Extracting security control requirements
Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Reasoning about policy noncompliance
Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Reducing the footprint of certifiable health software during early stage development
Proceedings of the 3rd Workshop on Software Engineering in Health Care
| Hi-index | 0.00 |
While COTS products can be made secure and reliable within a individual domains, they may introduce security vulnerabilities when integrated with other components due to different security expectations. These problematic interactions within an integrated system can be hidden among the multiple, contributing policy types. Furthermore, security certification criteria governing the integrated system can introduce conflicts with local component policies. Security policies and certification criteria lack a common representation. Security policies use various formats and levels of granularity without comparable attributes. Certification criteria are often text-based checklists. We outline a policy configuration model to represent security policies in a format which can manifest conflicting properties across policy specifications. The model defines security policies according to fundamental attributes of property assertions, observable behaviors, mechanisms, constraints, communication and interaction expectations, dependencies on other policies, system configuration, and component state. We extend model expression concepts to incorporate requirements based on common certification criteria.