eXtreme Security Engineering K O N S T A N T I N B E Z N O S O V - - PowerPoint PPT Presentation

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A

eXtreme Security Engineering

K O N S T A N T I N B E Z N O S O V

D E P A R T M E N T O F E L E C T R I C A L A N D C O M P U T E R E N G I N E E R I N G http://www.ece.ubc.ca/~beznosov/

31 October 2003 eXtreme Security Engineering @ BizSec 2

What’s security engineering?

Development/integration of “security- intensive” solutions Examples

– Smart card device – Enterprise security

31 October 2003 eXtreme Security Engineering @ BizSec 3

What’s “good enough security”?

• “good enough” risk analysis
• “good enough” requirements

engineering

• “good enough” modeling
• “good enough” design,

development, composition

• “good enough” testing
• “good enough” assurance

Customer is comfortable with

31 October 2003 eXtreme Security Engineering @ BizSec 4

Premises and beliefs

• Customers cannot afford and/or

don’t want “absolute security”

– “good enough security” cannot be defined well enough a priory – No “good enough common criteria”!

• Uncertainty and change are

inevitable in security engineering projects

– “how to manage”, not “how to limit”

31 October 2003 eXtreme Security Engineering @ BizSec 5

Key points

• “good enough security”

– don’t define a priory – define as you go – let the customer(s) “define” and change it

• How?
• eXtreme Security Engineering (XSE)

– adoption of XP – benefits

• project success rate
• customer satisfaction
• “define” and adjust “good enough security” just-in-time
• position (i.e., speculation)

31 October 2003 eXtreme Security Engineering @ BizSec 6

Reasoning

• Why XP?

– ASD/XP

• “good enough” software
• short feedback loop

– software eng. ≈ security eng. – iterative and incremental development (IID) in non-software manufacturing

• XSE applicability

– scope – anticipated dificulties

31 October 2003 eXtreme Security Engineering @ BizSec 7

What’s XP?

small releases planning game user stories metaphor simple design tests refactoring pair programming continuous integration collective ownership

• nsite customer

31 October 2003 eXtreme Security Engineering @ BizSec 8

How short is feedback loop in XP?

31 October 2003 eXtreme Security Engineering @ BizSec 9

Why software eng. ≈ security eng.?

• 1. A system’s users seldom know exactly what

they want and cannot articulate all they know.

• 2. Even if we could state all requirements, there

are many details that we can only discover

• nce we are well into implementation.
• 3. Even if we knew all these details, as humans,

we can master only so much complexity.

• 4. Even if we could master all this complexity,

external forces lead to changes in requirements, some of which may invalidate earlier decisions.

Parnas and Clements, “A Rational Design Process: How and Why to Fake It”

31 October 2003 eXtreme Security Engineering @ BizSec 10

What’s XSE applicability scope?

• nonsafety-critical projects

– volatile requirements – development teams

• small
• skilled
• collocated
• Boehm and Turner

– size, criticality, dynamism, personnel, culture – incorporate agile and plan-driven approaches

31 October 2003 eXtreme Security Engineering @ BizSec 11

Anticipated difficulties

• analysis and testing
• refactoring

– COTS and hardware – “distributed undo”

• “no map”

31 October 2003 eXtreme Security Engineering @ BizSec 12

Conclusions

• adoption of XP to security eng.
• “embrace” changes

– extremely short feedback loop – higher success rate – better customer satisfaction

• customers drive “good enough security”
• benefits and applicability extrapolated

from XP

• expected difficulties
• idea/speculation