COLLABORATIVE SECURITY ASSESSMENTS IN EMBEDDED SYSTEMS DEVELOPMENT - The ESSAF Framework for Structured Qualitative Analysis

Friedrich Köster, Michael Klaas, Hanh Quyen Nguyen, Walter Brenner, Markus Braendle, Sebastian Obermeier

Abstract

The standardization of network protocols and software components in embedded systems development has introduced security threats that have been common before in e-commerce and office systems into the domain of critical infrastructures. The ESSAF framework presented in this paper lays the ground for collaborative, structured security assessments during the design and development phase of these systems. Its three phases system modeling, security modeling and mitigation planning guide software developers in the independent assessment of their product’s security, minimizing the burden on security experts in the collection of security relevant data.

References

  1. Alberts, C. and A. Dorofee (2001). OCTAVE Method Implementation Guide Version 2.0. Pittsburgh, PA, USA.
  2. Alberts, C., A. Dorofee, et al. (2003). "Introduction to the OCTAVE Approach." Retrieved 2007-03-05, from http://www.cert.org/octave/approach_intro.pdf.
  3. Bishop, M. and H. Armstrong (2005). Uncovering Assumptions in Information Security. WISE4 Forth World Conference "Information Security Education". Moscow, Russia, Moscow Engineering Physics Institute (State University): 223-231.
  4. Byres, E. and J. Lowe (2004). 'The Myths and Facts behind Cyber Security Risks for Industrial Control Systems'. VDE Congress. Berlin.
  5. Dzung, D., M. Naedele, et al. (2005). "Security for Industrial Communication Systems," Proceedings of the IEEE, 93 (6): 1152-1177.
  6. Howard, M. and S. Lipner (2006). The Security Development Lifecycle, Microsoft Press, Redmond, WA.
  7. Igure, V. M., S. A. Laughter, et al. (2006). "Security issues in SCADA networks," Computers & Security, 25 (7): 498- 506.
  8. ISO/IEC (2005). 27002:2005 Information Technology. Code of Practice for Information Security Management. Geneva, Switzerland, International Organization for Standardization (ISO).
  9. Kailay, M. P. J., Peter (1995). "RAMeX: a prototype expert system for computer security risk analysis and management," Computers & Security, 14 (5): 449-463.
  10. Ma, Q. (2004). A study on information security objectives and practices. Department of Management. Illinois, Southern Illinois University.
  11. Mell, P., K. Scarfone, et al. (2007). CVSS - A Complete Guide to the Common Vulnerability Scoring System, Version 2.0.
  12. Naedele, M. (2007). Addressing IT Security for Critical Control Systems. 40th Hawaii Int. Conf. on System Sciences (HICSS-40). Hawaii.
  13. Ralston, P. A., J. H. Graham, et al. (2007). "Cyber security risk assessment for SCADA and DCS networks," ISA Transactions, 46 (4): 583-594.
  14. Schuette, R. and T. Rotthowe (2004). "The Guidelines of Modeling - An Approach to Enhance the Quality in Information Models," Lecture Notes in Computer Science, 1507: 240-254.
  15. Standards Australia & Standards New Zealand (SA/SNZ) (2000). AS/NZS 7799.2:2000 Information Security Management. Homebush, Australia; Wellington, NZ, Standards Australia & Standards New Zealand.
  16. Steffan, J. and M. Schumacher (2005). 'Collaborative Attack Modeling'. ACM Symposium on Applied Computing. 2005-03-13.
  17. Swiderski, F. and W. Snyder (2004). Threat Modeling, Microsoft Press, Redmond, WA.
  18. Tolbert, G. D. (2005). "Residual Risk Reduction," Professional Safety, 50 (11): 25-33.
  19. Viega, J., J. T. Bloch, et al. (2000). 'ITS4: A static vulnerability scanner for C and C++ code'. 16th Annual Computer Security Applications Conference (ACSAC'00). New Orleans, Louisiana.
  20. Vraalsen, F., F. den Braber, et al. (2004). The CORAS toolsupported methodology for UML-based security analysis. Trondheim, Norway, SINTEF.
Download


Paper Citation


in Harvard Style

Köster F., Klaas M., Quyen Nguyen H., Brenner W., Braendle M. and Obermeier S. (2009). COLLABORATIVE SECURITY ASSESSMENTS IN EMBEDDED SYSTEMS DEVELOPMENT - The ESSAF Framework for Structured Qualitative Analysis . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 305-312. DOI: 10.5220/0002189903050312


in Bibtex Style

@conference{secrypt09,
author={Friedrich Köster and Michael Klaas and Hanh Quyen Nguyen and Walter Brenner and Markus Braendle and Sebastian Obermeier},
title={COLLABORATIVE SECURITY ASSESSMENTS IN EMBEDDED SYSTEMS DEVELOPMENT - The ESSAF Framework for Structured Qualitative Analysis},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={305-312},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002189903050312},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - COLLABORATIVE SECURITY ASSESSMENTS IN EMBEDDED SYSTEMS DEVELOPMENT - The ESSAF Framework for Structured Qualitative Analysis
SN - 978-989-674-005-4
AU - Köster F.
AU - Klaas M.
AU - Quyen Nguyen H.
AU - Brenner W.
AU - Braendle M.
AU - Obermeier S.
PY - 2009
SP - 305
EP - 312
DO - 10.5220/0002189903050312