TY - JOUR
T1 - CIA-level driven secure SDLC framework for integrating security into SDLC process
AU - Kang, Sooyoung
AU - Kim, Seungjoo
N1 - Funding Information:
This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government(MSIT) (No.2018-0-00532,Development of High-Assurance(≥ EAL6) Secure Microkernel).
Publisher Copyright:
© 2021, The Author(s), under exclusive licence to Springer-Verlag GmbH Germany, part of Springer Nature.
PY - 2022
Y1 - 2022
N2 - From the early 1970s, the U.S. government began to recognize that simple penetration testing could not assure the security quality of products. The results of penetration testing such as identified vulnerabilities and faults can vary depending on the capabilities of the team. In other words, the penetration testing team cannot assure that “vulnerabilities are not found” is equal to “product does not have any vulnerabilities”. So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed in a strict, systematic manner. The US government began to publish various standards related to development methodology and evaluation procurement systems, embedding the “Security-by-Design” concept from the 1980s. Security-by-Design involves reducing a product’s complexity by considering security from the early phase of the development life-cycle such as during the product requirements analysis and design phase to ultimately achieve trustworthiness of the product. Since then, the Security-by-Design concept has spread to the private sector, since 2002 this has often come in the form of Secure SDLC by Microsoft and IBM, this system is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the field because the standards or guidelines related to Secure SDLC contain only abstract and declarative content. Therefore, in this paper, we present a new framework that specifies the level of Secure SDLC desired by enterprises. We propose the CIA (functional Correctness, safety Integrity, security Assurance)-level based Security-by-Design framework which combines an evidence-based security approach standard with existing Secure SDLC. By using our methodology, we can quantitatively show any differences in Secure SDLC process level employed between the company in question one of its competitors. In addition, our framework is very useful when you want to build Secure SDLC in the field because you can easily derive detailed security activities and documents to build the desired level of Secure SDLC.
AB - From the early 1970s, the U.S. government began to recognize that simple penetration testing could not assure the security quality of products. The results of penetration testing such as identified vulnerabilities and faults can vary depending on the capabilities of the team. In other words, the penetration testing team cannot assure that “vulnerabilities are not found” is equal to “product does not have any vulnerabilities”. So the U.S. government realized that in order to improve the security quality of products, the development process itself should be managed in a strict, systematic manner. The US government began to publish various standards related to development methodology and evaluation procurement systems, embedding the “Security-by-Design” concept from the 1980s. Security-by-Design involves reducing a product’s complexity by considering security from the early phase of the development life-cycle such as during the product requirements analysis and design phase to ultimately achieve trustworthiness of the product. Since then, the Security-by-Design concept has spread to the private sector, since 2002 this has often come in the form of Secure SDLC by Microsoft and IBM, this system is currently being used in various fields such as automotive and advanced weapon systems. However, the problem is that it is not easy to implement in the field because the standards or guidelines related to Secure SDLC contain only abstract and declarative content. Therefore, in this paper, we present a new framework that specifies the level of Secure SDLC desired by enterprises. We propose the CIA (functional Correctness, safety Integrity, security Assurance)-level based Security-by-Design framework which combines an evidence-based security approach standard with existing Secure SDLC. By using our methodology, we can quantitatively show any differences in Secure SDLC process level employed between the company in question one of its competitors. In addition, our framework is very useful when you want to build Secure SDLC in the field because you can easily derive detailed security activities and documents to build the desired level of Secure SDLC.
KW - SDL (Security Development Lifecycle)
KW - SDLC (Software Development Life Cycle)
KW - Secure SDLC (Secure Software Development Life Cycle)
KW - Security engineering
KW - Security-by-Design
UR - http://www.scopus.com/inward/record.url?scp=85125752457&partnerID=8YFLogxK
U2 - 10.1007/s12652-021-03450-z
DO - 10.1007/s12652-021-03450-z
M3 - Article
AN - SCOPUS:85125752457
JO - Journal of Ambient Intelligence and Humanized Computing
JF - Journal of Ambient Intelligence and Humanized Computing
SN - 1868-5137
ER -