
Page 1: Nessos securechange cluster meeting

MANAGING SECURITY AND CHANGES AT MODEL LEVEL (SECURE CHANGE)

Fabio Massacci, UNITN; Federica Paci, UNITN; Stephane Paul, THALES

Page 2: SECURE CHANGE PROJECT

• Challenge: support evolution while maintaining security at all levels of the software development process

• Solution: a change-driven security engineering process

  • Interplay between risk assessment and the different phases of the software engineering process

  • Models as the basic unit of change

  • Change propagation is supported by identifying mappings at the conceptual level and orchestrating the respective analysis processes

02/08/2011 2

Page 3: SECURITY ENGINEERING PROCESS

• Interplay between software life-cycle phases and risk assessment activities

• Change management artefacts and methodologies are spread across all phases of the process

Page 4: CHANGE PROPAGATION

• Concepts are mapped between the requirements domain and the risk domain

• The mapped concepts form the interface on which process orchestration and change propagation are based

• When a change affects a concept of the interface, the change is propagated to the other domain

Page 5: A POSSIBLE INSTANTIATION

• Requirements models are Si* models – a goal-oriented requirements language by UNITN

• Risk models are RA DSML models – a domain-specific language for risk analysis by THALES

• Mapped concepts (requirements-model concept – risk-model concept):

  • Rem.Business Object – Risk.Essential Elements

  • Rem.Goal – Risk.Security Objective

  • Rem.Security Goal – Risk.Security Requirement

  • Rem.Process – Risk.Security Solution

Page 6: AN EXAMPLE – BEFORE REQUIREMENT MODEL

Evolution in the ATM domain: introduction of a new tool to support the controllers during the approach phase

Page 7: AN EXAMPLE – EVOLUTION IN ATM

• The risk analyst identifies a new risk:

  • Failure in the provisioning of correct or optimal arrival information due to ATCO (air traffic controller) mistakes

• Two security objectives are defined:

  • The arrival sequence shall be computed automatically by an Arrival Manager (AMAN) system

  • Updates of the sequence should be handled through a dedicated Sequence Manager (SQM) role

• The security objectives are refined into security requirements:

  • The system should integrate an AMAN

  • The organization should integrate a SQM
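The change-propagation mechanism of pages 4, 5 and 7 in runnable form, as an added example that is not part of the original slides or of the SecureChange tooling (Si*, RA DSML). It encodes the four concept mappings of page 5 as a table, applies the risk analyst's changes from this page to a risk model, and propagates every change that touches an interface concept into the requirements model; the new Risk element has no mapped concept, so it stays local to the risk domain. The Element, Model and Change classes, the orchestrate function, the pre-existing Goal in the requirements model and the exact element strings are assumptions made for the example; they paraphrase this page rather than reproduce the project's models.

```python
"""Model-level change propagation between a requirements model and a risk model.

Added example, not SecureChange code: class and function names are assumptions.
"""
from dataclasses import dataclass, field

# Page 5 mapping between the requirements (Rem.) and risk (Risk.) domains.
# Concepts in this table form the "interface" between the two models.
CONCEPT_MAP = {
    "BusinessObject": "EssentialElement",
    "Goal": "SecurityObjective",
    "SecurityGoal": "SecurityRequirement",
    "Process": "SecuritySolution",
}
REVERSE_MAP = {risk: req for req, risk in CONCEPT_MAP.items()}


@dataclass(frozen=True)
class Element:
    concept: str  # e.g. "Goal" (requirements) or "SecurityObjective" (risk)
    name: str


@dataclass(frozen=True)
class Change:
    op: str  # "add" or "remove"
    element: Element


@dataclass
class Model:
    domain: str  # "requirements" or "risk"
    elements: set = field(default_factory=set)

    def apply(self, change):
        if change.op == "add":
            self.elements.add(change.element)
        elif change.op == "remove":
            self.elements.discard(change.element)
        else:
            raise ValueError(f"unknown change op {change.op!r}")


def propagate(change, source_domain):
    """Translate a change on an interface concept into the other domain.

    Returns None when the changed concept is not mapped (e.g. a Risk in the
    risk model): such changes stay local to their own domain.
    """
    mapping = CONCEPT_MAP if source_domain == "requirements" else REVERSE_MAP
    target_concept = mapping.get(change.element.concept)
    if target_concept is None:
        return None
    return Change(change.op, Element(target_concept, change.element.name))


def orchestrate(req_model, risk_model, change, source_domain):
    """Apply a change to its own model and propagate it to the other one.

    Returns the list of changes applied to the other domain, so that the
    analyst there can review them (empty when the interface was not touched).
    """
    if source_domain == "requirements":
        source, target = req_model, risk_model
    else:
        source, target = risk_model, req_model
    source.apply(change)
    mapped = propagate(change, source_domain)
    if mapped is None:
        return []
    target.apply(mapped)
    return [mapped]


def atm_evolution():
    """Replay the page-7 scenario: the risk analyst evolves the risk model."""
    req = Model("requirements")
    risk = Model("risk")
    # Constructed pre-existing goal in the "before" requirements model (assumption).
    req.elements.add(Element("Goal", "Provide arrival information to ATCO"))

    steps = [
        # The new risk is not an interface concept: it stays in the risk model.
        Change("add", Element("Risk", "Failure in provisioning of correct arrival "
                                      "information due to ATCO mistakes")),
        # Security objectives map to requirements-model Goals.
        Change("add", Element("SecurityObjective", "Arrival sequence computed automatically by AMAN")),
        Change("add", Element("SecurityObjective", "Sequence updates handled by a Sequence Manager role")),
        # Security requirements map to requirements-model Security Goals.
        Change("add", Element("SecurityRequirement", "The system integrates an AMAN")),
        Change("add", Element("SecurityRequirement", "The organization integrates a SQM")),
    ]
    pending = []
    for change in steps:
        pending += orchestrate(req, risk, change, "risk")
    return req, risk, pending


if __name__ == "__main__":
    req, risk, pending = atm_evolution()
    for c in pending:
        print(f"propagated to requirements model: {c.op} {c.element.concept} '{c.element.name}'")
```

Propagation is keyed on the mapped concept only, never on the element's content, which is what lets the two analysis processes stay independent: a requirements engineer who removes a Process sees the corresponding Security Solution withdrawn from the risk model, and a risk analyst who adds a plain Risk produces no requirements-side change at all.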

Page 8: AN EXAMPLE – AFTER REQUIREMENT MODEL

Page 9: More details about the project at www.securechange.eu