Communications of the ACM

Taxonomy of Security Considerations and Software Quality


Today's software often has countless intricate interdependencies on modern operating systems, other enterprise applications (including databases and legacy systems), and the high-speed networking infrastructure. It is within such highly integrated information technology environments that software security is becoming a focal point for designing, developing, and deploying software applications [2, 4, 7].

With such intertwined dependencies between various enterprise application components, a security compromise in any one of the components adversely affects the operating functionality of the software. Software security, therefore, needs to be considered from the very beginning of the software development cycle. Security of all dependencies needs to be considered within the context of risks assessed and the necessary quality and architectural analysis undertaken. Contemporary enterprises can no longer afford to consider software security only after the application has been constructed: irreparable security compromises may have already been exposed, and fixing such problems requires tremendous effort and resources [3, 8].

Recent security compromises of widely distributed software such as Web browsers, operating systems, and application software have caused widespread enterprisewide outages and are closely monitored. The majority of these compromises can be attributed to one or more weaknesses within the integral components that make up the software. For instance, the SSL secret-key generation compromise (deSSL, [7]) can be attributed to assumptions about the random seed used and to the perceived degree of randomness of the key seeds as provided by the operating system (Unix variants). The random-key generation scheme itself was theoretically strong; the exposure came from the supporting data.


Dimensions of Software Quality

In order to properly discuss the threat that security-related risks pose to the overall quality of the target software system, we must first delineate the various aspects of quality that may be affected. For the purpose of our analysis, we adopt McCall's commonly used framework of software quality factors, as shown in the figure [6].

Although security considerations need to be evaluated throughout the entire software development process, the McCall quality factors that apply to security risks are exclusively operational. Aspects of software quality such as portability and flexibility are crucial to the study of overall software quality, but security threats and risks specifically target the software's operational capabilities. The categories shown in the lower portion of the figure are described in further detail as follows:

  • Correctness is the extent to which a program satisfies its specification and fulfills the customer's functional objectives, so that the system behaves correctly in the prescribed situation.
  • Reliability is the extent to which a program can be expected to perform its intended function with the required precision and is available during the expected time periods.
  • Efficiency is the amount of computing resources and interactions required by a program to perform its function.
  • Integrity is the extent to which access to software or data by unauthorized persons is controlled, and to which the software or data remain verifiable throughout their lifetime.
  • Usability is the time and resources required to learn, operate, prepare input for, and interpret the output of a program.


Security Risks

Our study outlines various classes of security-related risks and threats that need to be considered during the design phase of the software development process. The universe of software risks and threats is divided into three categories based on their target of attack: the Application layer, the Platform layer, and the Network layer. Application-layer compromises are a class of security risks that focus on attacking the application software itself. Well-known examples of such threats include HTTP-based denial-of-service attacks that attempt to disable a Web server's ability to handle any legitimate requests. Platform-layer compromises include all risks and attacks that focus on the underlying platform or operating layer, such as attempts to gain unauthorized administrator access on Unix or Windows NT-based systems [9]. Network-layer threats and risks generally deal with the underlying telecommunication and network elements such as routers, switches, and gateways. Examples of this class of threat include forging the originating IP address and attempting to flood a network with large amounts of bogus packets in the hope of disabling the entire network at the network router element (for example, SynFlood [5]).

Application-layer risks and threats include:

  • Credential Theft describes the type of threat in which an attacker gains unauthorized access to the application without the consent of the responsible entity.
  • Functional Manipulation is the type of attack in which the intruder manipulates the functionality of the software in such a manner as to be able to access functionality to which the intruder is not entitled.
  • Data Exposure/Manipulation is the type of risk in which sensitive data or information is accessible or modified by entities not entitled to be interacting with such information.
  • Application Denial of Service is the type of risk in which an intruder can either disable or dramatically reduce the performance of the application.

Platform-layer risks and threats include:

  • Unauthorized Administration Access is the type of attack in which an unauthorized party gains administrative access, and therefore becomes able to access or modify managerial functions.
  • System Denial of Service is the type of threat in which an intruder can either disable or dramatically reduce the overall performance of the underlying system.
  • Application Modification is the type of attack in which malicious parties modify the data or the execution code of an application so that the application does not behave as intended.

Network-layer risks and threats include:

  • Network Denial of Service refers to an attack in which the underlying network is either disabled or its performance is dramatically reduced.
  • Network Exposure is the type of threat in which network traffic is accessible to parties not normally entitled to such access.
  • Network Credential Theft is an intrusion in which an unauthorized device gains access to the network without the consent of the administrative entity.


Security Risks and Their Impact on Quality Factors

In Table 1, we evaluate the individual security risks and their impact on the quality factors outlined previously. Software architects and designers should note that within any particular software project one or more of the risks may not be applicable to the application domain; in that case their impact on the quality factors should be discounted because of their low likelihood of occurrence.

The impacts characterized in Table 1 are denoted by the following symbols: a single asterisk (*) indicates the risk will have a negative effect on the quality factor, but not to the point of irreparable damage; a double asterisk (**) indicates the security risk will have a strong negative effect on the quality factor, to the point of causing irreparable harm to that factor.


Current Approaches to Addressing Security Risks

A wide variety of industry standards and technologies have emerged in recent years to address the set of software-related risks and their impact on the various software quality aspects described previously. Here, we outline and study a representative collection of current security approaches by evaluating their effectiveness in addressing the relevant security risks. Our choice of current security technologies is by no means complete; they merely serve as examples of current industry security standards and recommendations. Should new technologies and approaches (such as IP traffic pattern analysis tools) emerge, they need to be assessed against our security quality, risk, and technology framework to further extend the classes of security technologies that are covered. Our framework aims to provide a means by which appropriate approaches for protecting against each class of risk can be selected.

Current security approaches are divided into four categories: Standards and Policies, Libraries and Tools, Administrative and System Management, and Physical Tools. Standards and policies are the emerging industry best practices and approaches that, if applied, would be able to address specific security risks. Representative standards include IPSec, a standard aimed at IP network-level security using public-key cryptography. Libraries and tools include the technologies that would be able to provide protection against risks if integrated into the software to be developed. Examples include VeriSign digital certificates used by a specific application for the purpose of enabling strong authentication. Administrative and management technologies include tools and software that would be used by system administrators to safeguard against security attacks. Examples include SSH (Secure Shell), which provides secure remote access at the system level. Physical tools are physical and external hardware devices designed for the specific purpose of security protection; examples include smart cards.

Our evaluation of the individual security technology approaches and their effectiveness in dealing with the applicable security threats and risks is presented in three levels, denoted by the following symbols in Table 2: a single plus sign (+) indicates the particular technology or approach is applicable to the security risk; a double plus sign (++) indicates the technology or approach is effective against the particular security risk; a triple plus sign (+++) indicates the technology or approach is extremely effective, providing a virtually complete safeguard against the occurrence of that security risk.


Conclusion

Our analysis emphasizes the crucial need for the design of a properly secured system to take the risks and security approaches into consideration from the very beginning. There are three layers of security risks and threats that need to be considered within the context of the software. From a software design point of view, the operational software quality factors are the ones threatened by security risks. By taking into consideration security risks and threats and their impact on the quality of the target system, software architects and designers need to select protection mechanisms, via the application of appropriate security technologies and approaches, that provide the necessary safeguards.

We hope our work will provide today's software professionals with a systematic framework for thinking about software quality, risks, and technologies, and will offer an integrated approach to designing for security. Our study gives today's security professionals an understanding of the context in which their technologies relate to the entire software system and provides for software security design requirements to be fully analyzed. The software systems of the near future must be nimble and agile, as well as able to provide continuous, sustainable capabilities in any business situation, even under the constant threat of security risks.


References

1. Bowen, T.F. and Segal, M.E. Remediation of application-specific security vulnerabilities at runtime. IEEE Software (Sept./Oct. 2000), 59–67.

2. Forrest, S., Hofmeyr, S., and Somayaji, A. Computer immunology. Commun. ACM 40, 10 (Oct. 1997), 88–96.

3. Joshi, J., Ghafoor, A., Aref, W.G., and Spafford, E.H. Digital government security infrastructure design challenges. IEEE Computer (Feb. 2001), 66–72.

4. Michener, J.R. System insecurity in the Internet age. IEEE Software 16, 4 (July/Aug. 1999), 62–69.

5. Paulson, L.D. Hacker launches cyberattack from security site. IEEE Computer (Apr. 2001).

6. Pressman, R.S. Software Engineering: A Practitioner's Approach. McGraw-Hill, 1992.

7. Schneier, B. Secrets and Lies: Digital Security in a Networked World. Wiley, NY, 2001.

8. Shimeall, T.J. and McDermott, J.J. Software security in an Internet world: An executive summary. IEEE Software (July/Aug. 1999), 58–61.

9. Viega, J., Kohno, T., and Potter, B. Trust (and mistrust) in secure applications. Commun. ACM 44, 2 (Feb. 2001), 31–36.


Authors

Huaiqing Wang ([email protected]) is an associate professor in the Department of Information Systems at the City University of Hong Kong.

Chen Wang ([email protected]) is a vice president of Architecture at Merrill Lynch in Jersey City, NJ.

Figures

Figure. McCall's software quality factors.

Tables

Table 1. Individual security risks and their impact on quality factors (* = negative effect, no irreparable damage; ** = strong negative effect, causing irreparable harm).

Table 2. Individual security technology approaches and their effectiveness in dealing with security threats and risks.


©2003 ACM  0002-0782/03/0600  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2003 ACM, Inc.
