Assurance Cases Overview
Abstract
Our objective for the Assurance Cases (AC) content area of the Build Security In (BSI) Web site is to raise awareness about emerging methods and tools for assuring security properties of systems. In this content area, we introduce the concepts and benefits of developing and maintaining assurance cases for security. In particular, we describe the benefits of integrating assurance cases for security into the software development life cycle (SDLC) by "building assurance in" from the outset. Elsewhere on the BSI Web site, the reader can learn about best practices, tools, and techniques that can help developers build security into their software. But the mere existence or claimed use of one or more of these best practices, tools, or techniques does not constitute an adequate assurance case. For example, in support of an overarching security claim (e.g., that a system is acceptably secure), security assurance cases must provide evidence that particular best practices, tools, and techniques were properly applied and must indicate by whom they were applied and their extent of coverage. Moreover, unlike many product certifications that quickly grow stale because they are merely snapshots in time of an infrequently applied certification process, a security assurance case should provide evidence that the practices, tools, or techniques being used to improve security were actually applied to the currently released version of the software (or that the results were invariant to any of the code changes that subsequently occurred). A security assurance case uses a structured set of arguments and a corresponding body of evidence to demonstrate that a system satisfies specific claims with respect to its security properties. The case should be amenable to review by a wide variety of stakeholders. Although tool support is available, the creation and documentation of a security case can be a demanding and time-consuming process.
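The abstract describes an assurance case as a structured set of claims, arguments and evidence, and insists that evidence must name who applied a practice, what it covered, and that it was applied to the currently released version (or shown invariant to later changes). The following Python is an added illustration, not code from the report or from the BSI site: it models a claim tree with that shape and walks it to report the ways a case falls short. The class and field names, the checker, and the sample case (a hypothetical service at release 2.4.0) are all constructed for this example.

```python
"""Tiny assurance-case checker: claims, arguments (subclaims) and evidence.

Added illustration, not from the report. The structure follows the abstract's
claim/argument/evidence description; field names and the sample case are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Evidence:
    """One piece of evidence supporting a claim."""
    description: str
    applied_by: str                     # who applied the practice or tool
    coverage: float                     # fraction of the relevant code covered, 0.0..1.0
    version_applied: str                # release the practice was actually run against
    invariant_to_changes: bool = False  # result shown unaffected by later code changes


@dataclass
class Claim:
    """A claim, argued via subclaims and/or directly supported by evidence."""
    statement: str
    subclaims: List["Claim"] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)


def evidence_is_current(ev: Evidence, release: str) -> bool:
    """Evidence counts only if it was applied to the current release, or the
    result was shown to be invariant to the code changes made since then."""
    return ev.version_applied == release or ev.invariant_to_changes


def evaluate(claim: Claim, release: str, min_coverage: float = 1.0) -> List[str]:
    """Walk the case and return the findings that keep it from being adequate.

    An empty list means every leaf claim is backed by current, attributed,
    sufficiently covering evidence (or is argued via such subclaims).
    """
    findings: List[str] = []
    if not claim.subclaims and not claim.evidence:
        findings.append(f"gap: '{claim.statement}' has no argument or evidence")
    for ev in claim.evidence:
        if not evidence_is_current(ev, release):
            findings.append(f"stale: '{ev.description}' applied to "
                            f"{ev.version_applied}, release is {release}")
        if not ev.applied_by:
            findings.append(f"unattributed: '{ev.description}' does not say who applied it")
        if ev.coverage < min_coverage:
            findings.append(f"coverage: '{ev.description}' covers "
                            f"{ev.coverage:.0%} < {min_coverage:.0%}")
    for sub in claim.subclaims:
        findings.extend(evaluate(sub, release, min_coverage))
    return findings


def sample_case() -> Claim:
    """Constructed example case for a hypothetical service at release 2.4.0."""
    return Claim(
        "The service is acceptably secure for release 2.4.0",
        subclaims=[
            # Evidence exists but was produced against an older release and
            # was not re-run, so it is a stale snapshot.
            Claim("Input handling is free of known injection flaws",
                  evidence=[Evidence("Static analysis (taint rules) over all request handlers",
                                     applied_by="appsec team", coverage=1.0,
                                     version_applied="2.3.1")]),
            # Older evidence that still counts: the reviewed configuration
            # has not changed since, which the case records explicitly.
            Claim("TLS configuration follows the project's hardening baseline",
                  evidence=[Evidence("Manual configuration review against baseline",
                                     applied_by="J. Doe", coverage=1.0,
                                     version_applied="2.2.0", invariant_to_changes=True)]),
            # A claim with nothing behind it yet: the case has a gap here.
            Claim("Third-party dependencies have no unpatched known vulnerabilities"),
        ],
    )


if __name__ == "__main__":
    for finding in evaluate(sample_case(), "2.4.0"):
        print(finding)
```

Run against release 2.4.0, the checker reports the stale static-analysis result and the unsupported dependency claim, while the configuration review from 2.2.0 is accepted because the case records that it is invariant to subsequent changes. Re-running the check on every release is the cheap part; the point the abstract makes is that producing the evidence, with attribution and coverage, is the demanding work.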
Document Details
- Document Type: Technical Report
- Publication Date: Jan 01, 2007
- Accession Number: AD1153802
Entities
People
- Howard F. Lipson
Organizations
- Carnegie Mellon University