Publication


Featured research published by Koen Buyens.


Information & Software Technology | 2009

On the secure software development process: CLASP, SDL and Touchpoints compared

Bart De Win; Riccardo Scandariato; Koen Buyens; Johan Grégoire; Wouter Joosen

Development processes for software construction are common knowledge and mainstream practice in most development organizations. Unfortunately, these processes offer little support in order to meet security requirements. Over the years, research efforts have been invested in specific methodologies and techniques for secure software engineering, yet dedicated processes have been proposed only recently. In this paper, three high-profile processes for the development of secure software, namely OWASP's CLASP, Microsoft's SDL and McGraw's Touchpoints, are evaluated and compared in detail. The paper identifies the commonalities, discusses the specificity of each approach, and proposes suggestions for improvement.


availability, reliability and security | 2007

Empirical and statistical analysis of risk analysis-driven techniques for threat management

Koen Buyens; B. De Win; Wouter Joosen

One of the challenges of secure software construction (and maintenance) is to get control over the multitude of threats in order to focus mitigation efforts on the most relevant ones. Risk analysis is one class of techniques for achieving threat reduction, but few studies are available that evaluate the quality of these techniques. In this paper, a selected set of risk analysis techniques has been evaluated and compared based on a realistic case study. The foundations for this analysis were threefold: we defined a set of high-level criteria, we compared the results of the different methods and we used statistical analysis techniques for studying additional characteristics. This analysis was performed on an independently developed case study of a significant size. For this experiment, the benefits of applying these methods were limited for the categorization and the reduction of threats. Therefore, we also suggest ways to improve or complement these methods.


Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems | 2009

Resolving least privilege violations in software architectures

Koen Buyens; Bart De Win; Wouter Joosen

Supporting a security principle, such as least privilege, in a software architecture is difficult. Systematic rules are lacking; no guidance explains how to apply the principle in practice. As a result, security principles are often neglected. This lowers the overall security level of the software system and the cost of fixing such problems later on in the development cycle is high. We propose an improvement in supporting least privilege in software architectures. We have identified architectural transformations that reduce violations to the principle of least privilege. These transformations have been implemented. We have applied the solution on a case study.


computer software and applications conference | 2007

Process Activities Supporting Security Principles

Koen Buyens; Riccardo Scandariato; Wouter Joosen

Security principles, like least privilege, are among the few resources in the body of knowledge for security that survived the test of time. Over the last few years, several secure software development processes have emerged that mention security principles and acknowledge their importance. Nevertheless, support for principles in security processes does not appear to be satisfactory. This paper analyzes a forefront security process (CLASP) and elicits both explicit and hidden relationships between process activities and security principles.


Software and Systems Modeling | 2013

Least privilege analysis in software architectures

Koen Buyens; Riccardo Scandariato; Wouter Joosen

Due to the lack of both precise definitions and effective software engineering methodologies, security design principles are often neglected by software architects, resulting in potentially high-risk threats to systems. This work lays the formal foundations for understanding the security design principle of least privilege in software architectures and provides a technique to identify violations against this principle. The technique can also be leveraged to analyze violations against the security design principle of separation of duties. The proposed approach is supported by tools and has been validated in four case studies, two of which are presented in detail in this paper.


european conference on software architecture | 2010

Automated detection of least privilege violations in software architectures

Riccardo Scandariato; Koen Buyens; Wouter Joosen

Due to the lack of both precise definitions and effective software engineering methodologies, security principles are often neglected by software architects, resulting in potentially high-risk threats to the systems. This work lays the formal foundations for the understanding of the least privilege (LP) principle in software architectures and provides a technique to identify LP violations. The proposed approach is supported by tools and has been validated in four case studies, one of which is presented in detail in this paper.


empirical software engineering and measurement | 2009

Measuring the interplay of security principles in software architectures

Koen Buyens; Riccardo Scandariato; Wouter Joosen

Security principles like least privilege and attack surface reduction play an important role in the architectural phase of security engineering processes. However, the interplay between these principles and the side effects of the application of these secure design strategies on architectural qualities like maintainability have not been studied so far. Therefore it is hard to make informed trade-off decisions between security principles and between security and other qualities. This paper tackles this problem from a quantitative perspective by presenting the experimental results in the context of three case studies.


availability, reliability and security | 2009

Identifying and Resolving Least Privilege Violations in Software Architectures

Koen Buyens; Bart De Win; Wouter Joosen

Security principles, like least privilege, are among the resources in the security body of knowledge that survived the test of time. The implementation of these principles in a software architecture is difficult, as there are no systematic rules on how to apply them in practice. As a result, they are often neglected, which lowers the overall security level of the software system and increases the cost necessary to fix this later in the development life-cycle. This paper improves the support for least privilege in software architectures by (i) defining the foundations to identify potential violations of the principle herein and (ii) eliciting architectural transformations that positively impact the security properties of the architecture, while preserving the semantics thereof. These results have been implemented and validated in a number of case studies.


consumer communications and networking conference | 2007

A Software Architecture to Facilitate the Creation of DRM Systems

Koen Buyens; Sam Michiels; Wouter Joosen

Although various publications confirm the need for a generic DRM software architecture, we observe that current efforts to define a DRM architecture do not always provide sufficient support to enable the creation and management of DRM systems and content distribution applications. This is a considerable problem that implies a crucial challenge for the evolution of DRM, given the impact of a software architecture on the functional and non-functional qualities of the implementation. This paper (1) presents a generic DRM architecture, (2) evaluates it in the context of interoperability, extendability, and modifiability, and (3) compares it to related work in the Digital Media Project (DMP). To the best of our knowledge, the proposed architecture is more detailed than related work published so far.


international conference on software engineering | 2011

Composition of least privilege analysis results in software architectures (position paper)

Koen Buyens; Riccardo Scandariato; Wouter Joosen

Security principles are often neglected by software architects, due to the lack of precise definitions. This results in potentially high-risk threats to systems. Our own previous work tackled this by introducing formal foundations for the least privilege (LP) principle in software architectures and providing a technique to identify violations to this principle. This work shows that this technique can scale by composing the results obtained from the analysis of the sub-parts of a larger system. The technique decomposes the system into independently described subsystems and a description listing the interactions between these subsystems. These descriptions are thence analyzed to obtain LP violations and subsequently composed to obtain the violations of the overall system.

Collaboration


Top Co-Authors

Bart De Win

Katholieke Universiteit Leuven

Johan Grégoire

Katholieke Universiteit Leuven

Sam Michiels

Katholieke Universiteit Leuven

B. De Win

Katholieke Universiteit Leuven

Bart De Decker

Katholieke Universiteit Leuven

Eddy Truyen

Katholieke Universiteit Leuven

Kristof Verslype

Katholieke Universiteit Leuven
