Researcher: Curtis Busby-Earle

"Developing More Secure Software Systems"

Curtis Busby-Earle

Department of Computing

Software security requirements are seldom explicitly stated at the outset of a project. Although a requirements engineer has the task of specifying what an intended software system should do, the engineer is not expected to be a security expert. Security is usually grouped with, and considered as, a non-functional requirement. Non-functional requirements have traditionally been included during the coding, implementation or maintenance stages of software development, that is, at the end of the development process. Studies have shown that addressing security and other concerns at the earliest stages of software development reduces the time, cost and effort required to integrate these features into software systems at the time of creation.

Security considerations in software development require that terms have precise meanings when requirements are developed, in particular for the process of identifying potential vulnerabilities in software systems during requirements engineering. In this research project, Dr. Busby-Earle suggests that such precision can be achieved using a consistent description of requirements terms. The number and variety of terms are, however, potentially large owing to synonymity. For example, "edit", "change" and "modify" all have similar meanings. Therefore, rather than attempt to describe every term, the researcher recommends a model that specifies the terms used by a requirements engineer and incorporates security considerations.

The primary issue with incorporating aspects related to the security of a system during the requirements engineering process is that they typically remain unstated or unrecorded, that is, they are included implicitly. A system's security requirements therefore tend to be excluded from requirements specifications, or become the subject of assumptions by members of development teams. What engineers and developers alike assume, in part because of implicit requirements, can (and often does) lead to varied interpretations of the explicit requirements. Implicit requirements should be made explicit.

The researcher has developed a technique that provides a means by which the knowledge of security experts can be captured, retained, used, refined and shared among requirements engineers and other software engineering practitioners. The expertise is captured in the form of a type of dependency between requirements, a dependency that the researcher has imposed. The technique is incorporated into a less subjective approach to uncovering potential vulnerabilities, one that can augment approaches relying on human expertise. This approach is based on the discovery of loopholes, using an algorithm that the researcher has developed. Loopholes are unknown, reachable paths that would exist if a system were built in accordance with the requirements document as it stood before the algorithm was applied.
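The following is an added illustration of the idea described above, written for this page; it is not Dr. Busby-Earle's algorithm or prototype tool, whose details the page does not give. It models a requirements document as a hypothetical set of functional requirements that enable one another, captures an expert's knowledge as imposed dependencies ("editing a profile must be reached through logging in"), and treats a loophole as any path from the entry requirement to a sensitive requirement that never passes through its imposed guard. A second function makes the implicit dependency explicit by rerouting the offending edges through the guard, and the check is re-run to confirm the loophole is gone. All requirement names and the rerouting rule are constructed assumptions.

```python
# Constructed sample requirements document (hypothetical): each functional
# requirement id maps to the requirements that become available once it is met.
REQUIREMENTS = {
    "R1 start session":    ["R2 log in", "R3 browse catalogue"],
    "R2 log in":           ["R4 view account", "R5 edit profile"],
    "R3 browse catalogue": ["R6 add to basket"],
    "R6 add to basket":    ["R7 checkout"],
    "R7 checkout":         ["R5 edit profile"],   # implicit shortcut nobody wrote down
    "R4 view account":     [],
    "R5 edit profile":     [],
}

# Security expert's knowledge captured as imposed dependencies (assumed form):
# sensitive requirement -> the requirement it must always be reached through.
IMPOSED_DEPENDENCIES = {
    "R5 edit profile": "R2 log in",
    "R4 view account": "R2 log in",
}


def find_loopholes(reqs, imposed, entry):
    """Return {sensitive requirement: [path, ...]} for every simple path from
    `entry` to a guarded requirement that does not pass through its guard."""
    loopholes = {}
    for target, guard in imposed.items():
        paths = []
        stack = [(entry, [entry])]          # depth-first enumeration of simple paths
        while stack:
            node, path = stack.pop()
            if node == target:
                paths.append(path)
                continue
            for nxt in reqs.get(node, []):
                if nxt == guard or nxt in path:   # never walk through the guard
                    continue                      # and never revisit a node
                stack.append((nxt, path + [nxt]))
        if paths:
            loopholes[target] = paths
    return loopholes


def make_explicit(reqs, imposed):
    """Return a copy of `reqs` in which every edge into a guarded requirement
    that bypasses its guard is rerouted through the guard (constructed rule)."""
    fixed = {k: list(v) for k, v in reqs.items()}
    for target, guard in imposed.items():
        fixed.setdefault(guard, [])
        if target not in fixed[guard]:
            fixed[guard].append(target)   # the guard must be what enables the target
        for node, enabled in fixed.items():
            if node != guard and target in enabled:
                rerouted = [guard if r == target else r for r in enabled]
                seen = set()              # de-duplicate while preserving order
                enabled[:] = [r for r in rerouted if not (r in seen or seen.add(r))]
    return fixed


if __name__ == "__main__":
    found = find_loopholes(REQUIREMENTS, IMPOSED_DEPENDENCIES, "R1 start session")
    for target, paths in found.items():
        for p in paths:
            print("loophole reaching", target, ":", " -> ".join(p))
    repaired = make_explicit(REQUIREMENTS, IMPOSED_DEPENDENCIES)
    print("loopholes after making dependencies explicit:",
          find_loopholes(repaired, IMPOSED_DEPENDENCIES, "R1 start session"))
```

Run as written, the check reports one loophole, the checkout path that lands on "edit profile" without ever passing "log in", and reports none once the rerouted document is checked again. The point the example makes is the one the paragraph makes: the vulnerability is not in any single requirement but in a reachable path that the document permits and nobody stated, and recording the expert's dependency explicitly is what lets a tool find it.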

The initial results of this project have demonstrated that the technique can assist engineers in their task of considering security concerns at the earliest stages of software development. A prototype tool that automates the steps of this algorithm has been built. It is envisioned that the technique and its tool will provide a means by which practitioners can develop more secure and robust software systems. An important planned feature of the tool is the ability to provide a security assurance rating of proposed systems. This rating will assert that the requirements engineers of a proposed system have satisfactorily considered and addressed particular classes of vulnerabilities during the design process.

Most recently, Dr. Busby-Earle has partnered with colleagues at Colorado State University, USA, to further develop the technique. From this collaboration a technical paper on the research was published in November 2013.

Dr. Curtis Busby-Earle is a Lecturer in the Department of Computing. His primary areas of research interest are Software Engineering and Software Security.
