Proposal for the Use of Quality Characteristics in Security Design Methodologies

Daiju Kato (1), Daisuke Iwasaki (1)
(1) Nihon Knowledge Co., Ltd., JS Building 9F 3-9-15, Kotobuki, Taito-ku, Tokyo, 111-0042, Japan

Abstract
Security implementation is essential to providing safe and secure products. The security development lifecycle must be considered from the early stages of development, from requirements through evaluation, with traceability. By using SQuaRE to classify and evaluate security requirements, it is possible to assess whether product development adequately meets the requirements of safety and security. This paper proposes a method for implementing these requirements using SQuaRE in the SDL.

Keywords
SDL, threat analysis, secure by design, risk management, vulnerability, SQuaRE

4th International Workshop on Experience with SQuaRE Series and its Future Direction, December 06, 2022, Tokyo, Japan
EMAIL: d-kato@know-net.co.jp (A. 1); iwasaki@know-net.co.jp (A. 2)
ORCID: 0000-0001-9904-8554 (A. 1); none (A. 2)
© 2022 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073, http://ceur-ws.org

1. Introduction
Security implementation requires developers to have appropriate skills, even when they follow the SDL (Security Development Lifecycle). With new threats appearing every day, the responsibility for application security is only increasing.
According to the Ministry of Internal Affairs and Communications' 2021 White Paper on Information and Communications, the spread of the new coronavirus infection has led to rapid and forceful digitization of society, advancing it in areas where it had not been, such as telework and online classes. As the use of digital technology increases, the number of devices and applications connected to the Internet is increasing, and their system configurations and usage patterns are diversifying.
With the demand for safe and secure applications, developers are faced with the challenge of how to incorporate security measures into the software development lifecycle. However, security vulnerabilities revealed in the testing process may increase the number of man-hours needed to deal with them and may even delay the release of the software. Therefore, it is considered necessary to improve the upstream process.
To solve this problem, we believe that the use of tools would provide a way that is less dependent on the skills of individual developers and eliminates the tendency for security work to depend on particular individuals. ISO/IEC 27034-1 [1] describes the SDL and other processes and techniques for building security into product development.
This paper proposes a method of security design using a tool that supports security threat analysis with quality characteristics, realizing a detailed design that includes security measures, and introducing security activities into the coding and testing processes in order to reduce rework due to the discovery of vulnerabilities late in the development stage.

2. SECURITY AND RISK MANAGEMENT
The Japanese government's promotion of DX (Digital Transformation) has increased the dependence of businesses on information technology. The number and areas of information assets to be protected continue to increase due to the dispersion of information assets to cloud services and the dispersion of locations due to the spread of teleworking, etc. Information system-related accidents are becoming a risk that could threaten even the survival of businesses. For example, business operations may be suspended due to malware such as ransomware, sales may decrease due to service suspension until a vulnerability is discovered and countermeasures are taken, or social trust may be lost in the case of a data breach.
The security requirements demanded by users have also changed. For example, 20 years ago, HTTPS encryption was used only for pages that handled personal information on websites, but now it is a function that must be implemented. Security has become a "must-be quality" in e-mail and EDI (Electronic Data Interchange) communications as well.
Ensuring security is also required for safety, because safety design is meant to protect human life and property from being threatened through the use of a product or device.
Security thus has a great impact on human lives, property, and business continuity. Therefore, it is a social responsibility of companies to properly manage information and prevent its leakage and loss in their business activities.

3. THREAT PREVENTION IN SDL
However, the difficulty of security development is that it requires appropriate skills and the cost of expensive countermeasures. For example, pre-release vulnerability checks using security inspection tools can prevent a product from being released with hidden vulnerabilities. However, if many vulnerabilities are detected in the testing process just before release, a large amount of time will be spent dealing with them. This will lead to delivery delay and cost overrun. Even if there is no known vulnerability at the time of release, there is a risk that one may later emerge from embedded OSS modules due to the appearance of new, previously unknown attack methods.
To reduce such risks, security measures should be implemented prior to testing, and there should be a process of continuous management of vulnerabilities. By implementing security measures at all stages of the SDL, we can prevent vulnerabilities from being discovered just before the release and threats after the release.
Security by Design [2] is defined by the Cabinet Cyber Security Center (NISC) in Japan as "a measure to ensure information security from the planning and design stages", which is a concept to ensure cyber security by incorporating security measures at the planning and design stages, rather than after system installation and operation. The SDL is one of the ways to realize this concept. By implementing security measures from the upstream process, it is expected to improve security and reduce the cost of security measures.
The SDL fits security-related activities or practices into the V-model or an agile process. In the case of the agile process, security requirements are also managed in the backlog, and secure-by-design is achieved through security practices such as secure design, static analysis, and vulnerability testing within a sprint. These tasks are generally automated as a pipeline.
Threat analysis is performed for the security requirements at the beginning of the SDL. The Threat Modeling Tool [3] provides support functions for threat analysis, and MITRE ATT&CK [4] provides advice on countermeasures against classified threats. The Threat Modeling Tool applies a threat framework to a data flow diagram (DFD) to find potential security problems and analyze threats to the systems and software to be built. The tool classifies threats using the STRIDE model, shown in Table-1.

Table-1: STRIDE MODEL
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege

STRIDE is a threat analysis model proposed by Microsoft that can classify various types of threats [5].
Since DFD diagrams can be created after the basic design, the Threat Modeling Tool is suitable for threat analysis at the detailed design stage (Figure-1). MITRE ATT&CK is used to improve the accuracy of threat identification by conducting threat analysis using a different approach from the Threat Modeling Tool. MITRE ATT&CK provides a framework that systematically organizes knowledge about attacks for defending against and dealing with them. It has a large amount of information on actual examples, mitigation measures, detection methods, and reports from security vendors and white-hat hackers for each tactic's individual attack techniques and methods. It is highly regarded and attracting attention among security practitioners.

Figure-1: Threat Modeling Tool

MITRE ATT&CK provides MITRE ATT&CK Navigator [6] as a tool to explore and visualize a vast number of attack techniques. We selected MITRE ATT&CK Navigator, shown in Figure-2, because of its intuitive operation and ease of use as a tool.
Figure-2: MITRE ATT&CK Matrix (axes: Tactics, Technique)

MITRE ATT&CK provides a matrix showing the specific technical elements required for an attack, which consist of Tactics and Techniques. ATT&CK has selected the following 12 tactics. (Enterprise ATT&CK v8 and later also list Reconnaissance and Resource Development before Initial Access, giving 14 tactics.)
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. C&C (Command and Control)
11. Exfiltration
12. Impact

The attacker uses the techniques and methods of Initial Access to begin the attack, and when that tactic is achieved, the attacker moves on to the next tactic. The attacker proceeds to the last tactic, Impact, to achieve the final objective.
MITRE ATT&CK Navigator is provided as a web application and is used via a web browser. Users can display only the techniques of a particular platform, highlight the techniques used by a particular adversary, or search by keyword. The search function allows users to select from techniques, attacker groups, software, mitigations, etc., as well as to extract attack techniques by keyword search. Analysis results can be defined as layers, and the importance of each layer can be assigned as a threat score. Multiple layers can be created and overlaid to visualize overlapping threats. Other features include color-coding of the matrix and the addition of comments. The attack techniques in the matrix are linked to a detailed threat page, where the details of the attack and the mitigation measures can be seen.
Figure-3 shows the security- and safety-related quality characteristics from the quality model in SQuaRE. By mapping security and safety requirements to the selected sub-characteristics, it can easily be judged whether each requirement is validated or not.

Figure-3: Quality characteristics related to security and safety

4. IMPLEMENTATION SUMMARY
We have mapped security requirements to security quality characteristics and applied the SDL to a client-server web system. In order to reflect these quality requirements in the design, a threat analysis is conducted using the Threat Modeling Tool and MITRE ATT&CK Navigator.
From the results of the analysis, a "risk management checklist" as proposed by Kusaka et al. [7] is created. The risk management checklist is a list of threat risks to information assets and functions, their risk assessment, and mitigation measures. The risk management checklist can be used in the detailed design, coding, and testing processes, and is expected to be effective in preventing the creation of vulnerabilities. It can also be used for testing.
Developers follow these steps to identify threats and find countermeasures.
1. Classify security requirements with quality characteristics
2. Create a DFD drawing and perform threat analysis with the Threat Modeling Tool
3. List the analysis results with MITRE ATT&CK Navigator
4. Risk assessment and risk reduction

The security design here is performed both in the architectural design and in the detailed design of V-model development. In the basic design, the system configuration, servers, databases, and other elements are identified, threat analysis is conducted on these elements, and the results of the analysis are passed to the next stage, detailed design. The detailed design based on the threat analysis is expected to reflect the security activities in the subsequent coding and testing processes. In the case of an agile process, those security activities are executed as practices.

5. IMPLEMENTATION DETAILS

5.1. Classifying security requirements with quality characteristics
Classify the security and safety requirements of a system or application by mapping them to the security quality sub-characteristics of the product quality model [8]. Also map the data to be used to the data quality characteristics of the data quality model [9], and then consider which requirements need to be met.

5.2. Creating a DFD drawing and performing threat analysis with the Threat Modeling Tool
Using the Threat Modeling Tool, create a diagram that represents the data flow in the system configuration based on the basic design and on elements such as clients, servers, databases, network devices, etc. Draw a trust boundary to clarify which elements belong to which boundary. A trust boundary is a line that separates areas with different levels of trust. It is a line of defense against threats that occur when the trustworthy and the untrustworthy cross the boundary. Figure-4 shows a configuration with one client, one client storage, three servers, and three databases.

Figure-4: DFD diagram in the Threat Modeling Tool

After running the analysis on the created DFD diagram, a list of detected threats is shown for each element. The tool extracts the results of the threat analysis, shown in Figure-5.

Figure-5: Extracted threat analysis results

In some cases, some of the threats are duplicated because the same threat is detected in each of the three redundant servers. This tool classifies threats by STRIDE and can be used for risk analysis and mitigation assessment. This is accomplished by considering risk mitigation measures for the classified threats rather than for the elements themselves.
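The following is an added illustration of what a STRIDE-per-element analysis over a DFD produces, and of one way to collapse the duplicated findings that the three redundant servers generate. It is not the paper's code and not the Microsoft Threat Modeling Tool's template engine; the DFD is a constructed approximation of the Figure-4 configuration, and the element names, trust zones and the per-element STRIDE mapping are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a small DFD with trust boundaries.

Added example; not the paper's code and not the Microsoft Threat Modeling
Tool's template engine. It reproduces the shape of what that tool does when
it applies a STRIDE template to a DFD, and shows one way to collapse the
duplicated threats reported for redundant servers. The DFD is a constructed
approximation of the Figure-4 configuration (one client, one client storage,
three servers, three databases); names, zones and the mapping are assumptions.
"""
from dataclasses import dataclass

# Classic STRIDE-per-element mapping (assumed; the tool's real template is richer).
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R: a store holding audit logs can be repudiated
    "data_flow": "TID",
}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information Disclosure", "D": "Denial of Service",
                "E": "Elevation of Privilege"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str              # key of STRIDE_PER_ELEMENT
    zone: str              # trust zone; a flow between zones crosses a trust boundary
    role: str = ""         # logical role shared by redundant instances, e.g. "web-server"

    def group(self):
        return self.role or self.name

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str

@dataclass(frozen=True)
class Threat:
    category: str          # one STRIDE letter
    target: str            # element name, or "src->dst" for a flow
    group: str             # role-level key used for de-duplication
    crosses_boundary: bool

def enumerate_threats(elements, flows):
    """Raise every STRIDE category applicable to each element and each flow."""
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for c in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(c, e.name, e.group(), False))
    for f in flows:
        s, d = by_name[f.src], by_name[f.dst]
        for c in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(c, f"{f.src}->{f.dst}",
                                  f"{s.group()}->{d.group()}", s.zone != d.zone))
    return threats

def dedupe(threats):
    """Merge threats that differ only in which redundant instance they hit:
    one checklist row per (category, role, boundary-crossing), listing all targets."""
    grouped = {}
    for t in threats:
        grouped.setdefault((t.category, t.group, t.crosses_boundary), []).append(t.target)
    return {k: sorted(v) for k, v in grouped.items()}

def boundary_crossing(threats):
    """Threats on flows that cross a trust boundary, the paper's 'line of defense'."""
    return [t for t in threats if t.crosses_boundary]

# Constructed DFD approximating Figure-4.
ELEMENTS = [
    Element("client", "external_entity", "user"),
    Element("client_storage", "data_store", "user"),
    Element("web1", "process", "dmz", role="web-server"),
    Element("web2", "process", "dmz", role="web-server"),
    Element("web3", "process", "dmz", role="web-server"),
    Element("db1", "data_store", "internal", role="database"),
    Element("db2", "data_store", "internal", role="database"),
    Element("db3", "data_store", "internal", role="database"),
]
FLOWS = [Flow("client", "client_storage", "local cache")] + \
        [Flow("client", f"web{i}", "HTTPS request") for i in (1, 2, 3)] + \
        [Flow(f"web{i}", f"db{i}", "SQL") for i in (1, 2, 3)]

def summary(elements=ELEMENTS, flows=FLOWS):
    threats = enumerate_threats(elements, flows)
    return {"raw": len(threats), "unique": len(dedupe(threats)),
            "crossing": len(boundary_crossing(threats))}

if __name__ == "__main__":
    for (cat, group, crosses), targets in sorted(dedupe(enumerate_threats(ELEMENTS, FLOWS)).items()):
        flag = " [crosses trust boundary]" if crosses else ""
        print(f"{STRIDE_NAMES[cat]:<22} {group:<26} x{len(targets)}{flag}: {', '.join(targets)}")
    print(summary())
```

On this constructed DFD the raw enumeration yields 57 threats, of which only 25 are distinct once the three web servers and three databases are folded into their roles; the 18 threats on flows that cross a trust boundary are the ones to treat first. Grouping by role answers the question raised in the remaining issues below: the duplicates are kept as evidence (every instance is listed) but evaluated once.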
5.3. Listing the analysis results with MITRE ATT&CK Navigator
MITRE ATT&CK Navigator visualizes the listed threats. The resulting list is shown in Figure-6. It supports creating two layers and checking for overlapping attack techniques. In the case of the keywords "email" and "web", layer 1 is given a threat score of 30 and layer 2 a threat score of 50. By superimposing the search results of layer 1 and layer 2 under these conditions, the merged results are displayed: layer 1 in red, layer 2 in yellow, and the overlapping items (threat score 30+50=80) in green. From these results, only the threats relevant to the system are identified. It is also possible to investigate what vulnerabilities have been discovered in products with similar architectures, and to identify possible threats by using CWE (Common Weakness Enumeration) to classify these vulnerabilities. MITRE provides the CWE list with a description of each weakness and its related CWEs under several classification views [10].

Figure-6: MITRE ATT&CK search results
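The layer overlay described above can be reproduced outside the browser, which is useful when the same search has to be re-run for every release. The following is an added example, not the paper's code and not part of MITRE's Navigator: it builds two Navigator layer objects from keyword searches, sums the scores technique by technique (what Navigator does with the score expression "a+b" when creating a layer from other layers) and colours the cells as the paper describes. The technique IDs and names are real ATT&CK entries, but the one-line summaries are constructed paraphrases so the search can run offline, and the version strings in the layer header are assumed.

```python
"""Build two ATT&CK Navigator layers from keyword searches and merge them.

Added example; not the paper's code and not MITRE's Navigator. Technique IDs
and names are real ATT&CK entries; the summaries are our paraphrases (not
ATT&CK text) used only so the keyword search runs offline. The "versions"
header values are assumed.
"""
import json
import re

# Constructed mini-catalogue: id -> (name, tactic, constructed summary)
CATALOG = {
    "T1566.001": ("Spearphishing Attachment", "initial-access", "malicious attachment delivered by email"),
    "T1566.002": ("Spearphishing Link", "initial-access", "email carrying a link to a malicious web site"),
    "T1114.002": ("Remote Email Collection", "collection", "collect mail from a remote mail server"),
    "T1190": ("Exploit Public-Facing Application", "initial-access", "exploit a flaw in an internet-facing web application"),
    "T1189": ("Drive-by Compromise", "initial-access", "compromise a user visiting a web site"),
    "T1505.003": ("Web Shell", "persistence", "plant a web shell on a web server"),
    "T1071.001": ("Web Protocols", "command-and-control", "command and control over HTTP/HTTPS"),
    "T1078": ("Valid Accounts", "initial-access", "abuse credentials of existing accounts"),
}

RED, YELLOW, GREEN = "#ff0000", "#ffff00", "#00ff00"

def search(keyword):
    """Case-insensitive keyword match over technique name and summary."""
    pat = re.compile(re.escape(keyword), re.I)
    return sorted(tid for tid, (name, _, summary) in CATALOG.items()
                  if pat.search(name) or pat.search(summary))

def make_layer(name, technique_ids, score, color):
    """A Navigator layer (layer format 4.x keys) with one score for every hit."""
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},  # assumed
        "domain": "enterprise-attack",
        "description": f"techniques matching '{name}'",
        "techniques": [
            {"techniqueID": tid, "tactic": CATALOG[tid][1], "score": score,
             "color": color, "comment": f"matched '{name}'", "enabled": True}
            for tid in technique_ids
        ],
    }

def merge_layers(a, b):
    """Sum scores per technique (Navigator's 'a+b' expression); colour cells
    red if only in a, yellow if only in b, green if in both."""
    sa = {t["techniqueID"]: t for t in a["techniques"]}
    sb = {t["techniqueID"]: t for t in b["techniques"]}
    merged = []
    for tid in sorted(set(sa) | set(sb)):
        score = sa.get(tid, {}).get("score", 0) + sb.get(tid, {}).get("score", 0)
        color = GREEN if tid in sa and tid in sb else RED if tid in sa else YELLOW
        merged.append({"techniqueID": tid, "tactic": CATALOG[tid][1], "score": score,
                       "color": color, "comment": "", "enabled": True})
    return {"name": f"{a['name']} + {b['name']}", "versions": a["versions"],
            "domain": a["domain"], "description": "merged layer", "techniques": merged}

def overlapping(merged):
    """Technique IDs present in both source layers."""
    return [t["techniqueID"] for t in merged["techniques"] if t["color"] == GREEN]

def build(keyword1="email", keyword2="web", score1=30, score2=50):
    layer1 = make_layer(keyword1, search(keyword1), score1, RED)
    layer2 = make_layer(keyword2, search(keyword2), score2, YELLOW)
    return merge_layers(layer1, layer2)

if __name__ == "__main__":
    merged = build()
    print(json.dumps(merged, indent=2))        # paste/upload into Navigator as a layer
    print("overlap:", overlapping(merged))
```

With the constructed catalogue, "email" matches three techniques and "web" five; the one technique found by both searches (Spearphishing Link) is scored 80 and coloured green, which is exactly the cell the paper singles out as the threat that is relevant to the system.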
5.4. Risk assessment and risk reduction
Based on the results of the threat analysis, a risk management checklist is prepared. The checklist covers the evaluation of each threat, the consideration of risk reduction methods, and the evaluation of the implementation of the risk reduction methods. Its items are:
• Information assets and functions
• Threats (STRIDE classification)
• Anticipated harm/risk conditions
• Risk estimation and assessment
• Risk reduction methods (mitigation measures)
• Evaluation after implementation of risk reduction methods
• Any new hazards/hazardous conditions that have arisen because of the implementation of risk reduction measures
• Availability/reason for response

Since the risk assessment for each threat depends on the knowledge and skills of the person in charge, and it is difficult to obtain quantitative assessment results, we adopted CVSS (Common Vulnerability Scoring System) [12], an open, vendor-independent vulnerability assessment method proposed by FIRST (Forum of Incident Response and Security Teams) [11]. CVSS evaluates the severity of security vulnerabilities based on three metric groups: base metrics, temporal metrics (the current state of exploit maturity and remediation), and environmental metrics. By using CVSS, the severity of vulnerabilities can be quantitatively compared under the same criteria.
Risk reduction methods are then examined. For example, for "data falsification" (tampering), we conduct a final risk assessment after implementing a mitigation such as "applying security patches".
For threats that require countermeasures, check the "Microsoft Threat Modeling Tool mitigations" based on the STRIDE classification of the Threat Modeling Tool and the MITRE ATT&CK mitigations for each attack technique, and then consider and plan the countermeasures.
From the results of the risk assessment, the existence of countermeasures and the threats to be prioritized can be identified, and whether the security requirements have been met can be determined by inspecting the threats in testing-related activities.
6. IMPLEMENTATION RESULTS
Using the Threat Modeling Tool, mechanical threat analysis can be performed without any security skills, as long as one can draw DFD diagrams. Discussion while looking at the DFD diagrams is also effective for examining where the threats are in the system configuration, and it was confirmed that the quality requirements are secured from the threat analysis results. In addition, MITRE ATT&CK can visually identify threats, and when used in conjunction with the Threat Modeling Tool, it is an effective complement to threat analysis. MITRE ATT&CK can also be used as a database for investigating mitigation measures against attack techniques.
The risk management check sheet, which is a deliverable of the design process, can be used as a check sheet for code review in coding and as a source of vulnerability test items in testing. By implementing security measures upstream, the security activities to be implemented in the subsequent processes have been clarified. If the risk management check sheets had not been prepared in the design process, security activities would have been implemented in other processes without uniformity, and unnecessary man-hours would have been spent due to duplication of work.
In addition, since the CWEs of the target threats are clarified, they can be checked against the results of vulnerability testing tools such as SonarQube [13], Fortify [14], etc. to confirm that the target threats have not been detected. This gives evidence, for the CWEs the tools cover, that confidentiality and integrity are ensured.

7. REMAINING ISSUES
Applying a threat analysis tool is time-consuming due to the large number of analysis results that are detected and must be scrutinized. Even if the threats can be identified mechanically by tools, it takes time to evaluate and filter them one by one, which requires security skill. For example, if there are three servers, the same threats will be output for all three servers. The question is whether to exclude these results as the same threat or to treat them as individual threats. The method of filtering and evaluating the analysis results is an issue to be addressed in the future.
In order to deal with threat analysis, it was necessary to educate the staff about security design and architecture as well as about threat analysis methods and tools. Since many developers implicitly feel that security is difficult, it is necessary to dispel this image by constantly providing appropriate education.

CONCLUSION
Security is a "must-be quality", and it is possible to classify security requirements by using a quality model in SQuaRE. However, it is difficult to set the goal of how security should be analyzed. There are various methods of threat analysis, and threat analysis costs a lot. In order to solve this problem, we consider it necessary to clarify the security requirements and evaluate them for each quality sub-characteristic by using a quality model.
It is also considered necessary to set security ranks for the target systems and to create indicators of which security measures should be implemented for each rank and to what extent time and cost should be spent.
In the current situation where new attack methods emerge and threats continue to appear, continuous security analysis and countermeasures are necessary, and this also leads to risk management for the entire system by considering which quality is affected at the sub-characteristic level.
By utilizing the SDL's security lifecycle and SQuaRE, we expect that continuous security activities can be carried out to provide safe and secure products.

8. References
[1] ISO/IEC 27034-1:2011, "Information technology — Security techniques — Application security — Part 1: Overview and concepts".
[2] "Manual for Developing Security Requirements in Government Procurement for Information Systems," Cabinet Cyber Security Center (NISC), 2019, in Japanese.
[3] Microsoft Threat Modeling Tool, https://docs.microsoft.com/ja-jp/azure/security/develop/threat-modeling-tool
[4] MITRE ATT&CK, https://attack.mitre.org/
[5] Microsoft Security Update Guide, https://portal.msrc.microsoft.com/en-us/security-guidance
[6] MITRE ATT&CK® Navigator, https://mitre-attack.github.io/attack-navigator
[7] Kusaka, H., Nagata, T., Futagawa, Y.: "The Role of QA in SDL Considering Security Quality (Upstream Process)", 2017, https://www.juse.or.jp/sqip/community/bucyo/8/files/shiryou_seika7.pdf, in Japanese.
[8] ISO/IEC 25010:2011, "Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System and software quality models".
[9] ISO/IEC 25012:2008, "Software engineering — Software product Quality Requirements and Evaluation (SQuaRE) — Data quality model".
[10] CWE, https://cwe.mitre.org/
[11] FIRST, https://www.first.org/
[12] CVSS, https://www.first.org/cvss/
[13] SonarQube, https://www.sonarqube.org/
[14] Fortify, https://www.microfocus.com/en-us/cyberres/application-security/
[15] Iwasaki, D., Yasuda, K., Kato, D.: Security Design Methodology Considering Threat Analysis in SDL, The 51st Symposium on Reliability, Maintainability and Safety, 2022, in Japanese.