Testing Formally Specified Software Requirements for Cybersecurity Regulatory Compliance

Abstract

Executive Summary

Assuring the quality of complex software systems is critical for meeting quality of service (QoS) requirements, including those imposed by federal contracting regulations. Despite the importance of QoS, most regulatory compliance researchers have focused on extracting or eliciting requirements from regulations, on the assumption that once these requirements were formally specified they could be tested like any other software requirements. Herein, we propose to evaluate this assumption and determine whether and how regulatory requirements related to data privacy and security require additional support for demonstrating regulatory compliance. Our research would use a formal requirements specification language, such as Eddy [1], to translate the cybersecurity requirements of NIST Special Publication 800-171 [4] into formal software requirements, and then use those formal requirements to generate test cases for a software system. The significance of the proposed research lies in providing, and evaluating the utility of, a systematic link between regulations, software requirements, and test cases: a chain of software engineering activities that has not been previously studied. Organizations can use our proposed test case definitions, proof-of-concept studies, and automated test case generation tools to create test cases for applications that must follow regulations in a regulated domain such as health care or finance. The research would draw on the deep technical expertise at UMBC and the regulatory expertise at USNA, and it would rely on collaboration between USNA midshipmen and undergraduate and graduate students at UMBC.

The proposed research fits the following thrusts of the Cyber Security and Complex Systems Program at ONR: "Principles for Correctness and Security Properties," as we are working towards a framework to verify compliance with security regulations by testing complex software systems, and "Secure Information Management, Sharing and Interaction," as the proposed research seeks to establish systematic bridges between the government that writes regulations (the information producers) and the software developers and testers (the consumers who are expected to follow those regulations in the software they develop).

Broader Impacts

Software organizations and software engineers have a responsibility to deliver regulation-compliant software. Verifying compliance is complicated by ambiguity in the law, which results in imprecise and varied representations. Software engineering as a field offers little support to developers for verifying compliance: most compliance efforts have focused on generating formal requirements that meet regulations, with too little research on how to verify compliance as the system is being developed or once it has been built. Our proposed research will provide developers and testers with a formal, experimentally evaluated technique to verify compliance in later lifecycle phases, such as testing. Education is a grassroots approach by which change can be effected. By training graduate and undergraduate students to understand regulations, formal requirements, specification languages, and systematic testing, we hope to embed in future software engineers the need for regulatory compliance as deeply as other established software engineering concepts.

Document Details

Document Type
DoD Grant Award
Publication Date
Jul 10, 2018
Source ID
N000141812451

Entities

People

  • Aaron Massey

Organizations

  • Office of Naval Research
  • United States Navy
  • University of Maryland, Baltimore County (UMBC)

Tags

Fields of Study

  • Computer science
  • Engineering

Readers

  • Defense Financial Management and Audit
  • Distributed Systems and Data Platform Development
  • Software Engineering

Technology Areas

  • Cyber