Upload File

functional security requirements

20
Functional Security Requirements Building Predictable Systems using Behavioral Security Modeling Transparent and Pervasive Security

Upload: others

Post on 25-Oct-2021

21 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Functional Security Requirements

Functional Security Requirements

Building Predictable Systems using Behavioral Security

Modeling

Transparent and Pervasive Security

Page 2: Functional Security Requirements

KNOWNS AND UNKNOWNS

“[T]here are known knowns; there are things we know that we know. There are known unknowns; that is to say there are things that, we now know we don't know. But there are also unknown unknowns – there are things we do not know we don't know.” – United States Secretary of Defense, Donald Rumsfeld

Page 3: Functional Security Requirements

“I don’t care about security.”

Page 4: Functional Security Requirements

Everyone “I just set up this new folder, and want to give everyone access” Everyone… •  on my team? •  in IT? •  in the company? •  who is able to access

this directory, even anonymously?

Page 5: Functional Security Requirements

Security Requirements Gap Traditional Requirements •  Security Architecture •  Non-Functional •  Threats •  Exploits •  Defense in Depth •  Misuse Cases •  Known Unknowns

Well-covered in current literature “Keep the bad guys from messing with our stuff.”

Functional Requirements •  Business Controls •  Functional •  Least-Privilege •  Abuse •  Quality •  Constraints •  Unknown Unknowns

Missing from current literature “What are the good guys allowed to do?”

Page 6: Functional Security Requirements

Behavioral Security Modeling

a method for describing and organizing security requirements

Page 7: Functional Security Requirements

Functional requirements for robust and secure information

systems must define all human/information interactions

permitted by the system.

Page 8: Functional Security Requirements

BSM Approach

•  Constraints •  Checklist of

Questions •  Requirement

Patterns •  Go-Path and

No-Go Path

Page 9: Functional Security Requirements

BSM Approach

•  Constraints •  Checklist of

Questions •  Requirement

Patterns •  Go-Path and

No-Go Path

•  Social •  Information •  Location •  Temporal •  Input

Page 10: Functional Security Requirements

BSM Approach

•  Constraints •  Checklist of

Questions •  Requirement

Patterns •  Go-Path and

No-Go Path

Page 11: Functional Security Requirements

BSM Approach

•  Constraints •  Checklist of

Questions •  Requirement

Patterns •  Go-Path and

No-Go Path

Page 12: Functional Security Requirements

BSM Approach

•  Constraints •  Checklist of

Questions •  Requirement

Patterns •  Go-Path and

No-Go Path

Page 13: Functional Security Requirements

Example: Broker Financial

ClientsClients

Operations

Associate

Broker Broker

Page 14: Functional Security Requirements

Example: Broker Financial •  New Financial

Services Firm •  Web-based books &

records system •  Broker, Associate,

Operations •  Two Offices •  Alternate Universe Clients

Operations

Associate

Broker

Page 15: Functional Security Requirements

Example: Broker Financial Social Constraints •  Role-Based Access:

Broker, Associate, Operations

•  Attribute-Based Access: Licensing (Trading Functions for Associates, Brokers)

•  No-Go Path: Trading Clients

Operations

Associate

Broker

Page 16: Functional Security Requirements

Example: Broker Financial Information Constraints •  Role Based Data

Access (Clients) •  Dual Controls

(Checks) •  “My Data” (Clients) •  No-Go Path: Clients

Clients

Operations

Associate

Broker

Page 17: Functional Security Requirements

Example: Broker Financial Location and Temporal Constraints •  On-Premise Only

(Operations) •  During Business

Hours (Trading Functions)

•  No-Go Path: Trading Clients

Operations

Associate

Broker

Page 18: Functional Security Requirements

Example: Broker Financial Input Constraints •  Role-Based

Transaction Limits (Trading Limits)

•  Input Validation (many)

•  No-Go Path: Trading Clients

Operations

Associate

Broker

Page 19: Functional Security Requirements

Behavioral Security Modeling – What’s Next?

•  White Paper on http://transvasive.com/ •  Field testing: If you’re interested, please

let us know! •  Question Checklist (summary, one-page) •  Patterns Website (Wiki) •  Training, Tools, Extend approach later into

the development lifecycle

Page 20: Functional Security Requirements

Thank You! John Benninghoff

[email protected] http://transvasive.com/ Twitter: @transvasive

Karl Brophey [email protected]

Transparent and Pervasive Security


Non-Functional Requirements Non-Functional Requirements

IFX CCI 001Fh SecurityTargetLite - Common Criteria · 2019-07-03 · 7.6 Assignment of Security Functional Requirements to TOE’s Security Functionality ... Security Guidelines v1.00-1792,

Non -Functional Constrains Constrains Functional …€¦ ·  · 2011-11-17Holistic Requirements Model shown in Figure 1. Non -Functional Performance Requirements Functional

FUNCTIONAL & NON-FUNCTIONAL REQUIREMENTS Lecture 6

SECURITY CORE FUNCTION AND DEFINITION REPORT · security core function and definition report ... 2.1 security core functional and non-functional requirements ... this report documents

ATMS User Requirements & ATMS Functional Requirements

The “Functional Requirements family” Functional Requirements for Bibliographic Records Functional Requirements for Authority Data Functional Requirements

 · Non-Functional Requirements Non-Functional Requirements Security File System Security Input Filtering Database Security Password Encryption Cross Site Scripting, XSS Impersonation

DRAFT Cyber Security Electronic Security Perimeter(s)...scope of the applicability of the CIP Cyber Security Requirements. Section ^4.1. Functional Entities is a list of NER functional

المحاضرة الثالثة. Software Requirements Topics covered Functional and non-functional requirements User requirements System requirements Interface specification

FUNCTIONAL REQUIREMENTS FOR DEVELOPMENT OF SPECIFICATION ... C1... · FUNCTIONAL REQUIREMENTS FOR DEVELOPMENT OF SPECIFICATION OF ... functional, design requirements by the ... functional

business requirements functional and non functional

Functional Requirements Catalogue 30 March 2011 · 2012-12-21 · Functional Requirements Catalogue 30 March 2011 Operational Requirements 1.4. The operational functional requirements

RSA Security Analytics v10.6.1 Security Target · Security Functional Requirements ... ATD Automated Threat Detection CC Common Criteria EAL Evaluation Assurance Level EPS Events

Introduction to Non-Functional Requirements on a Web ... · Requirements Non-Functional Requirements Security File System Security Input ... Cross Site Scripting, XSS Impersonation

Security Target: API Technologies ION SA5600 v1.3.1 … · Security Target: API Technologies ION SA5600 v1.3.1 with PRIISMS v2.8.1 ... 6.1 Security Functional Requirements ... Password-based

Functional Requirements

SailPoint - niap-ccevs.org · PDF file5.1 Extended Security Functional Requirements ..... 20 5.2 Extended Security Assurance Requirements ... [14] SailPoint IdentityIQ Direct Connectors

OWASP The OWASP Foundation · 2020-01-17 · Security Requirements Encompasses both functional requirements for security controls and risk mitigation driven requirements from the

SafeGuard Enterprise Device Encryption - Common Criteria · PDF file9.2.1 Security Functional Requirements .....43 9.2.2 Security Requirements for the Environment

Secure Development Processes - OWASP · Touchpoint 4: Security testing Test security functionality –Cover non-functional requirements –Security software probing Risk-based testing

Security Target Lite NGSIEM LogICA5 7.1 Security Target Lite · TABLA 7: SECURITY FUNCTIONAL REQUIREMENTS RATIONALE Security functional requirements rationale justifica que los requerimientos

Security Target Lite MAV31S Open Platform JCS CoreG_LC Security Functional Requirements ..... 48 8.1.1.1 Firewall Policy ... 72 8.3 SECURITY R

Functional & Technical Requirements Document Template...This Functional and Technical Requirements Document outlines the functional, performance, security and other system requirements

Guidance Software EnCase Enterprise Security Target · • Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional

Requirements-based Test Generation Functional Testingparis.utdallas.edu/.../07-Requirements-based-Functional-Testing-one... · generating tests for functional ... functional) requirements

CS 325: Software Engineering January 22, 2015 Software Requirements Elicitation Eliciting Requirements Functional Requirements Non-Functional Requirements

XProtect Professional Plus Open CSI A&E Specification€¦  · Web viewDescription, architectural and functional requirements, data security requirements, operational capabilities,

Software Requirements Lecture # 3. 2 Kinds of Software Requirements Functional requirements Non-functional requirements Domain requirements Inverse requirements

LABELED SECURITY PROTECTION PROFILEThe Common Criteria (CC) Labeled Security Protection Profile, hereafter called LSPP, specifies a set of security functional and assurance requirements

VMware AirWatch Mobile Device Management · Identification and Authentication ... 5.1 Extended Security Functional Requirements ... including access to Password and Security settings,

SPECIFYING SYSTEM SECURITY REQUIREMENTS - · PDF fileSpecifying System Security ... Functional Requirement ... 3.0 Personnel Data Management 4.0 Software Development 5.0 System Security

Lecture 6: Non-Functional Requirements (NFRs) · What are Non-functional Requirements? Functional vs. Non-Functional !Functional requirements describe what the system should do "

Requirements - Cal Poly · IEEE Definition of Requirement ... Functional Requirements Specification Functional Requirements Document . Requirements Problems • Insufficient User

Non-functional Requirements. Objectives To introduce non-functional requirements To explain the schemes used to classify non- functional requirements