=Paper= {{Paper |id=Vol-3356/paper7 |storemode=property |title=Proposal for the Use of Quality Characteristics in Security Design Methodologies |pdfUrl=https://ceur-ws.org/Vol-3356/paper-07.pdf |volume=Vol-3356 |authors=Daiju Kato,Daisuke Iwasaki |dblpUrl=https://dblp.org/rec/conf/apsec/KatoI22 }} ==Proposal for the Use of Quality Characteristics in Security Design Methodologies== https://ceur-ws.org/Vol-3356/paper-07.pdf
Proposal for the Use of Quality Characteristics in Security Design Methodologies
Daiju Kato 1, Daisuke Iwasaki 1
1 Nihon Knowledge Co., Ltd., JS Building 9F 3-9-15, Kotobuki, Taito-ku, Tokyo, 111-0042, Japan

Abstract
Security implementation is essential for providing safe and secure products. The security development life cycle must be considered from the early stages of development, from requirements through evaluation, with traceability. By using SQuaRE to classify and evaluate security requirements, it is possible to assess whether product development adequately meets the requirements of safety and security. This paper proposes a method for implementing such requirements using SQuaRE in SDL.

Keywords
SDL, threat analysis, secure by design, risk management, vulnerability, SQuaRE


1. Introduction

With new threats appearing every day, the responsibility for application security is only increasing.

According to the Ministry of Internal Affairs and Communications' 2021 White Paper on Information and Communications, the spread of the new coronavirus infection has led to a rapid and forceful digitization of society, advancing into areas it had not reached before, such as telework and online classes. As the use of digital technology grows, the number of devices and applications connected to the Internet keeps increasing, and their system configurations and usage patterns are diversifying.

With the demand for safe and secure applications, developers are faced with the challenge of how to incorporate security measures into the software development lifecycle. However, security vulnerabilities revealed in the testing process may increase the man-hours needed to deal with them and may even delay the release of the software. Therefore, it is considered necessary to improve the upstream process.

Security implementation requires developers to have appropriate skills, even when they follow the SDL (Security Development Lifecycle). To solve this problem, we believe that the use of tools would provide a way that is less dependent on the skills of individual developers and eliminates the tendency toward personalization. ISO/IEC 27034-1 [1] explains SDL and other processes and techniques for building security into product development.

This paper proposes a method of security design using a tool that supports security threat analysis with quality characteristics, realizing a detailed design that includes security measures, and introducing security activities into the coding and testing processes in order to reduce rework caused by the discovery of vulnerabilities in the late development stage.

2. SECURITY AND RISK MANAGEMENT

The Japanese government's promotion of DX (Digital Transformation) has increased the dependence of businesses on information technology. The number and areas of information

4th International Workshop on Experience with SQuaRE Series and its Future Direction, December 06, 2022, Tokyo, Japan
EMAIL: d-kato@know-net.co.jp (A. 1); iwasaki@know-net.co.jp (A. 2)
ORCID: 0000-0001-9904-8554 (A. 1); none (A. 2)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073, http://ceur-ws.org
assets to be protected continue to increase due to the dispersion of information assets to cloud services and the dispersion of locations due to the spread of teleworking. Information system-related accidents are becoming a risk that could threaten even the survival of a business. For example, business operations may be suspended by malware such as ransomware, sales may decrease because a service is suspended until a vulnerability is discovered and countermeasures are taken, or social trust may be lost in the case of a data breach.

The security requirements demanded by users have also changed. For example, 20 years ago HTTPS encryption was used only for website pages that handled personal information, but now it is a function that must be implemented. Security has become a "must-be quality" in e-mail and EDI (Electronic Data Interchange) communications as well.

Ensuring security is also required for safety, because safety design protects human life and property from being threatened through the use of a product or device.

Security thus has a great impact on human lives, property, and business continuity. Therefore, it is a social responsibility of companies to properly manage information and prevent its leakage and loss in their business activities.

3. THREAT PREVENTION IN SDL

However, the difficulty of security development is that it requires appropriate skills and the cost of expensive countermeasures.

For example, pre-release vulnerability checks using security inspection tools can prevent a product from being released with hidden vulnerabilities. However, if many vulnerabilities are detected in the testing process just before release, a large amount of time will be spent dealing with them. This leads to delivery delays and cost overruns. Even if there is no vulnerability at the time of release, there is a risk that embedded OSS modules may become vulnerable due to the emergence of new, unknown attack methods.

To reduce such risks, security measures should be implemented prior to testing, and there should be a process for the continuous management of vulnerabilities. By implementing security measures at all stages of SDL, we can prevent vulnerabilities from being discovered just before release, and threats after release.

Security by Design [2] is defined by the Cabinet Cyber Security Center (NISC) in Japan as "a measure to ensure information security from the planning and design stages": a concept that ensures cyber security by incorporating security measures at the planning and design stages rather than after system installation and operation. SDL is one way to realize this concept. By implementing security measures from the upstream process, it is expected to improve security and reduce the cost of security measures.

SDL fits security-related activities or practices into a V-model or agile process. In the case of an agile process, security requirements are also managed in the backlog, and secure-by-design is achieved through security practices such as secure design, static analysis, and vulnerability testing within a sprint. These tasks are generally automated as a pipeline.

Threat analysis is performed for the security requirements at the beginning of SDL. The Threat Modeling Tool [3] provides support functions for threat analysis, and MITRE ATT&CK [4] provides advice on countermeasures against classified threats. The Threat Modeling Tool applies a threat framework to a data flow diagram (DFD) to find potential security problems and analyze threats to the systems and software to be built. The tool classifies threats using the STRIDE model, shown in Table-1.

Table-1: STRIDE MODEL
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege

STRIDE is a threat analysis model proposed by Microsoft that can classify various types of threats [5].

Since DFD diagrams can be created after the basic design, the Threat Modeling Tool is suitable for threat analysis at the detailed design stage.

MITRE ATT&CK is used to improve the accuracy of threat identification by conducting threat analysis with a different approach from the Threat Modeling Tool. MITRE ATT&CK provides a framework that systematically organizes knowledge about attacks for defending against and dealing with them. It has a large amount of information on actual examples,
mitigation measures, detection methods, and reports from security vendors and white-hat hackers for each tactic's individual attack techniques and methods. It is highly regarded and attracting attention among security practitioners.

Figure-1: Threat Modeling Tool

MITRE ATT&CK provides MITRE ATT&CK Navigator [6] as a tool to explore and visualize a vast number of attack methods. We selected MITRE ATT&CK Navigator, shown in Figure-2, because of its intuitive operation and ease of use as a tool.

Figure-2: MITRE ATT&CK Matrix (columns: Tactics; cells: Technique)

MITRE ATT&CK provides a matrix that shows the specific technical elements required for an attack, which consist of Tactics and Techniques. ATT&CK has selected the following 12 tactics.
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. C&C (Command and Control)
11. Exfiltration
12. Impact

The attacker uses the techniques and methods of Initial Access to start the attack, and when that tactic is achieved, moves on to the next tactic. The attacker proceeds to the last tactic, Impact, to achieve the final objective. MITRE ATT&CK Navigator is provided as a web application and is used via a web browser. Users can display only the techniques of a particular platform, highlight the techniques used by a particular adversary, or search by keyword. The search function allows users to select from techniques, attacker groups, software, mitigations, etc., as well as to extract attack methods by keyword search. Analysis results can be defined as layers, and an importance can be assigned to each layer as a threat score. Multiple layers can be created and overlaid to visualize overlapping threats. Other features include color-coding of the matrix and the addition of comments. The attack methods in the matrix link to a detailed threat page, where the details of the attack and its mitigation measures can be seen.

Figure-3 shows the security- and safety-related quality characteristics from the quality model in SQuaRE. By mapping security and safety requirements onto the selected sub-characteristics, it is easy to judge whether a requirement has been validated.

Figure-3: Quality characteristics related with security and safety

4. IMPLEMENTATION SUMMARY

We have mapped security requirements to security quality characteristics and applied SDL to a client-server web system. In order to reflect these quality requirements in the design, a threat analysis is conducted using the Threat Modeling Tool and MITRE ATT&CK Navigator.

From the results of the analysis, a "risk management checklist" as proposed by Kusaka et al. [7] is created. The risk management checklist is a list of threat risks to information assets and functions,
their risk assessment, and mitigation measures. The risk management checklist can be used in the detailed design, coding, and testing processes, and is expected to be effective in preventing the creation of vulnerabilities. It can also be used for testing.

Developers follow these steps to identify threats and decide on tactics.
1. Classifying security requirements with quality characteristics
2. Creating a DFD drawing and threat analysis by Threat Modeling Tool
3. Listing of analysis results with MITRE ATT&CK Navigator
4. Risk assessment and risk reduction

The security design here is performed in both the architectural design and the detailed design of V-model development. In the basic design, the system configuration, servers, databases, and other elements are identified, threat analysis is conducted on these elements, and the results of the analysis are passed to the next stage, detailed design. The detailed design based on the threat analysis is expected to be reflected in the security activities of the subsequent coding and testing processes. In an agile process, those security activities are executed as practices.

5. IMPLEMENTATION DETAILS

5.1. Classifying security requirements with quality characteristics

Classify the security and safety requirements of a system or application by mapping them to the security quality sub-characteristics of the product quality model [8]. Also map the data to be used to the data quality characteristics of the data quality model [9], and then consider which requirements need to be met.

5.2. Creating a DFD drawing and threat analysis by Threat Modeling Tool

Using the Threat Modeling Tool, create a diagram that represents the data flow in the system configuration based on the basic design and its elements, such as clients, servers, databases, and network devices. Draw trust boundaries to clarify which elements belong to which boundary. A trust boundary is a line that separates areas with different levels of trust. It is a line of defense against threats that occur when the trustworthy and the untrustworthy cross the boundary.

Figure-4 shows a configuration with one client, one client storage, three servers, and three databases.

Figure-4: DFD diagram of the Threat Modeling Tool

After running the analysis on the created DFD diagram, a list of detected threats is shown for each element. The tool extracts the results of the threat analysis, shown in Figure-5.

Figure-5: Extracted threat analysis results

In some cases, some of the threats are duplicated because the same threat is detected in each of the three redundant servers. This tool classifies threats by STRIDE and can be used for risk analysis and mitigation assessment. This is accomplished by considering risk mitigation measures for the classified threats rather than for the elements themselves.

5.3. Listing of analysis results with MITRE ATT&CK Navigator

MITRE ATT&CK Navigator visualizes the listed threats. A list is shown in Figure-6. It supports creating two layers and checking for overlapping attack methods. In the case of "email" and "web", layer 1 is given a threat score of 30 and layer 2 a threat score of 50. By superimposing the search results of layer 1 and layer 2 under these conditions, the merged results are displayed. Layer 1 is displayed in red, layer 2 in yellow, and the overlapping items (threat score 30+50=80) in green. From these results, only the threats to the system are identified. It is also possible to investigate what vulnerabilities have been discovered in products with similar architectures, and to identify possible threats by using CWE (Common Weakness Enumeration) to identify
Figure-6: MITRE ATT&CK Search Results

these vulnerabilities. MITRE provides the CWE list, with descriptions and related CWEs, under several classifications [10].

5.4. Risk Assessment and risk reduction

Based on the results of the threat analysis, a risk management checklist is prepared. The checklist covers the evaluation of each threat, consideration of risk reduction methods, and evaluation of the implementation of the risk reduction methods, with the following items:
• Information Assets and Function
• Threats (STRIDE classification)
• Anticipated harm/risk conditions
• Risk Estimation and Assessment
• Risk reduction methods (mitigation measures)
• Evaluation after implementation of risk reduction methods
• Any new hazards/hazardous conditions that have arisen because of the implementation of risk reduction measures
• Availability/Reason for response

Since the risk assessment for each threat depends on the knowledge and skills of the person in charge, and it is difficult to obtain quantitative assessment results, we adopted CVSS (Common Vulnerability Scoring System) [12], an open, vendor-independent vulnerability assessment method proposed by FIRST (Forum of Incident Response and Security Teams) [11]. CVSS is a common vulnerability scoring system that evaluates the severity of security vulnerabilities based on three groups of criteria: the basic (base) evaluation criteria, the current-state (temporal) evaluation criteria, and the environmental evaluation criteria. By using CVSS, the severity of vulnerabilities can be quantitatively compared under the same criteria.

Risk reduction methods are then examined. For example, for "data falsification," we conduct a final risk assessment after implementing a mitigation method such as "applying security patches."

For threats that require countermeasures, check the "Microsoft Threat Modeling Tool mitigations" based on the STRIDE classification of the Threat Modeling Tool and the MITRE ATT&CK mitigations for each attack method, and then consider and plan tactics.

From the results of the risk assessment, the existence of countermeasures and the threats to be prioritized can be identified, and whether the security requirements have been met can be determined by inspecting the threats in testing-related activities.

6. IMPLEMENTATION RESULTS

Using the Threat Modeling Tool, mechanical threat analysis can be performed without any security skills, as long as one can draw DFD diagrams. Discussion while looking at the DFD diagrams is also effective for examining where the threats are in the system configuration, and it is confirmed that the quality requirements are secured from the threat analysis results.
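The per-element STRIDE analysis over a DFD with trust boundaries described in Sections 5.2 and 6 above, including the duplicate findings that the three redundant servers produce, can be reproduced in a short script. The following Python code is an added example and is not code from the paper or from Microsoft's Threat Modeling Tool. It assumes the classic STRIDE-per-element applicability rules (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D), which the paper does not state, and it uses a constructed DFD with the same shape as Figure-4 (one client, one client storage, three servers, three databases). The `role` field is an assumed attribute used to merge the replica servers' identical findings into one checklist row while still naming every affected element; flows whose endpoints lie in different trust boundaries are flagged, since the paper identifies boundary crossings as where threats arise.

```python
"""STRIDE-per-element threat enumeration over a DFD with trust boundaries,
merging the duplicate findings that redundant replicas produce."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Assumption: classic STRIDE-per-element applicability (the paper does not
# describe the Threat Modeling Tool's internal rule set).
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # external | process | store | flow
    boundary: str = ""      # trust boundary the node sits in (unused for flows)
    role: str = ""          # assumed template role; replicas share a role
    endpoints: tuple = ()   # (source, destination) names, flows only


def crosses_boundary(flow, by_name):
    """A flow crosses a trust boundary when its endpoints sit in different areas."""
    src, dst = (by_name[n] for n in flow.endpoints)
    return src.boundary != dst.boundary


def enumerate_threats(elements):
    """One record per (element, applicable STRIDE category), like the tool's
    per-element list; boundary-crossing flows are flagged for priority."""
    by_name = {e.name: e for e in elements}
    records = []
    for e in elements:
        crossing = e.kind == "flow" and crosses_boundary(e, by_name)
        for code in APPLICABLE[e.kind]:
            records.append({"element": e.name, "role": e.role or e.name,
                            "threat": STRIDE[code], "crosses_boundary": crossing})
    return records


def merge_redundant(records):
    """Collapse identical threats on replicas of one role (e.g. three redundant
    servers) into a single checklist row that still names every element."""
    rows = {}
    for r in records:
        row = rows.setdefault((r["role"], r["threat"]),
                              {"role": r["role"], "threat": r["threat"],
                               "crosses_boundary": r["crosses_boundary"],
                               "elements": []})
        row["elements"].append(r["element"])
    return list(rows.values())


def node(name, kind, boundary, role=""):
    return Element(name, kind, boundary, role)


def flow(src, dst, role):
    return Element(f"{src}->{dst}", "flow", role=role, endpoints=(src, dst))


# Constructed DFD with the shape of the paper's Figure-4: one client, one
# client storage, three redundant web servers, three databases.
SAMPLE_DFD = [
    node("client", "external", "user"),
    node("client-storage", "store", "user"),
    *[node(f"web{i}", "process", "dmz", role="web-server") for i in (1, 2, 3)],
    *[node(f"db{i}", "store", "internal", role="app-db") for i in (1, 2, 3)],
    flow("client", "client-storage", role="client->client-storage"),
    *[flow("client", f"web{i}", role="client->web-server") for i in (1, 2, 3)],
    *[flow(f"web{i}", f"db{i}", role="web-server->app-db") for i in (1, 2, 3)],
]


def analyze(elements=SAMPLE_DFD):
    """Return (raw records, merged checklist rows, rows on boundary-crossing flows)."""
    raw = enumerate_threats(elements)
    merged = merge_redundant(raw)
    crossing = [m for m in merged if m["crosses_boundary"]]
    return raw, merged, crossing


if __name__ == "__main__":
    raw, merged, crossing = analyze()
    print(f"{len(raw)} raw findings -> {len(merged)} checklist rows, "
          f"{len(crossing)} on trust-boundary crossings")
    for m in sorted(crossing, key=lambda m: (m["role"], m["threat"])):
        print(f"  {m['role']:<22} {m['threat']:<24} {', '.join(m['elements'])}")
```

On the constructed DFD the 57 raw findings collapse to 25 checklist rows, which is the reduction Section 7 asks for when it questions whether identical findings on the three servers should be one threat or three: merging by role keeps one row per threat but the `elements` list preserves which replicas it applies to, so nothing is silently dropped.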
In addition, MITRE ATT&CK can visually identify threats, and when used in conjunction with the Threat Modeling Tool it is an effective complement to threat analysis. MITRE ATT&CK can also be used as a database for investigating mitigation measures against attack methods.

The risk management check sheet, which is a deliverable of the design process, can be used as a check sheet for code review in coding and as a vulnerability test item in testing. By implementing security measures upstream, the security activities to be implemented in the subsequent processes have been clarified.

If risk management check sheets had not been prepared in the design process, security activities would have been implemented in other processes without uniformity, and unnecessary man-hours would have been spent due to duplicated work.

In addition, since the CWEs of the target threats are clarified, they can be checked against the results of vulnerability testing tools such as SonarQube [13] and Fortify [14] to confirm that the target threats have not been detected. This makes it possible to prove that confidentiality and integrity are ensured.

7. REMAINING ISSUES

The implementation of a threat analysis tool is time-consuming due to the large number of analysis results that are detected and must be scrutinized. Even if threats can be identified mechanically by tools, it takes time to evaluate and filter them one by one, which requires security skill. For example, if there are three servers, the same threats will be output for all three servers. The question is whether to exclude these results as the same threat or treat them as individual threats. The method of filtering and evaluating the analysis results is an issue to be addressed in the future.

In order to deal with threat analysis, it was necessary to educate the staff about security design and architecture as well as threat analysis methods and tools. Since many developers implicitly feel that security is difficult, it is necessary to dispel this image by constantly providing appropriate education.

CONCLUSION

Security is a "must-be quality", and it is possible to classify security requirements by using a quality model in SQuaRE. However, it is difficult to set the goal of how security should be analyzed. There are various methods of threat analysis, and threat analysis requires a lot of cost. To solve this problem, we consider it necessary to clarify the security requirements and evaluate them for each quality sub-characteristic by using a quality model.

It is also considered necessary to set security ranks for the target systems and to create indicators of which security measures should be implemented for each rank, and to what extent time and cost should be spent.

In the current situation, where new attack methods and threats continue to emerge, continuous security analysis and tactics are necessary, and this also leads to risk management for the entire system by considering which quality is affected at the sub-characteristic level.

By utilizing SDL's security lifecycle and SQuaRE, we expect that continuous security activities can be carried out to provide safe and secure products.

8. References

[1] ISO/IEC 27034-1:2011 "Information technology — Security techniques — Application security — Part 1: Overview and concepts".
[2] "Manual for Developing Security Requirements in Government Procurement for Information Systems," Cabinet Cyber Security Center (NISC), 2019, in Japanese.
[3] Microsoft Threat Modeling Tool, https://docs.microsoft.com/ja-jp/azure/security/develop/threat-modeling-tool
[4] MITRE ATT&CK, https://attack.mitre.org/
[5] Microsoft Security Update Guide, https://portal.msrc.microsoft.com/en-us/security-guidance
[6] MITRE ATT&CK® Navigator, https://mitre-attack.github.io/attack-navigator
[7] Kusaka, H., Nagata, T., Futagawa, Y.: "The Role of QA in SDL Considering Security Quality (Upstream Process)", 2017, https://www.juse.or.jp/sqip/community/bucyo/8/files/shiryou_seika7.pdf, in Japanese.
[8] ISO/IEC 25010:2011 "Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models".
[9] ISO/IEC 25012:2008 "Software engineering — Software product Quality Requirements and Evaluation (SQuaRE) — Data quality model".
[10] CWE, https://cwe.mitre.org/
[11] FIRST, https://www.first.org/
[12] CVSS, https://www.first.org/cvss/
[13] SonarQube, https://www.sonarqube.org/
[14] Fortify, https://www.microfocus.com/en-us/cyberres/application-security/
[15] Iwasaki, D., Yasuda, K., Kato, D.: Security Design Methodology Considering Threat Analysis in SDL, The 51st Symposium Reliability, Maintainability and Safety, 2022, in Japanese.