This is the presentation slides on the paper "Safe & Sec Case Patterns" at ASSURE 2015. This research investigate how to integrate safety and security from process patterns and show an integrated assurance case for both.
This document describes a threat analysis tool called cp/TARA that was originally developed under a Japanese government research project on automotive cybersecurity. cp/TARA provides a common platform to integrate various threat analysis methods and risk assessment criteria using models. It supports threat analysis and risk assessment based on attack trees. cp/TARA models security features using extended SysML diagrams and can identify assets, attack surfaces, threats and derive security requirements to analyze threats in an automotive system.
Verification of IVI Over-The-Air using UML/OCLSeungjoo Kim
Verification of IVI Over-The-Air using UML/OCL @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Assurance-Level Driven Method for Integrating Security into SDLC ProcessSeungjoo Kim
Sooyoung Kang, Seungyeon Jeong, and Seungjoo Kim, "Assurance-Level Driven Method for Integrating Security into SDLC Process”, Proc. of The 18th CCUF Workshop 2020, The 18th Common Criteria Users Forum Workshop, Virtual (online) Conference, November 12, 2020.
Application of theorem proving for safety-critical vehicle softwareAdaCore
The document discusses applying formal verification techniques like theorem proving to automotive software for safety-critical functions. It provides background on software safety requirements and discusses fault avoidance versus fault tolerance approaches. The document then presents a case study where theorem proving is used to verify a software function for autonomous vehicle control. It explains the process of breaking the software into portions and verifying each portion using logical proofs of pre and post conditions. The document highlights benefits of theorem proving over testing in providing a logical proof that software is bug-free, but also notes limitations like not verifying timing behavior.
This document describes a threat analysis tool called cp/TARA that was originally developed under a Japanese government research project on automotive cybersecurity. cp/TARA provides a common platform to integrate various threat analysis methods and risk assessment criteria using models. It supports threat analysis and risk assessment based on attack trees. cp/TARA models security features using extended SysML diagrams and can identify assets, attack surfaces, threats and derive security requirements to analyze threats in an automotive system.
Verification of IVI Over-The-Air using UML/OCLSeungjoo Kim
Verification of IVI Over-The-Air using UML/OCL @ ICCC 2019 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation
Assurance-Level Driven Method for Integrating Security into SDLC ProcessSeungjoo Kim
Sooyoung Kang, Seungyeon Jeong, and Seungjoo Kim, "Assurance-Level Driven Method for Integrating Security into SDLC Process”, Proc. of The 18th CCUF Workshop 2020, The 18th Common Criteria Users Forum Workshop, Virtual (online) Conference, November 12, 2020.
Application of theorem proving for safety-critical vehicle softwareAdaCore
The document discusses applying formal verification techniques like theorem proving to automotive software for safety-critical functions. It provides background on software safety requirements and discusses fault avoidance versus fault tolerance approaches. The document then presents a case study where theorem proving is used to verify a software function for autonomous vehicle control. It explains the process of breaking the software into portions and verifying each portion using logical proofs of pre and post conditions. The document highlights benefits of theorem proving over testing in providing a logical proof that software is bug-free, but also notes limitations like not verifying timing behavior.
Information Technology Security Techniques Evaluation Criteria For It Secrit...Vishnu Kesarwani
This document describes Part 3 of ISO/IEC 15408 (Common Criteria), which defines security assurance requirements. It establishes evaluation criteria for Protection Profiles and Security Targets, and presents Evaluation Assurance Levels (EALs) from EAL1 to EAL7 that define the ISO/IEC 15408 assurance scale. The document outlines the objectives, components, and increasing assurance provided at each EAL. The goal is to provide consumers, developers and evaluators a standard way to express and evaluate assurance requirements for IT systems and products.
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
Daniel Rohrer, VP of Software Product Security at NVIDIA, discussed NVIDIA's journey to adopting the SPARK subset of the Ada programming language and the AdaCore tooling for improving software security and safety. NVIDIA was motivated by increasing complexity of systems, criticality of failures, and limitations of existing techniques. They selected SPARK and AdaCore due to the decidable nature of the language, credible ecosystem, emphasis on provability over testing, ability to scale, and responsiveness of AdaCore. NVIDIA piloted the use of SPARK on firmware to gain security and safety benefits while targeting a small codebase. The presentation covered benefits of SPARK for verification and alternatives considered.
This document discusses the Common Criteria standard for information technology security evaluation (SNI ISO/IEC 15408). It provides an overview of the speaker's background and experience in information security standards. It then explains the Common Criteria standard, including the different parts that make up the ISO 15408 series (functional requirements, assurance requirements, etc.). It also discusses other related standards that could be included in Indonesia's national standards, such as frameworks for assurance and evaluation methodology.
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
The document discusses using SPARK for secure and safe firmware development. It notes that firmware is written mostly in C, which is prone to security vulnerabilities. SPARK aims to address this by using formal verification methods, improved static analysis, and developer contracts to find and prevent bugs. The document outlines NVIDIA's usage of SPARK for security processors and safety-critical code. While SPARK faces challenges regarding adoption due to its differences from C, NVIDIA is taking a phased approach to adoption by starting with proof of concepts and increasing usage over time for its most critical firmware components.
An approach towards sotif with ansys medini analyzeBernhard Kaiser
This presentation motivates what's so different about safety for automated vehicles and introduces the concept of SOTIF (Safety of the Intended Functionality) and the upcoming first industry standard PAS 21448 on SOTIF. After that, some ideas are given how the lessons from this new discipline can be put into an industry-applicable development process for automated driving functions, and how the safety engineering tool medini analyze can help engineers succeeding in their practical work. After the first set of intended safety analysis realisations in medini analyze has been presented, the slide show concludes with an outlook on possible future extensions, also involving a close integration of medin analyze with ANSYS' simulation capabilities for automated driving functions.
This document provides an overview of functional safety and the IEC 61511 standard. It discusses key aspects of IEC 61511 like safety integrity levels (SIL) which help provide protection against random and systematic failures. The document also summarizes exida, an expert in functional safety certification, and explains their various tools and services. It introduces the IEC 61511 safety lifecycle which includes phases for management and planning, analysis, realization, and operation and maintenance.
Would you like to know how SOTIF addresses possible hazards caused by intended behavior? Discuss the first draft of the SOTIF standard with international working group members and functional safety experts during the SOTIF Conference. Find out more here: http://bit.ly/SOTIF_Agenda_2019
This document provides an overview of the DIAMONDS project, which aimed to develop and apply multi-domain security testing technologies. It describes eight industrial case studies conducted across six domains to evaluate different security testing techniques, including risk analysis, fuzz testing, active testing, and autonomous monitoring. The case studies are evaluated using Security Testing Improvement Profiles (STIP) to analyze progress across key areas like risk assessment, test design, and test automation. The document highlights improvements achieved in all case studies and the project's contributions to research, commercialization, and standardization.
The document discusses safety instrumentation and safety integrity levels (SILs). It provides examples of major industrial accidents from 1974 to 2005 and their causes. These include failures of safety systems and instrumentation. The document then discusses key aspects of safety instrumented systems (SIS) such as their hardware components, separation from process controls, definition, and role in risk reduction. It introduces SIL ratings from 1 to 4 which define the reliability of a SIS based on its risk reduction factor and probability of failure on demand.
This document provides an introduction to methodologies for evaluating the safety integrity level (SIL) of safety instrumented functions (SIF) through determining the probability of failure on demand (PFD) of the SIF. It describes the safety lifecycle model and how SIL evaluation fits in. The document focuses on performance-based approaches for SIL evaluation and provides examples of SIS architectures without promoting any single methodology. It evaluates the whole SIF from sensors to final elements. The user is cautioned to understand the assumptions and limitations of the methodologies described.
The document describes a seminar on software for embedded safety critical systems held in Toulouse, France in January 2014. The seminar included 10 sessions covering various topics related to software in safety critical domains such as aeronautics, automotive, space, etc. The sessions addressed issues like software assurance levels, standards, development processes, verification, and new technologies. Experts from companies like Airbus, Continental, and ONERA presented on topics specific to their domains. The seminar aimed to discuss challenges in developing software for critical systems and recognize best practices defined in international standards.
Complying with New Functional Safety StandardsDesign World
The document is a presentation on complying with new functional safety standards. It discusses what functional safety is, what is happening in the functional safety market, what standards should be used for machines, and how to determine safety levels and perform calculations according to standards like ISO 13849-1 and IEC 62061. It provides an example of applying the standards to a dual channel emergency stop application and calculating the resulting safety integrity level.
The document discusses Safety Instrumented Systems (SIS) and the Safety Life Cycle as defined by ANSI/ISA 84.00.01-2004. It outlines the steps in the Safety Life Cycle from initial Hazard and Risk Assessment to determine Safety Instrumented Functions (SIFs) and required Safety Integrity Levels (SILs), to design, installation, and ongoing maintenance of SIS including functional proof testing. The Safety Life Cycle is meant to guide safety systems through all stages from initial assessment to eventual decommissioning to minimize risk in industrial processes.
Safety instrumented systems angela summers Ahmed Gamal
This document discusses safety instrumented systems (SIS), which are designed to respond to hazardous conditions in industrial plants. An SIS monitors for conditions that could become hazardous and responds by taking actions to prevent or mitigate hazards. Examples provided include a furnace that shuts off fuel valves in response to high pressure and a reactor that opens a coolant valve when temperature rises too high. The document outlines standards for good engineering practices in designing, implementing, and maintaining SIS according to lifecycle phases from planning and design to operations and auditing. Key aspects covered are managing risks to people and procedures, assessing and mitigating risk through assigning safety integrity levels, and proving that SIS designs achieve the desired safety functionality.
This position paper of the SIL Platform (www.nen.nl) indicates that it is common practice to operate process plants at maximum performance, optimum capacity and minimum risk levels. A Safety Integrity Level (SIL) is often determined through e.g. a Layer of Protection Analysis (LOPA) [1] [2]
[3], which is a means to quantify risks. However, LOPA is usually not the starting point for quantifying risks. This is often done with the use of a Risk Assessment Matrix (RAM). Contrary to LOPA and SIL, the use and type of RAM is not clearly pre-scribed or defined.
The intention of this guide is to provide guidance on RAM and show the relations between RAM, LOPA and SIL levels. What are the pitfalls? What is usually applied? What is often missed? It is not the intention to explain in detail the various available risk assessment techniques.
How to arrive at a SIL level in the correct manner leading to a qualitatively proper design and implementation is described in the EN-IEC 61511 standard [4]. Achieving a SIL requires amongst other aspects:
Correct identification of Safety Instrumented Functions (SIF)
Correct determination of required SIL rating of the various SIFs.
This guide strives to improve this quality by improving the quality of the risk assessment(s) providing input to the SIL determination. The targeted audience of this guide is the Dutch Process Industry Sector.
The document provides guidelines for developing safety cases to demonstrate that automotive systems are acceptably safe to operate. It discusses key concepts like argument layers and evidence tables that structure the safety argument. The guidelines are intended to help with ISO 26262 compliance by providing a common framework for explicit safety arguments, which lay out the rationale for safety requirements and evidence that the requirements are complete and implemented correctly. This approach aids communication, consistency, and third-party assessment of a system's safety.
A New Security Management Approach for Agile EnvironmentsPECB
The traditional approach for security management fails in agile development projects. We summarize the cause of this failure and propose a new Agile Security Engagement Model (ASEM) to solve the issues. This model is risk-driven, supportive and robust. It embraces important innovations, such as a security services catalogue and continuous monitoring. This way of working helps organizations to properly address information security in agile environments.
Main points that have been covered are:
• Four false assumptions that make the traditional security approach fail
• ‘Feet in the mud’ with the Agile Security Engagement Model (ASEM)
• Explanation of the innovations in this Agile Security approach
Presenter:
Pascal de Koning is qualified as Information Security professional. He has the wide experience as a consultant and fills in the role of the security officer at various companies. Pascal is an active member of the Security Forum of The Open Group.
Link of the recorded session published on YouTube: https://youtu.be/08Se5Ta65v8
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are handled.
A model based security requirements engineering frameworkIAEME Publication
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into mainstream requirements activities from the beginning. It then compares the proposed framework to Haley's framework.
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are treated.
Information Technology Security Techniques Evaluation Criteria For It Secrit...Vishnu Kesarwani
This document describes Part 3 of ISO/IEC 15408 (Common Criteria), which defines security assurance requirements. It establishes evaluation criteria for Protection Profiles and Security Targets, and presents Evaluation Assurance Levels (EALs) from EAL1 to EAL7 that define the ISO/IEC 15408 assurance scale. The document outlines the objectives, components, and increasing assurance provided at each EAL. The goal is to provide consumers, developers and evaluators a standard way to express and evaluate assurance requirements for IT systems and products.
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
Daniel Rohrer, VP of Software Product Security at NVIDIA, discussed NVIDIA's journey to adopting the SPARK subset of the Ada programming language and the AdaCore tooling for improving software security and safety. NVIDIA was motivated by increasing complexity of systems, criticality of failures, and limitations of existing techniques. They selected SPARK and AdaCore due to the decidable nature of the language, credible ecosystem, emphasis on provability over testing, ability to scale, and responsiveness of AdaCore. NVIDIA piloted the use of SPARK on firmware to gain security and safety benefits while targeting a small codebase. The presentation covered benefits of SPARK for verification and alternatives considered.
This document discusses the Common Criteria standard for information technology security evaluation (SNI ISO/IEC 15408). It provides an overview of the speaker's background and experience in information security standards. It then explains the Common Criteria standard, including the different parts that make up the ISO 15408 series (functional requirements, assurance requirements, etc.). It also discusses other related standards that could be included in Indonesia's national standards, such as frameworks for assurance and evaluation methodology.
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
The document discusses using SPARK for secure and safe firmware development. It notes that firmware is written mostly in C, which is prone to security vulnerabilities. SPARK aims to address this by using formal verification methods, improved static analysis, and developer contracts to find and prevent bugs. The document outlines NVIDIA's usage of SPARK for security processors and safety-critical code. While SPARK faces challenges regarding adoption due to its differences from C, NVIDIA is taking a phased approach to adoption by starting with proof of concepts and increasing usage over time for its most critical firmware components.
An approach towards sotif with ansys medini analyzeBernhard Kaiser
This presentation motivates what's so different about safety for automated vehicles and introduces the concept of SOTIF (Safety of the Intended Functionality) and the upcoming first industry standard PAS 21448 on SOTIF. After that, some ideas are given how the lessons from this new discipline can be put into an industry-applicable development process for automated driving functions, and how the safety engineering tool medini analyze can help engineers succeeding in their practical work. After the first set of intended safety analysis realisations in medini analyze has been presented, the slide show concludes with an outlook on possible future extensions, also involving a close integration of medin analyze with ANSYS' simulation capabilities for automated driving functions.
This document provides an overview of functional safety and the IEC 61511 standard. It discusses key aspects of IEC 61511 like safety integrity levels (SIL) which help provide protection against random and systematic failures. The document also summarizes exida, an expert in functional safety certification, and explains their various tools and services. It introduces the IEC 61511 safety lifecycle which includes phases for management and planning, analysis, realization, and operation and maintenance.
Would you like to know how SOTIF addresses possible hazards caused by intended behavior? Discuss the first draft of the SOTIF standard with international working group members and functional safety experts during the SOTIF Conference. Find out more here: http://bit.ly/SOTIF_Agenda_2019
This document provides an overview of the DIAMONDS project, which aimed to develop and apply multi-domain security testing technologies. It describes eight industrial case studies conducted across six domains to evaluate different security testing techniques, including risk analysis, fuzz testing, active testing, and autonomous monitoring. The case studies are evaluated using Security Testing Improvement Profiles (STIP) to analyze progress across key areas like risk assessment, test design, and test automation. The document highlights improvements achieved in all case studies and the project's contributions to research, commercialization, and standardization.
The document discusses safety instrumentation and safety integrity levels (SILs). It provides examples of major industrial accidents from 1974 to 2005 and their causes. These include failures of safety systems and instrumentation. The document then discusses key aspects of safety instrumented systems (SIS) such as their hardware components, separation from process controls, definition, and role in risk reduction. It introduces SIL ratings from 1 to 4 which define the reliability of a SIS based on its risk reduction factor and probability of failure on demand.
This document provides an introduction to methodologies for evaluating the safety integrity level (SIL) of safety instrumented functions (SIF) through determining the probability of failure on demand (PFD) of the SIF. It describes the safety lifecycle model and how SIL evaluation fits in. The document focuses on performance-based approaches for SIL evaluation and provides examples of SIS architectures without promoting any single methodology. It evaluates the whole SIF from sensors to final elements. The user is cautioned to understand the assumptions and limitations of the methodologies described.
The document describes a seminar on software for embedded safety critical systems held in Toulouse, France in January 2014. The seminar included 10 sessions covering various topics related to software in safety critical domains such as aeronautics, automotive, space, etc. The sessions addressed issues like software assurance levels, standards, development processes, verification, and new technologies. Experts from companies like Airbus, Continental, and ONERA presented on topics specific to their domains. The seminar aimed to discuss challenges in developing software for critical systems and recognize best practices defined in international standards.
Complying with New Functional Safety StandardsDesign World
The document is a presentation on complying with new functional safety standards. It discusses what functional safety is, what is happening in the functional safety market, what standards should be used for machines, and how to determine safety levels and perform calculations according to standards like ISO 13849-1 and IEC 62061. It provides an example of applying the standards to a dual channel emergency stop application and calculating the resulting safety integrity level.
The document discusses Safety Instrumented Systems (SIS) and the Safety Life Cycle as defined by ANSI/ISA 84.00.01-2004. It outlines the steps in the Safety Life Cycle from initial Hazard and Risk Assessment to determine Safety Instrumented Functions (SIFs) and required Safety Integrity Levels (SILs), to design, installation, and ongoing maintenance of SIS including functional proof testing. The Safety Life Cycle is meant to guide safety systems through all stages from initial assessment to eventual decommissioning to minimize risk in industrial processes.
Safety instrumented systems angela summers Ahmed Gamal
This document discusses safety instrumented systems (SIS), which are designed to respond to hazardous conditions in industrial plants. An SIS monitors for conditions that could become hazardous and responds by taking actions to prevent or mitigate hazards. Examples provided include a furnace that shuts off fuel valves in response to high pressure and a reactor that opens a coolant valve when temperature rises too high. The document outlines standards for good engineering practices in designing, implementing, and maintaining SIS according to lifecycle phases from planning and design to operations and auditing. Key aspects covered are managing risks to people and procedures, assessing and mitigating risk through assigning safety integrity levels, and proving that SIS designs achieve the desired safety functionality.
This position paper of the SIL Platform (www.nen.nl) indicates that it is common practice to operate process plants at maximum performance, optimum capacity and minimum risk levels. A Safety Integrity Level (SIL) is often determined through e.g. a Layer of Protection Analysis (LOPA) [1] [2]
[3], which is a means to quantify risks. However, LOPA is usually not the starting point for quantifying risks. This is often done with the use of a Risk Assessment Matrix (RAM). Contrary to LOPA and SIL, the use and type of RAM is not clearly pre-scribed or defined.
The intention of this guide is to provide guidance on RAM and show the relations between RAM, LOPA and SIL levels. What are the pitfalls? What is usually applied? What is often missed? It is not the intention to explain in detail the various available risk assessment techniques.
How to arrive at a SIL level in the correct manner leading to a qualitatively proper design and implementation is described in the EN-IEC 61511 standard [4]. Achieving a SIL requires amongst other aspects:
Correct identification of Safety Instrumented Functions (SIF)
Correct determination of required SIL rating of the various SIFs.
This guide strives to improve this quality by improving the quality of the risk assessment(s) providing input to the SIL determination. The targeted audience of this guide is the Dutch Process Industry Sector.
The document provides guidelines for developing safety cases to demonstrate that automotive systems are acceptably safe to operate. It discusses key concepts like argument layers and evidence tables that structure the safety argument. The guidelines are intended to help with ISO 26262 compliance by providing a common framework for explicit safety arguments, which lay out the rationale for safety requirements and evidence that the requirements are complete and implemented correctly. This approach aids communication, consistency, and third-party assessment of a system's safety.
A New Security Management Approach for Agile EnvironmentsPECB
The traditional approach for security management fails in agile development projects. We summarize the cause of this failure and propose a new Agile Security Engagement Model (ASEM) to solve the issues. This model is risk-driven, supportive and robust. It embraces important innovations, such as a security services catalogue and continuous monitoring. This way of working helps organizations to properly address information security in agile environments.
Main points that have been covered are:
• Four false assumptions that make the traditional security approach fail
• ‘Feet in the mud’ with the Agile Security Engagement Model (ASEM)
• Explanation of the innovations in this Agile Security approach
Presenter:
Pascal de Koning is qualified as Information Security professional. He has the wide experience as a consultant and fills in the role of the security officer at various companies. Pascal is an active member of the Security Forum of The Open Group.
Link of the recorded session published on YouTube: https://youtu.be/08Se5Ta65v8
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are handled.
A model based security requirements engineering frameworkIAEME Publication
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into mainstream requirements activities from the beginning. It then compares the proposed framework to Haley's framework.
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are treated.
A model based security requirements engineering frameworkiaemedu
This document presents a framework for security requirements engineering. It discusses how security requirements are often not properly considered early in the development process. It reviews related work on security requirements engineering, including a previous framework by Haley et al. that defined criteria for adequate security requirements. The proposed framework aims to improve on previous approaches by integrating security requirements elicitation and analysis into the core requirements engineering activities from the start. It then compares the proposed framework to Haley's framework, highlighting differences in how security requirements are handled.
The document discusses challenges with traditional security management approaches in agile development environments. It proposes a new Agile Security Engagement Model (ASEM) to address these challenges. ASEM involves making security experts part of the development team, adding security-related user stories, providing security building blocks through a service catalog, implementing detailed security policies when needed, classifying security measures to automate decisions, conducting daily automated security tests, and establishing continuous independent monitoring of the development process. The goal of ASEM is to take a hands-on approach to security and provide reusable security services, patterns and continuous monitoring to help address risks in an agile context where not all can be fully addressed.
Dynamic Validity Period Calculation of Digital Certificates Based on Aggregat...ijcisjournal
The paper proposes a method based on different security-related factors to dynamically calculate the validity period of digital certificates. Currently validity periods are most often defined statically without scientific justification. This approach is not sufficient to objectively consider the actual need for security. Therefore the approach proposed in this paper considers relevant security criteria in order to calculate a meaningful validity period for digital certificates. This kind of security assessment can be executed periodically in order to dynamically respond to changing conditions. Especially in the context of complex systems and infrastructures that have an increased need for security, privacy and availability this issue is highly relevant.
Comparitive Analysis of Secure SDLC ModelsIRJET Journal
The document compares three secure software development lifecycle (SDLC) models: McGraw's Touchpoints, OWASP's CLASP, and Microsoft's Security Development Lifecycle (SDL). It summarizes each model, noting that Touchpoints has 7 activities, CLASP has 24 activities, and SDL has 16 core activities. The document then compares the models based on number of activities, activity dependence, nature (heavyweight vs lightweight), and suitability for organization size. Overall, it provides a high-level overview and comparison of three approaches to incorporating security practices into the SDLC.
Enumerating software security design flaws throughout the SSDLCJohn M. Willis
A tool and methodology to enumerate security functional requirements arising in the solution space is described. A proof of concept tool for use by security architects and security engineers is described. The tool facilitates use of community-developed security requirements packages, security functional requirements, threat model taxonomy including mitigations. A risk-based decision making process is facilitated. Tool outputs used for change checklist, new test requirements, system security plan, risk decision documentation, deferred controls, and inherited controls.
Enumerating software security design flaws throughout the ssdlc cosac - 201...John M. Willis
A tool and methodology to enumerate security functional requirements arising in the solution space is described. A proof of concept tool for use by security architects and security engineers is described. The tool facilitates use of community-developed security requirements packages, security functional requirements, threat model taxonomy including mitigations. A risk-based decision making process is facilitated. Tool outputs used for change checklist, new test requirements, system security plan, risk decision documentation, deferred controls, and inherited controls.
This document provides a critical review of security certification from an economic perspective. It analyzes security certification using theories of transaction cost economics and principal-agent theory to understand information asymmetries in markets. The document also examines experiences with certification in other domains and assesses how current industrial automation security certification initiatives address past failures. It argues that while certification can help reduce information asymmetries, proper contractual incentives are also needed to fully address issues of adverse selection, moral hazard, and hidden intentions.
Security has always been a great concern for all software systems due to the increased incursion of the wireless devices in recent years. Generally software engineering processes tries to compel the security measures during the various design phases which results into an inefficient measure. So this calls for a new process of software engineering in which we would try to give a proper framework for integrating the security requirements with the SDLC, and in this requirement engineers must discover all the security requirements related to a particular system, so security requirement could be analyzed and simultaneously prioritized in one go. In this paper we will present a new technique for prioritizing these requirement based on the risk measurement techniques. The true security requirements should be easily identified as early as possible so that these could be systematically analyzed and then every architecture team can choose the most appropriate mechanism to implement them.
Application of the Common Criteria to Building Trustworthy Automotive SDLCSeungjoo Kim
Seungyeon Jeong, Sooyoung Kang, and Seungjoo Kim, "Application of the Common Criteria to Building Trustworthy Automotive SDLC", Proc. of The 19th ICCC 2020, The 19th International Common Criteria Conference, Virtual (online) Conference, November 16-18, 2020.
Security Introspection for Software ReuseIRJET Journal
1) The document examines the relationship between software reuse and security vulnerabilities by analyzing 1244 open-source projects.
2) The results indicate that the number of potential vulnerabilities in native and reused code is related to the scale of development. Additionally, the number of dependencies is closely related to the number of vulnerabilities.
3) Software reuse is neither a panacea that fully addresses vulnerabilities nor does it inherently lead to an excessive number; the relationship between reuse and security vulnerabilities depends on factors like the scale of the project.
The project title for this task force is “Cyber Security Maturity Model for Organizations”. Some of the
key things that you are going to learn from this presentation is:
The user organizations will learn, how to easily adapt a cyber security maturity assessmentmodel based on the widely accepted frameworks such as NIST CSF and ISO27001:2013
The readers will learn about the core information security domains and how to plan forsecurity activities around those core domains
The readers will learn how to prioritize the security budget and draw out the securitycontrol implementation roadmap for their organization
The readers will learn to apply a risk informed approach to information security for theirorganizations which can be used to educate about and sell security to their CEO’s and board members.
This document discusses safety standards for critical systems and proposes a new concept called Assured Reliability and Resilience Level (ARRL). It notes that while safety standards aim to reduce risk, their requirements differ across domains. The document argues that Safety Integrity Levels (SIL) alone are not sufficient and that Quality of Service is a more holistic criterion. It also notes standards provide little guidance on composing systems from components. The ARRL concept aims to address these issues and complement SIL by considering factors like component trustworthiness and fault behavior. The document suggests ARRL could help foster cross-domain safety engineering.
This document discusses security standards and methodologies. It provides an overview of organizations that create standards, what types of topics standards may cover, and why there are so many standards. It then summarizes some specific security standards and methodologies like ISO 17799, COBIT, OCTAVE, and others. The document aims to give an introduction to common security standards and considerations in developing standards.
The document provides security-focused stories and tasks for agile development teams to incorporate security into their processes. Section 2a lists 36 security stories with associated security tasks mapped to roles like architect, developer, and tester. The tasks are derived from common weaknesses and cover topics like input validation, output encoding, buffer management, and exception handling. Section 2b lists 17 ongoing operational security tasks classified by required/recommended. Section 3 lists 12 advanced tasks typically requiring security expert guidance.
SECURE SERVICES: INTEGRATING SECURITY DIMENSION INTO THE SA&D cscpconf
Services security is often assimilated to a set of software solutions (Firewall, data encryption.) but rarely consider the organizational security rules as a fundamental part of the Services security policy. With the increasing use of new Services architectures (Open Services architecture, distributed database, multi web server, multi-tier application servers) security leaks become crucial and every security problem is harmful to the organization business continuity. To reduce and detect major security risks at an earlier step of the Services project, our approach is based on different knowledge exchange between end users, analyst, designers and developers collaborating at the Services project. The knowledge is mainly oriented to the detection of weak signals inside the organization. In this paper, we present the different knowledge surroundings an Services project and a knowledge pattern structure that can be used for the formalization aspects of the established exchange that should be established during the Services project between the different participants
Similar to Safe & Sec Case Patterns (ASSURE 2015) (20)
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfflufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Safe & Sec Case Patterns (ASSURE 2015)
1. Kenji Taguchi@AIST
3rd International Workshop on Assurance Cases for Software-intensive Systems
(ASSURE) 2015
Safe & Sec Case Patterns
2015 September 22
National Institute of Advanced Industrial Science and Technology
Information Technology Research Institute
Software Analytics Research Group
Kenji Taguchi, Daisuke Souma, Hideaki Nishihara
2. Kenji Taguchi@AIST
General Background
• Many industrial sectors, which manufacture safety intensive systems
e.g., automotive, railway, etc., now face technical challenges how to
integrate and harmonize issues on safety in addition to security for
their systems.
• After the stuxnet incident, any safety critical systems, even not linked
to any network are under the imminent threats for security
vulnerabilities.
• Can we treat safety and security separately? Are there any interactions
between safety and security? The answer is YES and we need to
tackle issues how to integrate them.
• From safety point of view, security is of great importance. Since some
(safety-related) hazardous events (such as car crash, derailing, etc,.)
could be caused by hardware/software failures and/or malicious
attacks, thereby we need to identify and analyze potential
hazards/threats, their combinations and their associated risks in a
systematic way, and build a new assurance framework for safety and
security.
3. Kenji Taguchi@AIST
Background: Security in Automotive Industry
• The automotive industry has been experiencing sudden changes of
security demands.
– Markey report 2014
– Class action against Ford, GM and Toyota 2015
– Recall of Chrysler Jeep Cherokee 2015
– Spy Car Act bill 2015
Markey report Spy Car Act Bill
Class action Recall
4. Kenji Taguchi@AIST
• Many industrial sectors are standardizing safety and security standards.
• There are several critical issues in those standardizations:
• In most cases, harmonization of the both standards are neither well considered nor well
understood.
• Major stakeholders are becoming to aware that there are many critical issues involved in
how to harmonize both standards.
ARP 4754A
Safety
DO-326A
Security
ISO 26262
Safety
?
Security
IEC 62278
RAMS
IEC 62280
Security
Background: Security and Safety Standards
5. Kenji Taguchi@AIST
Background: Integrating standards for Automotive Case
ISO 26262
Safety
?
Security
IEC 62443 ISO/IEC 15408
J3061
Cybersecurity
Guidebook (SAE)
VDA (German Association
of the Automotive industry)
• Harmonized style is required
• Dual certification would be a challenge
Or
ISO 26262
Safety
Incorporate
Security features
• Interference analysis could not be sufficient.
• Certification cost would be more than doubled.
There are several possibilities at
what level this integration could be
achieved.
Otherwise
6. Kenji Taguchi@AIST
Background: SafSec Methodology and Automotive case
Def-Stan 00-56
Safety
ISO/IEC 15408
Security
Assurance Framework based on Dependability Case
ISO 26262
Safety Security
J3061
Cybersecurity
Guidebook (SAE)
Safety Case Cybersecurity Case
Possible Future
SafSec Standard/Guideline
Need a new assurance framework
based on Safety and Security
Cases?
+
7. Kenji Taguchi@AIST
Aims of Our Research
• Provide process patterns for the guidance on the design of the system development
process, which integrates safety and security engineering processes.
– There is no well-accepted development process which includes both safety and security
engineering so we presented some current practice/proposals in patterns.
– Process patterns are derived from an extensive survey on existing safety/security
standards/guidelines and research, and our experience with industrial partners in railway (and
automotive) industry.
– Limitations:
• Only dealt with at the early stage of the system development lifecycle.
• No evaluation has not been done yet.
• Provide case patterns derived from the process patterns, which provide the insight on
how a safety case and a security case could be constructed/integrated.
– Some assumption:
• In near future, many security standards would demand the submission of security cases.
– E.g., J-3061 “Cybersecurity guidebook for Cyber-physical automotive systems” by
SAE mentions on a cyber-security case.
• There would be a critical issue on how to integrate a safety case mandated by a safety
standard and a security case mandated by a security standard.
8. Kenji Taguchi@AIST
Assumption: Process level
• Only a part of safety concept phase is dealt with in this paper.
– E.g., Part 3 of ISO 26262, the safety concept phase.
Safety
concept
phase
ISO 26262
9. Kenji Taguchi@AIST
Basic Process Pattern
• Basic process is a very generic process commonly found in functional safety standards.
• No interactions between the security and safety processes.
• Assumption:
– Security process may have a identical process (functional security view).
10. Kenji Taguchi@AIST
Subordinate Process Pattern
• Some of activities related to security are subordinate to its counterparts in safety.
– Requirements:
• Need methodological supports, e.g, safety analysis method which also can analyze security threats.
• This view appears to be predominant in the safety critical systems community.
The above tree represents a methodological
support for the subordinate approach, which
integrates Fault Tree (FT) analysis with
Attack Tree (AT) analysis.
Steiner, M., Liggesmeyer, P.: Combination of Safety and Security Analysis - Find-
ing Security Problems That Threaten The Safety of a System.
11. Kenji Taguchi@AIST
Uni-Directional Reference Process Pattern
• Security and safety processes are separated but the security part will refer to some results of the safety part.
• This process pattern can be witnessed in the airworthiness security standard DO-326A.
• This process pattern is also safety pre-dominant, since information flows from safety to security.
– Remark:
• Bi-directional Reference Process Pattern could be possible, but it would be the most complex and the worst cost-effective process.
12. Kenji Taguchi@AIST
Interrelated (Independent) Process Pattern
• Security and safety processes run independently, but the trade-off analysis on risk reduction measures
(safety requirements) and mitigation methods (security requirements) should be carried out.
– It is witnessed in FP7 SESAMO Project.
• The aim of the analysis is to identify potential feature interaction between functional safety requirements
and security requirements.
– For instance, timing constraints on a functional safety requirement may be interfered by time-consuming encryption
mechanism of security requirement.
13. Kenji Taguchi@AIST
SafSec Process Pattern
• This process pattern is derived from the SafSec standard/guidelines by UK MOD and Praxis.
• The aim of this standard/guideline is to certify military equipment under the Def-Stan 00-56 (software
safety) and Common Criteria (security).
• It converges hazards and threats as losses, which is carried out at the Loss Op meeting, where security
experts and safety experts get together to merge hazards and threats.
14. Kenji Taguchi@AIST
Process Patterns (Remaining Issues)
• Evaluations on each process pattern is on-going work.
– This classification shows there would be several options how to integrate safety and
security engineering processes.
– Some evaluation criteria should be established.
• There are some other issues which do not explicitly appear in these
patterns.
– Integration of safety analysis and security analysis
– Integration of safety and security assessments.
• How can we uniformly assess safety risks and security risks even they are based on
different matrixes (integrity levels)?
– Analysis on feature interaction between safety and security
• For instance, could we effectively perform the trade-off analysis at this early stage?
• Since at this stage, safety and security requirements are still abstract and feature
interactions between them might not be clearly identified yet.
15. Kenji Taguchi@AIST
Safe & Sec Case Patterns
• *-cases are required for more than one system attribute.
– Existing *-cases
• Safety case
• Reliability and maintainability case
• Dependability case
• (Cyber) security case
• If more then one case is required, how to integrate them is of
great importance to practitioners.
• We will show how cases called Safe & Sec Case Patterns
could be provided which reflect process patterns presented on
the previous slides.
– These patterns are represented at the abstract level.
• The Safe & Sec Case Patterns are represented in GSN (Goal
Structuring Notation).
16. Kenji Taguchi@AIST
GSN (Goal Structuring Notation)
• A graphical notation for representing an argument (T. Kelly)
– GSN Community Standard Ver. 1.0
• Defines the full-specification of GSN
• Goal
•Goal which the systems should ensure
•Goal is further decomposed to sub-goals
•Context
•Any material (e.g., documents) under which
the argument holds
•Strategy
•Indicates how a goal is decomposed
•Solution
•Evidence which support the argument
Solution
Strategy
Goal Context
17. Kenji Taguchi@AIST
Subordinate Case Pattern
• This pattern is derived from the subordinate process pattern.
Safety analysis
Includes threat
analysis
All threat which
may cause hazards
are identified.
19. Kenji Taguchi@AIST
Related work
• Many works on safety cases
– No need to mention.
• A few work security cases
– Alexander, R., Hawkins, R., Kelly, T.: Security assurance cases:
Motivation and the state of the art
– Goodenough, J., Lipson, H.F.,Weinstock, C.B.: Arguing security -
creating security assurance cases.
• Interactions between safety case and security case
– Bloomfield, R.E., Netkachova, K., Stroud, R.J.: Security-informed
safety: If it‘s not secure, it's not safe.
• Build a safety case first and analyze the impact on that safety case from
security.
Our approach does not provide any means to analyze feature interactions between safety
and security, and only provides possible combinations in process and case patterns.
20. Kenji Taguchi@AIST
Conclusion
Our contributions are twofold:
Process patterns are provided which show how safety and security
processes could be integrated based on survey on existing standards
and research.
Case patterns are then derived from those process patterns.
These patterns would help practitioners working on safety critical
systems how to develop their own safety/security engineering
processes and what critical issues they should address.
Future work
In railway standards, it is not yet certain how a safety case (EN
50126/IEC 62278) could include security features. Our case patterns
show some baseline to fill this gap.
Currently we are planning to incorporate security features into CAA (The
Civil Aviation Authority)‘s safety case in a subordinate approach
IN-2014/184: Small Unmanned Aircraft: Congested Areas Case (CAOSC).
Operating Safety