SECURITY FUNCTIONAL REQUIREMENTS ANALYSIS FOR DEVELOPING
SECURE SOFTWARE
by
Dan Wu
A Dissertation Presented to the
FACULTY OF THE GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(COMPUTER SCIENCE)
May 2007
Copyright 2007 Dan Wu
Object Description
| Title | Security functional requirements analysis for developing secure software |
| Author | Wu, Dan |
| Author email | danwu@usc.edu |
| Degree | Doctor of Philosophy |
| Document type | Dissertation |
| Degree program | Computer Science |
| School | Viterbi School of Engineering |
| Date defended/completed | 2007-03-06 |
| Date submitted | 2007 |
| Restricted until | Unrestricted |
| Date published | 2007-04-23 |
| Advisor (committee chair) | Boehm, Barry |
| Advisor (committee member) | Medvidovic, Neno; Steece, Bert |
| Abstract | Research experience shows that security needs to be considered from the beginning of the software development life cycle to avoid expensive rework and reduce potential security vulnerabilities. Hence, defining the right set of security functional requirements (SFRs) and evaluated assurance level (EAL) becomes a critical task for developers when developing secure software. Much effort has been put into creating industry standards to provide a shared common base for stakeholders with concerns about security. One of these industry standards, which is used widely by both industry and government in many countries, is Common Criteria (CC). However, one of the drawbacks of Common Criteria is its inefficiency in use. Moreover, with limited project information in the early lifecycle phase, it is hard for developers with less security experience to select the right security requirements from those defined in CC. Extensions to it and experience from empirical studies of its use are needed to achieve a better and more efficient use of CC, which also benefits developers by saving their effort on security functional requirements definition. A thorough analysis has been done on a dataset consisting of the Security Target (ST) files of 242 security products published on the Common Criteria portal website. A mapping between security objectives and SFRs is presented, which can save much development effort by reducing the range of candidate SFRs when developers know the project's security objectives in the early phases. In cases where developers know only the product domain of the project, SFR patterns for nine different domains of security products are presented based on statistical results from the published 242 security products, which can be customized or directly used for a particular security application. 
The analysis results for correlations among SFR classes defined in CC and correlations among security objectives provide good guidance for developers in designing the architecture of security products. A trend shows that EAL tends to increase when the number of SFRs increases. This is not strongly proved by the current dataset, but it shows a research direction for further discussion and exploration in the future. To validate the correctness of the mapping scheme between security objectives and SFRs, each of the ST files is reviewed to find the consistencies and differences between the presented mapping scheme and the SFRs actually selected in the 242 security products with certain security objectives. A method is presented to evaluate the effectiveness of these security patterns, which developers can use as a factor when considering whether to apply the patterns in actual use. |
| Keyword | security; software engineering |
| Language | English |
| Part of collection | University of Southern California dissertations and theses |
| Publisher (of the original version) | University of Southern California |
| Place of publication (of the original version) | Los Angeles, California |
| Publisher (of the digital version) | University of Southern California. Libraries |
| Type | texts |
| Legacy record ID | usctheses-m446 |
| Rights | Wu, Dan |
| Repository name | Libraries, University of Southern California |
| Repository address | Los Angeles, California |
| Repository email | http://www.usc.edu/isd/libraries/services/ask_a_librarian/email/ |
| Filename | etd-Wu-20070423 |
| Archival file | uscthesesreloadpub_Volume51/etd-Wu-20070423.pdf |

