A Sample Security Assurance Case Pattern

Abstract

Essentially all systems with software should address security. However, there is no single magic bullet that makes software secure, because security is an emergent property of a system. Tracking and managing the application of the various techniques across the software corpus and throughout the software life cycle can be overwhelming. An assurance case is a widely recommended practical alternative to other approaches for managing the assurance activities. An assurance case includes a top-level claim for a property of a system or product (or set of claims), systematic argumentation regarding this claim, and the evidence and explicit assumptions that underlie this argumentation [ISO 15026-2:2011]. Since an assurance case is systematic, it is much easier for people to determine whether important areas have been adequately covered, and to understand the ramifications of different decisions. Maintaining an assurance case for security properties (a security assurance case) is a simple idea, but many have found it difficult to create a security assurance case because of the limited number of sample patterns and worked examples. This document provides a sample security assurance case pattern, based on a publicly available assurance case of a real commercial system. This document also shows how this pattern can be applied to a real system. We hope that many system/software developers and approving authorities will find this sample pattern and its application to be a useful place to start when developing their own assurance cases. This document also discusses changes that could be made to deal with different kinds of applications, such as Internet of Things (IoT) or weapon systems. The sample security assurance case pattern provided here is for a system that only requires moderate assurance; higher levels of assurance would call for more rigor. This pattern can make it much easier to create a security assurance case.

Document Details

Document Type
Technical Report
Publication Date
Dec 03, 2018
Accession Number
AD1114600

Entities

People

  • David A. Wheeler
  • E. K. Fong

Organizations

  • Institute for Defense Analyses

Tags

Communities of Interest

  • Cyber
  • Engineered Resilient Systems
  • Space

DTIC Thesaurus Topics

  • Authentication
  • Business Administration
  • Computer Access Control
  • Computer Programming
  • Computer Programs
  • Computers
  • Cybersecurity
  • Information Systems
  • Internet Of Things
  • Life Cycles
  • National Security
  • Resource Management
  • Security
  • Systems Engineering
  • Test And Evaluation
  • Verification
  • Weapon Systems

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Software Engineering
  • Theoretical Analysis

Technology Areas

  • 5G