Security implementation is essential to provide safe and secure products. Security development life cycle must be considered from the early stages of development through requirement to evaluation with traceability. By using SQuaRE to classify and evaluate security requirements, it is possible to assess the adequacy of product development to meet the requirements of safety and security. This paper proposes a method for implementing the requirements using SQuaRE in SDL.
With new threats appearing every day, the responsibility for application security is only increasing.
According to the Ministry of Internal Affairs and Communications' 2021 White Paper on Information and Communications, the spread of the new coronavirus infection has led to rapid and forceful digitization of society which has been advancing in areas where it was not, telework and online classes. As the use of digital technology increases, the number of devices and applications connected to the Internet is increasing, and their system configurations and usage patterns are diversifying.
With the demand for safe and secure applications, developers are faced with the challenge of how to incorporate security measures into the software development lifecycle. However, security vulnerabilities revealed in the testing process may increase the number of man-hours to deal with them and may even delay the release of the software. Therefore, it is considered necessary to improve the upstream process. Security implementation requires developers to have appropriate skills to do even when they follow the SDL (Security Development Lifecycle). To solve this problem, we believe that the use of tools would provide a way that is less dependent on the skills of individual developers and eliminate the tendency toward personalization. ISO/IEC27034-1 [1] explains SDL, other processes and techniques for building security into product development.
This paper proposes a method of security design using a tool that supports security threat analysis with quality characteristics, realizing a detailed design that includes security measures, and introducing security activities into coding and testing processes in order to reduce return work due to the discovery of vulnerabilities in the late development stage.
The Japanese government's promotion of DX (Digital Transformation) has increased the dependence of businesses on information technology. The number and areas of information assets to be protected continue to increase due to the dispersion of information assets to cloud services and the dispersion of locations due to the spread of teleworking, etc. Information systemrelated accidents are becoming a risk that would threaten even the survival of businesses. For example, business operations may be suspended due to a virus such as ransomware, sales may decrease due to service suspension until a vulnerability is discovered and countermeasures are taken, or social trust may be lost in the case of a data breach.
The requirement of security demanded by users have also changed. For example, 20 years ago, HTTPS encryption was used only for pages that handled personal information on websites, but now it is a function that must be implemented. Security has become a "must be quality" in e-mail and EDI (Electronic Data Interchange) communications as well.
Ensuring security is also required for safety because safety design is to protect human life and property from being threatened using a product or device.
This security has such a great impact on human lives, property, and business continuity. Therefore, it is a social responsibility of companies to properly manage information and prevent its leakage and loss in their business activities.
However, the difficulty of security development is that it requires appropriate skills to do and the cost for expensive countermeasures.
For example, pre-release vulnerability checks using security inspection tools can prevent a product from being released with hidden vulnerabilities. However, if many vulnerabilities are detected in the testing process just before release, a large amount of time will be spent to deal with the vulnerability. This will lead to delivery delay and cost overrun. Even if there is no vulnerability at the time of release, there is a risk that it may become a vulnerability from embedded OSS modules due to the emergence of new unknown attack methods.
To reduce such risks, security measures should be implemented prior to testing and should have process of continuous management of vulnerabilities. By implementing security measures at all stages of SDL, we can prevent vulnerabilities from being discovered just before the release and threats after the release.
Security by Design [2] is defined by the Cabinet Cyber Security Center (NISC) in Japan as "a measure to ensure information security from the planning and design stages", which is a concept to ensure cyber security by incorporating security measures at the planning and design stages, rather than after system installation and operation. SDL is one of the ways to realize this concept. By implementing security measures from the upstream process, it is expected to improve the security and reduce the cost of security measures.
SDL implementations security related activities or practices to meet into V-model or agile process. In the case of the agile process, security requirements are also managed in the backlog, and secure-by-design is achieved through security practices such as secure-bydesign, static analysis, and vulnerability testing within a sprint. These tasks are generally automated as a pipeline.
Threat analysis is performed for security requirements in beginning of SDL. Threat Modeling Tool [3] provides support functions for a threat analysis, and MITRE ATT&CK [4] provides advice on countermeasures against classified threats. The Thread Modeling Tool applies a threat framework to a data flow diagram (DFD) to find potential security problems and analyze threats to systems and software to be built. The tool classifies threats using the STRIDE model, shown as Table-1.
STRIDE is a threat analysis model proposed by Microsoft that can classify various types of threats [5].
Since DFD diagrams can be created after the basic design, the Threat Modeling Tool is suitable for threat analysis at the detailed design stage ().
MITRE ATT&CK is used to improve the accuracy of threat identification by conducting threat analysis using a different approach from the Threat Modeling Tool. MITRE ATT&CK provides a framework that systematically organizes knowledge about attacks to defend against and dealing with attacks. It has a large amount of information on actual examples, mitigation measures, detection methods, and reports from security vendors and white-hat hackers for each tactic's individual attack techniques and methods. It is highly regarded attracting attention by security practitioners.
MITRE ATT&CK provides MITRE ATT&CK Navigator [6] as a tool to explore and visualize a vast number of attack methods. We selected MITRE ATT&CK Navigator, shown as Figure-2, because of its intuitive operation and ease of use as a tool.
Tactics
Technique Figure-2: MITRE ATT&CK Matrix
MITRE ATT&CK provides a matrix to show the specific technical elements required for an attack which consist of Tactics and Technique.
ATT&CK has selected the following 12 tactics. 1. Initial Access 2. Execution 3. Persistence 4. Privilege Escalation 5. Defense Evasion 6. Credential Access 7. Discovery 8. Lateral Movement 9. Collection 10. C&C (Command and Control) 11. Exfiltration 12. Impact
The attackers use the techniques and methods in the initial access to conduct the attack, and when that tactic is achieved, the attacker moves on to the next tactic. The attacker proceeds to the last tactic of impact to achieve the final objective. MITRE ATT&CK Navigator is provided as a web application and is used via a web browser. Users can display only the methods of a particular platform, or highlight the methods used by a particular adversary, or search by keywords. The search function allows users to select from techniques, attacker groups, software, mitigations, etc., as well as to extract attack methods by keyword search. Analysis results can be defined as layers, and the importance of each layer can be assigned as a threat score. Multiple layers can be created and overlaid to visualize overlapping threats. Other features include color-coding of the matrix and the addition of comments. The attack methods in the matrix can be linked to a detailed threat page, where you can see the details of the attack and mitigation measures.
Figure-3 shows security and safety related quality characteristics from quality model in SQuaRE. Mapping requirements of security and safety into selected sub-characteristics are easily judged the requirement is validated or not.
We have mapped security requirements to security quality characteristics and applied SDL to a client-server web system. In order to reflect these quality requirements in the design, a threat analysis is conducted using Threat Modeling Tool and MITRE ATT&CK Navigator.
From the results of the analysis, “risk management checklist" is created by Kusaka et al. [7]. The risk management checklist is a list of threat risks to information assets and functions, their risk assessment, and mitigation measures. The risk management checklist can be used in the detailed design, coding, and testing processes, and is expected to be effective in preventing the creation of vulnerabilities. It can also be used for test.
Developers follow those steps to identify threat and find tactics.
1. Classified security requirements with quality characteristics 2. Creating a DFD drawing and threat analysis by Threat Modeling Tool 3. Listing of analysis results with MITRE
ATT&CK Navigator 4. Risk assessment and risk reduction
The security design here is performed both in the architectural and the detailed design on Vmodel development. In the basic design, system configuration, servers, databases, and other elements are identified, and threat analysis is conducted on these elements, and the results of the analysis are passed to the next stage of detailed design. The detailed design based on the threat analysis is expected to reflect the security activities in the subsequent coding and testing processes. In case of agile process, those security activities execute for practices.
Classify the security and safety requirements of a system or application by mapping them to the security quality sub-characteristics of the product quality model [8]. Also map the data to be used to the data quality characteristics at data quality model [9] and them consider which requirements need to be met.
threat analysis by Threat Modeling
Using the Threat Modeling Tool, create a diagram that represents the data flow in the system configuration based on the basic design and the elements such as clients, servers, databases, network devices, etc. Draw a Trust Boundary to clarify which elements belong to which boundary. A trust boundary is a line that separates areas with different levels of trust. It is a line of defense against threats that occur when the trustworthy and the untrustworthy cross the boundary.
Figure-4 shows a configuration with one client, one client storage, three servers, and three databases.
Figure-4: DFD diagram of the Treat Modeling Tool
After running the analysis from the created DFD diagram, a list of detected threats is shown for each element. The tool exacts results of threat analysis, shown as Figure-5.
In some cases, some of the threats are duplicated because the same threat is detected in each of the three redundant servers. This tool classifies threats by STRIDE and can be used for risk analysis and mitigation assessment. This is accomplished by considering risk mitigation measures for classified threats rather than for the elements themselves.
MITRE ATT&CK Navigator visualizes listed threats. A list of is shown as Figure-6. It supports creating two layers and check for overlapping attack methods. In case of “email” and “web”, layer 1 shows a threat score of 30. Layer 2 is set to the threat score is set to 50. By superimposing the search results of layer 1 and layer 2 with these conditions, the merged results are displayed. Layer 1 is displayed in red, Layer 2 in yellow, and the overlapping items (threat score 30+50=80) in green. From these results, only threats to the system are identified. Also, it is possible to investigate what vulnerabilities have been discovered in products with similar architectures, and to identify possible threats by using CWE (Common Weakness Enumeration) to identify Figure-6: MITRE ATT&CK Search Results these vulnerabilities. MITRE provides CWE list and the description and related CWE with several classifications [10]. 5.4. Risk reduction
Based on the results of threat analysis, a risk management checklist is prepared. The checklist consists of the following items: evaluation of each threat, consideration of risk reduction methods, and evaluation of the implementation of risk reduction methods.
• Information Assets and Function • Threats (STRIDE classification) • Anticipated harm/risk conditions • Risk Estimation and Assessment • Risk reduction methods (mitigation measures) • Evaluation after implementation of risk
reduction methods • Any new hazards/hazardous conditions that have arisen because of the implementation of risk reduction measures • Availability/Reason for response
Since risk assessment for each threat depends on the knowledge and skills of the person in charge and it is difficult to obtain quantitative assessment results, we adopted an open, vendorindependent vulnerability assessment method proposed by FIRST (Forum of Incident Response and Security Teams) [11], CVSS (Common Vulnerability Scoring System) [12]. CVSS is open and vendor-independent vulnerability assessment method proposed by FIRST. CVSS is a common vulnerability scoring system that evaluates the severity of security vulnerabilities based on three criteria: basic evaluation criteria, current state evaluation criteria, and environmental evaluation criteria. By using CVSS, the severity of vulnerabilities can be quantitatively compared under the same criteria.
Risk reduction methods are examined. For example, for "data falsification," we will conduct a final risk assessment by implementing a mitigation method such as "applying security patches.
For threats that require countermeasures, check the "Microsoft Threat Modeling Tool mitigations" based on the STRIDE classification of the Threat Modeling Tool and the MITRE ATT & CK mitigations for each attack method, and then consider and plan tactics.
From the results of the risk assessment, the existence of countermeasures and threats to be prioritized can be identified, and the security requirements can be determined if they have been met by inspecting the threats in testing-related activities.
Using the Threat Modeling Tool, mechanical threat analysis can be performed without any security skills as long as you can draw DFD diagrams. The discussion by looking at the DFD diagrams is also effective to examine where the threats are in the system configuration, and it is commended that the quality requirements are secured from the threat analysis results.
In addition, MITRE ATT&CK can visually identify threats, and when used in conjunction with the Threat Modeling Tool, it is an effective complement to threat analysis. The MITRE ATT&CK can also be used as a database for investigating mitigation measures against attack methods.
The risk management check sheet, which is a deliverable of the design process, can be used as a check sheet for code review in coding and as a vulnerability test item in testing. By implementing security measures upstream, the security activities to be implemented in the subsequent processes have been clarified.
If risk management check sheets had not been prepared in the design process, security activities would have been implemented in other processes without uniformity, and unnecessary man-hours would have been spent due to duplication of work.
In addition, since the CWE of the target threats are clarified, it can be checked against the results of vulnerability testing tools such as sonarqube [13], Fortify [14], etc. to confirm that the target threats have not been detected. You can prove that confidentiality and integrity are ensured.
The implementation of a threat analysis tool is time-consuming due to the large number of analysis results that are detected and scrutinized. Even if the threats can be identified mechanically by tools, it takes time to evaluate and filter them one by one, which requires security skill to do. For example, if there are three servers, the same threats will be output for all three servers. The question is whether to exclude these results as the same threat or treat them as individual threats. The method of filtering and evaluating the analysis results is an issue to be addressed in the future.
In order to deal with threat analysis, it was necessary to educate the staff about security design and architecture as well as on threat analysis methods and tools. Since many developers implicitly feel that security is difficult, it is necessary to eliminate this image by constantly providing appropriate education.
CONCLUSION
Security is "must be quality" and it is possible to classify security requirements by using a quality model in SQuaRE. However, it is difficult to set the goal of how security should be analyzed. There are various methods of threat analysis, and threat analysis needs a lot of costs. In order to solve this problem, it is considered that clarification of security requirements and evaluation of them for each quality subcharacteristic by using a quality model.
It is also considered necessary to set security ranks for the target systems and to create indicators of which security measures should be implemented for each rank and to what extent time and cost should be spent.
In the current situation where new attack methods emerge and threats continue to emerge, continuous security analysis and tactics are necessary, and this also leads to risk management for the entire system by considering which quality is affected at the sub-characteristic level.
By utilizing SDL's security lifecycle and SQuaRE, we expect that continuous security activities can be taken to provide safe and secure products.
[1] ISO/IEC 27034-1:2011 “Information technology — Security techniques — Application security — Part 1: Overview and concepts”. [2] "Manual for Developing Security Requirements in Government Procurement for Information Systems," Cabinet Cyber Security Center (NISC), 2019, in Japanese. [3] Microsoft Threat Modeling Tool, https://docs.microsoft.com/jajp/azure/security/develop/threat-modelingtool . [4] MITRE ATT&CK, https://attack.mitre.org/ . [5] Microsoft Security Update Guide, https://portal.msrc.microsoft.com/enus/security-guidance [6] MITRE ATT&CK® Navigator, https://mitre-attack.github.io/attacknavigator [7] Kusaka H., Nagata, T., Futagawa, Y.: "The Role of QA in SDL Considering Security Quality (Upstream Process)", 2017, https://www.juse.or.jp/sqip/community/buc yo/8/files/shiryou_seika7.pdf, in Japanese. [8] ISO/IEC 25010:2011 “Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models”. [9] ISO/IEC 25012:2008 “ Software engineering — Software product Quality Requirements and Evaluation (SQuaRE) — Data quality model”. [10] CWE, https://cwe.mitre.org/ . [11] FIRST, https://www.first.org/ . [12] CVSS, https://www.first.og/cvss/ . [13] sonarqube, https://www.sonarqube.org/ . [14] Fortify, https://www.microfocus.com/enus/cyberres/application-security/ . [15] Iwasaki,D., Yasuda.K, Kato, D.: Security Design Methodology Considering Threat Analysis in SDL, The 51st Symposium Reliability, Mainteinability and Sefety, 2022, in Japanese.