SQUARE-Lite: Case Study on VADSoft Project

iii


List of Tables
SQUARE Steps

Introduction
In September 2007, Carnegie Mellon University and VAD Corporation came together to pilot the SQUARE-Lite methodology on the VAD Corporation's VADSoft project.The SQUARE team and VAD Corporation staff met on a number of occasions from September 2007 through the end of February 2008.The SQUARE team members are listed as authors of this report.The primary contact point at VAD Corporation was from the Information Security Department.He was frequently joined by members of the VADSoft development team as we worked through the pilot activity.The remainder of this report discusses the results of the SQUARE-Lite pilot and lessons learned from the project.

VAD CORPORATION AND VADSOFT
VAD Corporation is a privately held, medium-sized commercial organization.The VADSoft project is a financial application.User functionality is determined by the client and user roles and functions that are defined by their security model.

SQUARE
The SQUARE methodology [Mead 2005] begins with the requirements engineering team and project stakeholders agreeing on technical definitions that serve as a baseline for all future communication.Next, business and security goals are outlined.Third, artifacts and documentation are created, which are necessary for a full understanding of the relevant system.A structured risk assessment determines the likelihood and impact of possible threats to the system.Following this work, the requirements engineering team determines the best method for eliciting initial security requirements from stakeholders, which is dependent on several factors, including the stakeholders involved, the expertise of the requirements engineering team, and the size and complexity of the project.Once a method has been established, the participants rely on artifacts and risk assessment results to elicit an initial set of security requirements.Two subsequent stages are spent categorizing and prioritizing these requirements for management's use in making tradeoff decisions.Finally, an inspection stage is included to ensure the consistency and accuracy of the security requirements that have been generated.
Table 1 details the steps involved in the SQUARE process [Mead 2008].

SQUARE-LITE
Over the course of the SQUARE case studies, it became clear that SQUARE required a significant commitment on the part of the organizations that used it.Execution of the full SQUARE process could take up to two to three months, and many organizations were not able to make that time commitment.
Therefore we studied the SQUARE process to see which steps might fit into an existing requirements engineering process.We also wanted to come up with a streamlined approach that could provide at least some benefit to organizations that were not prepared to invest in the full SQUARE process.The case study discussed in this report provided us a more precise picture of the benefits of SQUARE-Lite.
SQUARE-Lite consists of four steps extracted from the SQUARE process, Steps 1, 2, 6, and 8.The steps in the SQUARE-Lite process are summarized in Table 2 [Mead 2008].

Agree on Definitions
To guarantee effective and clear communication throughout the requirements engineering process, the requirements engineers and the project stakeholders must first agree on terms and definitions.The set of terms and definitions chosen by the VADSoft team is shown in the appendix.

Security Goals
The security goals were elicited from the VADSoft team and documented.The security goals are as follows: • Implement user authentication and access control.
• Protect private customer information from data leaks.
• Ensure that there is no compromise of financial data or actual checks produced by the system.

Risk Assessment
The purpose of assessing risks is to identify the vulnerabilities and threats that the VADSoft project may face and the likelihood that the threats will materialize as real attacks.Therefore the risks pertaining to the VADSoft project were assessed by the team members and the SQUARE team.This step was carried out in addition to the four SQUARE-Lite steps, as it was critical to assess the risks in the project to obtain clarity in the security requirements.A risk matrix and prioritized lists of risks were the outcomes targeted.To facilitate the VADSoft team in eliciting and prioritizing risks, the SQUARE team provided them with a list of risks that the project may face based on the VADSoft requirements documents and inputs from meetings.The VADSoft team then could update this list with other risks that they anticipated.The risk list is shown in Table 3.

R18
Since VADSoft is a database driven application, risk of database being exposed to threat through SQL injection

RISK MATRIX
A risk matrix [ioMosaic 2002] was also prepared and provided by the SQUARE team to the VADSoft team to help them assess the risk exposure of the project.The matrix is filled with the risk IDs from the risk list based on the impact of the risk on the project and on the probability of occurrence.The risk matrix is shown in Table 4.

Risk Rank List
Risk rank can be determined from the risk matrix and filled in on the risk rank list.This results in a list of prioritized risks.
Risk ID Risk Exposure (High/Low/Medium) Rank (in Numbers)

ELICIT SECURITY REQUIREMENTS
Security requirements were elicited from the VADSoft team during several elicitation sessions held at VAD Corporation.Certain requirements were taken from the business requirements document for the VADSoft project.The list of security requirements collected is as follows: • Access to different functionalities of the software should be limited and based on authorization.

•
The authorization process should be automatic to improve the usability of the software and should tie to the active directory to ensure that impersonations are not possible.Also with this approach, compromise of user names and passwords can be well managed

•
Automate security authorizations for usability purposes.
• Ensure that the right people are given the right access.
• Ensure that only the super user of the system has the right to assign roles and permissions.
No other role should have the authorization or the ability to assign permissions and functionality to roles.

•
The ability of the customer to view data should be specific to his profile as mentioned in the Customer Maintenance Screen.
• Each customer in the system and his ability to use the system is tailored to his profile.Every customer's profile should be maintained in detail.
• All payment checks issued should be verified.

•
Positive pay functionality should be tested on a daily basis to catch fraudulent customerissued checks.
• Checks should be printed only once.Ensure that checks cannot be saved locally on any machine.
• Securely store cached information.
• Store passwords securely in the system.

PRIORITIZE SECURITY REQUIREMENTS
The VADSoft team had to prioritize the security requirements identified in the previous step.A traceability matrix that maps security requirements to test cases and risks was also prepared.

Traceability Matrix
The traceability matrix maps the security requirements to test cases and risks.This is to ensure that all the security requirements are addressed by the VADSoft team.Customer Maintenance Screen and will be unique for each customer Each customer in the system and his ability to use the system is tailored to his profile.Every customer's profile should be maintained in detail.
Positive pay is an anti-fraud component that utilizes an FTP server to send and verify a list of checks cut that day.
All payment checks issued should be verified.
Positive pay will be tested by sending a list of checks cut on that day, via FTP, to the bank with which we are doing business.A return message verifying the content will be received.This should be tested for both positive and negative results (i.e., the list matches or the list does not match.) Positive pay functionality should be tested on a daily basis to catch fraudulent customer-issued checks.
Checks should be printed only once.Ensure that checks cannot be saved locally on any machine.
Risk of a copy of a check generated by the tool being stored in someone's machine and reprinted (R6).
Securely store cached information.
Risk of information leak or exposure due to local storage of security-critical data like SSN to improve performance (R7).
Store passwords securely in the system.
Risk of access to passwords that are not hashed and stored outside the database (R8).
Risk of developers getting access to the system due to their ability to create roles through the application (R9).

REFLECTIONS
1.The SQUARE team saw a need for a defined process to appropriately incorporate the steps of the SQUARE-Lite methodology.
2. SQUARE fits best when the project is in the initial phases of the software development life cycle.This is because applying SQUARE-Lite results in the identification of prioritized security risks that should influence the development of the software.But in this collaboration with VAD Corporation, the VADSoft project was already in the production phase.The value of SQUARE-Lite's outcome was not realized to its fullest during this phase of development; however, the prioritized requirements list was useful for verifying whether their security requirements were addressed and what further consideration the team should give for the improvement of the product's security.
SQUARE-Lite contains four major steps extracted from the full SQUARE methodology.While applying SQUARE-Lite in the VADSoft project, an additional step for identifying risks was necessary to help identify the security requirements.Hence SQUARE-Lite was slightly modified to incorporate a risk assessment step as defined in SQUARE.The steps in this modified SQUARE-Lite process were

Prioritize requirements
Applying SQUARE-Lite required commitment from both the SQUARE team and the VADSoft project team.Steps like identifying risks and prioritizing the requirements depended on input from the members of the VADSoft project team.Since VADSoft was in the production phase and the members were busy in development, there was a delay in completion of the SQUARE-Lite process.This throws light on the fact that cooperation from both ends is necessary for successful and timely delivery of the prioritized security requirements list.authentication The process of determining whether someone or something is, in fact, who or what it is declared to be [SearchSecurity 2008].

authorization
The process of granting a person, computer process, or device access to certain information, services, or functionality.Authorization is derived from the identity of the person, computer process, or device requesting access, which is verified through authentication [Tulloch 2003].

availability
The property of a system or a system resource that ensures it is accessible and usable upon demand by an authorized system user.Availability is one of the core characteristics of a secure system [Tulloch 2003].9 back door A hardware or software-based hidden entrance to a computer system that can be used to bypass the system's security policies [Tulloch 2003].An attempt by a malicious (or unwitting) user, process, or system to prevent legitimate users from accessing a resource (usually a network service) by exploiting a weakness or design limitation in an information system.Examples of DoS attacks include flooding network connections, filling disk storage, disabling ports, and removing power [Tulloch 2003].disaster recovery plan A plan that helps a company recover data and restore services after a disaster [Tulloch 2003].disclosure A component of the notice principle, wherein a company should make available its data handling practices, including notices on how it collects, uses, and shares personally identifiable information [Tulloch 2003].disgruntled employee A person in an organization who deliberately abuses or misuses computer systems and their information [Alberts 2003].encryption The cryptographic transformation of data (called "plaintext") into a form (called "cipher text") that conceals the data's original meaning to prevent it from being known or used [SANS 2003].fault tolerance A computer system or component designed so that, in the event that a component fails, a backup component or procedure can immediately take its place with no loss of service.Fault tolerance can be provided with software, embedded in hardware, or provided by some combination [SearchSecurity 2008].firewall A security solution that segregates one portion of a network from another portion, allowing only authorized network traffic to pass through according to traffic-filtering rules [Tulloch 2003].hacker Someone who engages in the activity of hacking computer programs, systems, or networks [Tulloch 2003].integrity For data, the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner [Allen 1999].intrusion An attempt to compromise a system or network [Tulloch 2003].intrusion detection system A combination of hardware and software that monitors and collects system and network information and analyzes it to determine if an attack or an intrusion has occurred.Some ID systems can automatically respond to an intrusion [Allen 1999].malware Programming or files that are developed for the purpose of doing harm.Thus, malware includes computer viruses, worms, and Trojan horses [Webopedia 2008].man-in-the-middle attack A computer attack during which the cyber criminal funnels communication between a consumer and a legitimate organization through a fake website.In these attacks, neither the consumer nor the organization is aware that the communication is being illegally monitored.The criminal is, in effect, in the middle of a transaction between the consumer and his or her bank, credit card company, or retailer [BSA 2008].

non-repudiation
A technique used to ensure that someone performing an action on a computer cannot falsely deny that they performed that action [Tulloch 2003].patching The process of updating software to a new version that fixes bugs in a previous version [SANS 2003].recovery A system's ability to restore services after an intrusion has occurred.Recovery also contributes to a system's ability to maintain essential services during intrusion [Ellison 2003].risk The product of the level of threat with the level of vulnerability.Anything that gives an attacker the opportunity to perform an exploit.liability The responsibility of someone for damage or loss [West-Brown 2003].
| CMU/SEI-2008-SR-017 luring attack A type of elevation of privilege attack where the attacker "lures" a more highly privileged component to do something on his or her behalf.The most straightforward technique is to convince the target to run the attacker's code in a more privileged security context [Brown 2005].mail relaying A practice in which an attacker sends email messages from another system's email server in order to use its resources and/or make it appear that the messages originated from the other system.malicious code Software that fulfills the deliberately harmful intent of an attacker when run.For example, viruses, worms, and Trojan horses are malicious code.malicious user A user who accesses a system with the intent to cause harm to the system or to use it in an unauthorized manner.masquerade Attempts to fool other machines on the network into accepting the imposter as an original, either to lure the other machines into sending it data or to allow it to alter data [Howard 1998].modification Situation in which an unauthorized party not only gains access to but tampers with an asset [Howard 1997].non-essential services Services to users of a system that can be temporarily suspended to permit delivery of essential services while the system is dealing with intrusions and compromises [Ellison 1997 Authorization to perform operations associated with a specific shared resource, such as a file, directory, or printer.Permissions must be granted by the system administrator to individual user accounts or administrative groups.physical security Security measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment [Guttman 1995].port scanning The act of systematically scanning a computer's ports [Webopedia 2008].privacy The quality or condition of being secluded from the presence or view of others [Dictionary.com 2008].privacy policy An organization's requirements for complying with privacy regulations and directives.The policy is expressed in a privacy statement.procedure The implementation of a policy in the form of workflows, orders, or mechanisms [West- Brown 2003].recognition The capability of a system to recognize attacks or the probing that precedes attacks [Ellison 2003 The capability of a system to complete its mission in a timely manner, even if significant portions are compromised by attack or accident.The system should provide essential services in the presence of successful intrusion and recover compromised services in a timely manner after intrusion occurs [Mead 2003].target The object of an attack, especially host, computer, network, system, site, person, organization, nation, company, government, or other group [Allen 1999].threat assessment The identification of the types of threats that an organization might be exposed to [SANS 2003].threat model Used to describe a given threat and the harm it could to do a system if it has a vulnerability [SANS 2003].toolkits A collection of tools with related purposes or functions, e.g., antivirus toolkit, disk toolkit [RUsecure].

Trojan
A program that appears to be useful or harmless but that contains hidden code designed to exploit or damage the system on which it is run.Trojan horse programs are most commonly delivered to users through e-mail messages that misrepresent the program's purpose and function.Also called Trojan code [Microsoft 2005].upgrade A software package that replaces an installed version with a newer version of the same software.The upgrade process typically leaves existing customer data and preferences intact while replacing the existing software with the newer version.user profile Settings that define customization preferences for a particular user, such as desktop settings, persistent network connections, personally identifiable information, website use, or other behaviors and demographics data.user rights Tasks that a user is permitted to perform on a Windows-based computer or domain.
There are two types of user rights: privileges and logon rights.An example of a privilege is the right to shut down the system.An example of a logon right is the right to log on to a computer interactively.Both types are assigned by administrators to individual users or groups as part of the security settings for the computer.victim That which is the target of an attack.An entity may be a victim of either a successful or unsuccessful attack [SANS 2003].virus A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting-i.e., inserting a copy of itself into and becoming part ofanother program.A virus cannot run by itself; it requires that its host program be run to make it active [SANS 2003].worm Self-propagating malicious code that can automatically distribute itself from one computer to another through network connections.A worm can take harmful action, such as consuming network or local system resources, possibly causing a denial-of-service attack [Microsoft 2005].Compare virus.

Table 1 :
SQUARE Steps

Table 3 :
Risk List R9Risk of developers getting access to the system due to their ability to create roles through the application R10 Risk of inflicting data loss/corruption due to virus/Trojan attack R11 Risk of stealing confidential information due to virus/Trojan attack R12 Risk of user information gathered through the Internet by spyware

Table 4 :
Risk Matrix ]. patch A small update released by a software manufacturer to fix bugs in an existing program [SANS 2003].penetration Intrusion, trespassing, or unauthorized entry into a system [RUsecure 2008].penetration testing The execution of a testing plan, the sole purpose of which is to attempt to hack into a system using known tools and techniques [RUsecure 2008].permissions 017 script kiddieThe more immature but unfortunately often dangerous exploiter of security lapses on the Internet.The typical script kiddie uses existing and frequently well-known and easy-tofind techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet-often randomly and with little regard or perhaps even understanding of the potentially harmful consequences[SearchSecurity 2008].