A new approach to develop a dependable security case by combining real life security experiences (lessons learnt) with D-Case development process

摘要

Our daily life reliance on software systems is growing for the purpose of convenience, efficiency, and security. Modern systems runs for long periods of time and are being constantly improved in service objectives and users' requirements under evolving technologies and changing regulations/standards. At the same time, these systems have become extremely complex. Dependability of these software systems cannot be achieved only by using conventional technologies, such as software processes and/or Formal Methods. It also needs software assurance case, which in this paper we refer to it as dependability (assurance) case or simply D-Case. Most often is the fact that D-Case (an extension form of assurance case) is most commonly associated with the safely aspect of dependability that covers the realm of dependable software application systems, embedded operating systems, information systems and so on. Because of this regard, safety cases are quite well known in comparison to other aspects of dependability like availability, integrity and confidentiality which are all co-related to security. On the other hand, D-Case has never been used in security and therefore holds the motivation behind this paper. By combining our knowledge of networking system together with our research result on the issue of security, it was found that there is guidance available, and there have been some promising experiments on the creation of security cases, although these guidance and experiments are not well documented to cover the realm of information and industrial networking systems, which this paper is about.