabi (Islami Roohani Mission University)

  For the last decade, security experts have concentrated on the traditional information security practices such as secure protocols (SSL/TSL) and Intrusion Detection Systems like Honey Pot. These can only secure network level problems. However, these are security functional requirement based techniques, not security assurance requirements. It is also observed that current vulnerability analysis techniques are focused on traditional old methods. That is, those that have been in practice for the last decade for traditional software engineering, such as White Box and Black Box penetration. These practices can only detect threats based on a check list of security policies. These can fall short of identifying design flaws through traditionally available intrusion detection tools or vulnerability analyzing tools. This research paper focuses on how to represent A Process of Security Assurance Properties Unification for Component-ware Risks related to Application Logic to deal logical vulnerability in e-commerce system.