1

Security Requirements for the Prevention of Modern Software Vulnerabilities and a Process for Incorporation into Classic Software Development Lifecycles

Clagett II, Lee Manning 06 January 2010
Software vulnerabilities and their associated exploits have been increasing over the last several years - this research attempts to reverse that trend. Currently, security experts recommend that concerns for security start at the earliest stage possible, generally during the requirements engineering phase. Having a set of security requirements enables the production of a secure design and product implementation. Approaches for creating security requirements exist, but all have a similar limitation - a security expert is required. This research provides a set of software security requirements that mitigate the introduction of software vulnerabilities and reduce the need for security expertise. The security requirements can be implemented by software engineers with limited security experience, and be used with any computer language or operating system. Additionally, a tree structure, called the software security requirements tree (SSRT), is provided to support security requirement selection, based on project characteristics. A graphical interface for the SSRT is provided through a prototype Java tool, to support the identification and selection of appropriate software security requirements. This research also provides a set of security artifacts to support a comprehensive verification, validation, and testing (VV&T) strategy. Those artifacts are generic, and represent design and implementation elements reflecting software security requirements. The security artifacts are used in verification strategies to confirm their necessity and existence in the actual design and implementation products. / Master of Science
2

Assessing Security Vulnerabilities: An Application of Partial and End-Game Verification and Validation

Frazier, Edward Snead 02 June 2010
Modern software applications are becoming increasingly complex, prompting a need for expandable software security assessment tools. Violable constraints/assumptions presented by Bazaz [1] are expandable and can be modified to fit the changing landscape of software systems. Partial and End-Game Verification, Validation, and Testing (VV&T) strategies utilize the violable constraints/assumptions and are established by this research as viable software security assessment tools. The application of Partial VV&T to the Horticulture Club Sales Assistant is documented in this work. Development artifacts relevant to Partial VV&T review are identified. Each artifact is reviewed for the presence of constraints/assumptions by translating the constraints/assumptions to target the specific artifact and software system. A constraint/assumption review table and accompanying status nomenclature are presented that support the application of Partial VV&T. Both the constraint/assumption review table and status nomenclature are generic, allowing them to be used in applying Partial VV&T to any software system. Partial VV&T, using the constraint/assumption review table and associated status nomenclature, is able to effectively identify software vulnerabilities. End-Game VV&T is also applied to the Horticulture Club Sales Assistant. Base test strategies presented by Bazaz [1] are refined to target system-specific resources such as user input, database interaction, and network connections. Refined test strategies are used to detect violations of the constraints/assumptions within the Horticulture Club Sales Assistant. End-Game VV&T is able to identify violations of constraints/assumptions, indicating vulnerabilities within the Horticulture Club Sales Assistant. Addressing vulnerabilities identified by Partial and End-Game VV&T will enhance the overall security of a software system. / Master of Science
