Security and Safety in the System Development Life Cycle - Introduction

Prepared by Carol Woody 1/15/04

Why are Security and Safety Important?

Just getting bits of information from one point to another is not sufficient. The information must also be accurate and complete, with an appropriate level of confidentiality. Unfortunately, few development efforts consider these simple yet complex issues. Safety and security are grouped into quality requirements within the realm of software development, along with dependability, productivity, reliability, maintainability, interoperability, and many other important qualities frequently referred to as the "-ilities" because most share an "ility" ending. Unlike functional requirements, which are primarily defined and controlled by the users and represent specific results or actions that are to happen, the "-ilities" more closely describe the manner in which a system is to perform. Quality requirements describe expected traits of the target system implementation.

Security and safety are often treated as synonymous within the realm of technology. In order to be secure, information and processes must be safe from harm. Some sources refer to issues of malicious intent as security related and issues linked to accidental harm as safety related. This distinction may not be useful when the impact of either intent is the same. Furthermore, other sources link security issues to the realm of technology and safety to the physical realm. As the physical world becomes increasingly dependent on technology and the technology becomes increasingly exposed to physical intrusion, many of these distinctions lose their value. When considering safety and security issues, it is the impact of failure that must be the focus. The safety or security failure will be triggered by an event (e.g., a hacker attack or a power failure) with some degree of certainty or likelihood.
It may be useful to distinguish between accidental and malicious intent of the event trigger if the impact and available protection options differ. Survivability, keeping an implemented system functioning even though degraded by an event, is another quality requirement that is closely linked to security and safety. Additional information on survivability research can be found at the CERT®/CC Web site (http://www.cert.org/nav/index_purple.html).

Isn't this Primarily an Operational Issue?

Operations support (titles may vary in each organization) is responsible for maintaining the technology infrastructure and communications environment for an organization. These roles may be handled internally or outsourced to a vendor or managed service provider. Security and safety needs usually form a major part of the operations support role; however, there is vast inconsistency in the application of standards and practices. Standards such as ISO17799, issued by the International Standards Organization, define good operational security practices that are necessary but not sufficient. The challenges and limitations of operational protection are summarized by Richard D. Pethia, Director of CERT®/CC, in a recent congressional testimony (http://www.cert.org/congressional_testimony/Pethia-Testimony-9-10-2003).

Internet connectivity is the common denominator for expanded communication opportunities and wide-ranging exploit potential. The infrastructure of the Internet was designed to inter-connect a vast group of participants into a fast, low-cost, easy-to-use communication environment. Operational security options (e.g., encryption and authentication mechanisms) were added as an afterthought when the high level of trust among all participants proved inappropriate.
For each of the past eight years, the Computer Security Institute (CSI), in collaboration with the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad, has published the Computer Crime and Security Survey documenting the high risk of cyber attacks in U.S. corporations, government agencies, financial institutions, medical institutions, and universities (http://www.gocsi.com). Analysis reports from the CERT®/CC, a program within the Software Engineering Institute at Carnegie Mellon University, indicate substantial growth in the level of impact for each major attack, based on increasingly sophisticated attack tools available to a wide-ranging base of participants. Additional information on incident and vulnerability trends is available on the CERT Web site (http://www.cert.org/present/cert-overview-trends/).

Building Systems for Security and Safety

Design and coding vulnerabilities have been in software since the first code was developed, but techniques to exploit these vulnerabilities with widespread impact are recent phenomena. Exploitation tools are improving at the same time as implemented systems are increasing in complexity. An implemented system has become a collection of components linked together to share data and manage a wide array of organizational functions. The components can include vendor-supplied tools such as database management systems, document management systems, business rules engines, and reporting tools. Vendor-developed products such as accounting packages and billing packages may be combined with Web pages, remote-mounted files, and interface modules to handle a business process. These components may be distributed across several operational environments and provide functionality to local, remote, and mobile users. Each component has a set of features and errors that can allow a security or safety failure if triggered by the right set of circumstances and events.
The entire system must be designed to maintain appropriate security and safety requirements across all of the components, or a failure at one point will compromise all components. Just as no physical lock can resist a determined crook, there is no perfect security or safety that will withstand any possible combination of events. Appropriate security and safety requirements must include means to recognize, resist, and recover from a compromising event. The system must be designed to work within the operational support environment where it is to reside. Otherwise, techniques used by operational support staff to perform their role may counteract internal system mechanisms, resulting in overall increased vulnerability. Operational support can no longer provide sufficient levels of security and safety unless systems are designed to meet specific safety and security requirements.

Mechanisms for Improving Safety and Security at Implementation

Increased consideration of security and safety within each step of the development process can reduce the impact of safety or security events at a reduced cost. Tools and techniques used within the operational environment, such as risk and vulnerability assessments, can be tailored to apply within the development environment and increase the likelihood of improvement. At the start, clearly define the security and safety requirements for a system. Consider the following types of questions.
Be sure to include resources familiar with the challenges and limitations of operational support for the target infrastructure in the requirements development process. A risk assessment of the planned operational system should be performed prior to the acquisition of critical software components. It is not sufficient for each individual component to have good security and safety capabilities. All of the components must work together to provide an effective level of security and safety across the entire system. Evaluate the known vulnerabilities for vendor-developed components planned for use in the target system. Determine with operational support whether an acceptable level of security and safety can be established prior to selection. Remove potential security and safety loopholes by eliminating coding errors and constructing code that executes with predictability and dependability. Incorporate sufficient validation of system security and safety requirements in pre-implementation testing. The test environment must include the actual components to be used in the target implementation. Testing resources must have sufficient security and safety expertise to construct and validate effective test cases.

Aim for Prevention

While it is not easy, efforts to improve the security and safety of systems before implementation are extremely important. Information is included in this section of IEEE Online to assist you in this endeavor.
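As an added worked example (not from the original article), the following Python block makes two of the article's points concrete in a form that pre-implementation testing can check: the introduction's observation that moving bits from one point to another is not enough, because the information must also be accurate and complete, and the requirement that a system recognize, resist, and recover from a compromising event. Each fragment of a message is sealed with an HMAC over its sequence number, fragment count, and payload, so the receiver can recognize an inaccurate (modified or forged) fragment, resist it by refusing to assemble the message, and recover from an incomplete transfer by naming exactly the fragments to request again. The shared key, fragment layout, and function names are constructed for this example; payload confidentiality (encryption) is left out so the block stays within the standard library.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed shared secret for the example only; a real system would
# provision it out of band and never hard-code it.
KEY = b"constructed-demo-key-do-not-reuse"


def seal_fragment(seq: int, total: int, payload: bytes) -> dict:
    """Sender side: bind sequence number, fragment count and payload under one MAC."""
    header = f"{seq}:{total}:".encode()
    tag = hmac.new(KEY, header + payload, hashlib.sha256).hexdigest()
    return {"seq": seq, "total": total, "payload": payload.hex(), "tag": tag}


def send_message(message: bytes, fragment_size: int = 8) -> List[dict]:
    """Split a message into sealed fragments (constructed transport, no network)."""
    chunks = [message[i:i + fragment_size]
              for i in range(0, len(message), fragment_size)] or [b""]
    return [seal_fragment(i, len(chunks), c) for i, c in enumerate(chunks)]


def receive_message(fragments: List[dict]) -> Tuple[str, Optional[bytes], List[int]]:
    """Receiver side. Returns (status, message, missing_seqs).

    status is "ok", "tampered" (accuracy failure: a MAC did not verify), or
    "incomplete" (completeness failure: sequence numbers are missing).
    missing_seqs lists what to request again, so the receiver can recover
    instead of silently accepting a partial message.
    """
    accepted: Dict[int, bytes] = {}
    total: Optional[int] = None
    for frag in fragments:
        payload = bytes.fromhex(frag["payload"])
        header = f"{frag['seq']}:{frag['total']}:".encode()
        expected = hmac.new(KEY, header + payload, hashlib.sha256).hexdigest()
        # Recognize: constant-time comparison flags any modified or forged fragment.
        if not hmac.compare_digest(expected, frag["tag"]):
            return "tampered", None, []          # Resist: assemble nothing
        if total is None:
            total = frag["total"]
        elif total != frag["total"]:
            return "tampered", None, []          # inconsistent fragment counts
        accepted[frag["seq"]] = payload
    if total is None:
        return "incomplete", None, []            # nothing arrived at all
    missing = [s for s in range(total) if s not in accepted]
    if missing:
        return "incomplete", None, missing       # Recover: ask for exactly these
    return "ok", b"".join(accepted[s] for s in range(total)), []


if __name__ == "__main__":
    # Constructed message; fragments may arrive in any order and still reassemble.
    msg = b"constructed message for demo"
    frags = send_message(msg)
    print(receive_message(list(reversed(frags)))[0])   # ok
    frags[1]["payload"] = b"XXXXXXXX".hex()            # simulate a corrupted fragment
    print(receive_message(frags)[0])                   # tampered
    print(receive_message(send_message(msg)[:2]))      # incomplete, missing [2, 3]
```

The point for the testing guidance above is that each requirement maps to an observable outcome: "accurate" is a MAC that verifies, "complete" is an empty missing list, and "recover" is a concrete list of fragments to re-request. Those outcomes are what a test case can assert on, which is what makes a security requirement validatable before implementation rather than a sentence in a document.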
