Vulnerability and Risk Analysis Methods and Application in Large Scale Development of Secure Systems

Since software products are heavily used in today’s connected society, design and implementation of such software products to make them resilient to security threats become crucial. This thesis addresses some of the challenges faced by software vendors when developing secure software. The approach is to reduce the risk of introducing security weaknesses to software products by providing solutions that support software developers during the software lifecycle. Software developers are usually not security experts. However, there are methods and tools, such as the ones introduced in this thesis, that can help developers build more secure software. The research is performed with a design science approach, where the risk reducing method is the artifact that is iteratively developed. Chronologically, the research is divided into two parts. The first part provides security models as a means of developing a detailed understanding of the extent of potential security issues and their respective security mitigation activities. The purpose is to lower the risk of introducing vulnerabilities to the software during its lifecycle. This is facilitated by the Sustainable Software Security Process (S3P), which is a structured and generally applicable process aimed at minimizing the effort of using security models during all phases of the software development process. S3P achieves this in three steps. The first step uses a semi-formal modeling approach and identifies causes of known vulnerabilities in terms of defects and weaknesses in development activities that may introduce the vulnerability in the code. The second step identifies measures that if in place would address the causes and eliminate the underlying vulnerability and support selection of the most suitable measures. The final step ensures that the selected measures are adopted into the development process to reduce the risk of having similar vulnerabilities in the future. Collaborative tools can be used in this process to ensure that software developers who are not security experts benefit from application of the S3P process and its components. For this thesis, proof-of-concept versions of collaboration tools were developed to support the three steps of the S3P. We present the results of our empirical evaluations on all three steps of S3P using various methods such as surveys, case studies and asking for expert opinion to verify that the method is fully understandable and easy to perform and is perceived by developers to provide value for software security. The last contribution of the first part of research deals with improving product security during requirements engineering through integration of parts of S3P into Common Criteria (CC) and in this way to improve the accuracy of CC through systematically identifying the security objectives and proposing solutions to meet those objectives using S3P. The review and validation by an industrial partner leading in the CC area demonstrate improved accuracy of CC. Based on the findings in the first part of the research, the second part focuses on early phases of software development and vulnerability causes originating from requirements engineering. We study the challenges associated with introducing a specific security activity, i.e., Security Risk Assessment (SRA), into the requirements engineering process in a large-scale software development context. Specific attention is given to the possibility of bridging the gap between developers and security experts when using SRA and examines the pros and cons of organizing personnel working with SRA in a centralized, distributed, or semi-distributed unit. As the journey of changing the way of working in a large corporation takes time and involves many factors, it was natural to perform a longitudinal case study - all the way from pilot studies to full-scale, regular use. The results of the case study clarify that introduction of a specific security activity to the development process must be evolved over time in order to achieve the desired results. The present design of the SRA method shows that it is worthwhile to work with risk assessment in the requirements phase with all types of requirements, even at a low level of abstraction. The method aligns well with a decentralized, agile development method with many teams working on the same product. During the study, we observed an increase in security awareness among the developers in the subject company. However, it was also observed that involvement of security experts to ensure acceptable quality of the risk assessment and to identify all risks cannot be totally eliminated.Funding agencies: National Graduate School of Computer Science in Sweden (CUGS) and the European Community’s Seventh Framework Program (FP7/2007-2013, grant agreement no 215995).