-
Using Process Models to understand Security Standards
Authors:
Fabiola Moyón,
Daniel Méndez,
Kristian Beckers,
Sebastian Klepper
Abstract:
Many industrial software development processes today have to comply with security standards such as the IEC 62443-4-1. These standards, written in natural language, are ambiguous and complex to understand. This is especially true for non-security experts. Security practitioners thus invest much effort into comprehending standards and, later, into introducing them to development teams. However, our experience in the industry shows that development practitioners might very well also read such standards, but nevertheless end up inviting experts for interpretation (or confirmation). Such a scenario is not in tune with current trends and needs of increasing velocity in continuous software engineering.
In this paper, we propose a tool-supported approach to make security standards more precise and easier to understand for both non-security as well as security experts by applying process models. This approach emerges from a large industrial company and encompasses so far the IEC 62443-4-1 standard. We further present a case study with 16 industry practitioners showing how the approach improves communication between development and security compliance practitioners.
Submitted 27 May, 2021;
originally announced May 2021.
-
How to Integrate Security Compliance Requirements with Agile Software Engineering at Scale?
Authors:
Fabiola Moyón,
Daniel Méndez Fernández,
Kristian Beckers,
Sebastian Klepper
Abstract:
Integrating security into agile software development is an open issue for research and practice. Especially in strongly regulated industries, complexity increases not only when scaling agile practices but also when aiming for compliance with security standards. To achieve security compliance in a large-scale agile context, we developed S2C-SAFe: an extension of the Scaled Agile Framework that is compliant with the security standard IEC 62443-4-1 for secure product development.
In this paper, we present the framework and its evaluation by agile and security experts within Siemens' large-scale project ecosystem. We discuss benefits and limitations as well as challenges from a practitioners' perspective. Our results indicate that S2C-SAFe contributes to successfully integrating security compliance with lean and agile development in regulated environments. We also hope to raise awareness for the importance and challenges of integrating security in the scope of Continuous Software Engineering.
Submitted 27 May, 2021;
originally announced May 2021.
-
Integration of Security Standards in DevOps Pipelines: An Industry Case Study
Authors:
Fabiola Moyón Constante,
Rafael Soares,
Maria Pinto-Albuquerque,
Daniel Méndez,
Kristian Beckers
Abstract:
In the last decade, companies adopted DevOps as a fast path to deliver software products according to customer expectations, with well-aligned teams and in continuous cycles. As a basic practice, DevOps relies on pipelines that simulate factory swim-lanes. The more automation in the pipeline, the shorter the lead time is supposed to be. However, applying DevOps is challenging, particularly for industrial control systems (ICS) that support critical infrastructures and that must obey rigorous requirements from security regulations and standards. Current research on security-compliant DevOps presents open gaps for this particular domain and, in general, for the systematic application of security standards. In this paper, we present a systematic approach to integrate standard-based security activities into DevOps pipelines and highlight their automation potential. Our intention is to share our experiences and help practitioners overcome the trade-off between adding security activities to the development process and keeping a short lead time. We conducted an evaluation of our approach at a large industrial company considering the IEC 62443-4-1 security standard that regulates ICS. The results strengthen our confidence in the usefulness of our approach and artefacts, and in that they can support practitioners in achieving security compliance while preserving agility, including short lead times.
Submitted 27 May, 2021;
originally announced May 2021.
-
When Interactive Graphic Storytelling Fails
Authors:
James Barela,
Tiago Espinha Gasiba,
Santiago Reinhard Suppan,
Marc Berges,
Kristian Beckers
Abstract:
Many people are unaware of the digital dangers that lie around each cyber-corner. Teaching people how to recognize dangerous situations is crucial, especially for those who work on or with computers. We postulated that interactive graphic vignettes could be a great way to expose professionals to dangerous situations and demonstrate the effects of their choices in these situations. In that way, we aimed to inoculate employees against cybersecurity threats.
We used the Comic-BEE platform to create interactive security awareness vignettes and evaluated how employees of a major industrial company perceived them. To analyse the potential of these comics, we ran an evaluation study as part of a capture-the-flag (CTF) event, an interactive exercise for hacking vulnerable software. We evaluated whether the comics fulfilled our requirements based on the responses of the participants. We showed the comics, on various cybersecurity concepts, to 20 volunteers. In the context of a CTF event, our requirements were not fulfilled. Most participants considered the images distracting, stating a preference for text-only material.
Submitted 6 January, 2021;
originally announced January 2021.
-
On the Requirements for Serious Games geared towards Software Developers in the Industry
Authors:
Tiago Espinha Gasiba,
Kristian Beckers,
Santiago Suppan,
Filip Rezabek
Abstract:
Teaching industry staff about cybersecurity issues is a fundamental activity that must be undertaken in order to guarantee the delivery of successful and robust products to market. Much research attention has been devoted to this topic over the last years. However, the research that has been done has not focused on developing secure code in industrial environments. In this paper we take a look at the constraints and requirements for delivering training, by means of cybersecurity challenges, that covers secure coding topics from an industry perspective. Using requirements engineering, we aim at understanding the design requirements for such challenges. Along the way, we give details on our experience of delivering cybersecurity challenges in an industrial setting and show the outcome and lessons learned. The proposed requirements for cybersecurity challenges geared towards software developers in an industrial environment are based on a systematic literature review, interviews with security experts from the industry and a semi-structured evaluation of participant feedback.
Submitted 6 January, 2021;
originally announced January 2021.
-
Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS
Authors:
Luca Allodi,
Sebastian Banescu,
Henning Femmer,
Kristian Beckers
Abstract:
The assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a 'severity' score for the vulnerability. The Common Vulnerability Scoring System (CVSS) is the reference standard for this assessment. Yet, no guidance currently exists on which information aids a correct assessment and should therefore be considered.
In this paper we address this problem by evaluating which information cues increase (or decrease) assessment accuracy.
We devise a block design experiment with 67 software engineering students with varying vulnerability information and measure scoring accuracy under different information sets.
We find that baseline vulnerability descriptions provided by standard vulnerability sources provide only part of the information needed to achieve an accurate vulnerability assessment. Further, we find that additional information on assets, attacks, and vulnerability type contributes to increasing the accuracy of the assessment; conversely, information on known threats misleads the assessor, decreases assessment accuracy and should be avoided when assessing vulnerabilities. These results go in the direction of formalizing vulnerability communication to, for example, fully automate security assessments.
Submitted 20 March, 2018;
originally announced March 2018.
-
An Exploratory Survey of Hybrid Testing Techniques Involving Symbolic Execution and Fuzzing
Authors:
Saahil Ognawala,
Ana Petrovska,
Kristian Beckers
Abstract:
Recent efforts in practical symbolic execution have successfully mitigated the path-explosion problem to some extent with search-based heuristics and compositional approaches. Similarly, due to an increase in the performance of cheap multi-core commodity computers, fuzzing as a viable method of random mutation-based testing has also seen promise. However, the possibility of combining symbolic execution and fuzzing, thereby providing an opportunity to mitigate each other's drawbacks, has not been sufficiently explored. Fuzzing could, for example, expedite path exploration in symbolic execution, and symbolic execution could make seed input generation in fuzzing more efficient. There have only been, in our view, very few hybrid solution proposals with symbolic execution and fuzzing at their centre. By analyzing 77 relevant and systematically selected papers, we (1) present an overview of hybrid solution proposals of symbolic execution and fuzzing, (2) perform a gap analysis in research of hybrid techniques to improve both plain symbolic execution and fuzzing, and (3) propose new ideas for hybrid test-case generation techniques.
Submitted 19 December, 2017;
originally announced December 2017.
-
ACCBench: A Framework for Comparing Causality Algorithms
Authors:
Simon Rehwald,
Amjad Ibrahim,
Kristian Beckers,
Alexander Pretschner
Abstract:
Modern socio-technical systems are increasingly complex. A fundamental problem is that the borders of such systems are often not well-defined a priori, which among other problems can lead to unwanted behavior during runtime. Ideally, unwanted behavior should be prevented. If this is not possible, the system shall at least be able to help determine potential cause(s) a posteriori, identify responsible parties and make them accountable for their behavior. Recently, several algorithms addressing these concepts have been proposed. However, the applicability of the corresponding approaches, specifically their effectiveness and performance, is mostly unknown. Therefore, in this paper, we propose ACCBench, a benchmark tool that allows one to compare and evaluate causality algorithms under a consistent setting. Furthermore, we contribute an implementation of the two causality algorithms by Gößler and Metayer and Gößler and Astefanoaei as well as of a policy compliance approach based on some concepts of Main et al. Lastly, we conduct a case study of an Intelligent Door Control System, which exposes concrete strengths and weaknesses of all algorithms under different aspects. In the course of this, we show that the effectiveness of the algorithms in terms of cause detection as well as their performance differ to some extent. In addition, our analysis reports on some qualitative aspects that should be considered when evaluating each algorithm. For example, the human effort needed to configure the algorithm and model the use case is analyzed.
Submitted 10 October, 2017;
originally announced October 2017.