Here are the slides from our talk at Secure360 on our recently published white paper, Behavioral Security Modeling: Functional Security Requirements.
We’ll provide a link to the video when it becomes available.
In my Behavioral Security Modeling talk at OWASP AppSec USA 2011, I promised a white paper on BSM. Since then, I enlisted the aid of Karl Brophey, a friend who has a wealth of experience in software development and architecture, and the result of our collaboration is finally complete! I’m pleased to formally announce the release of the first BSM white paper, “Behavioral Security Modeling: Functional Security Requirements.” Karl and I will be speaking about the paper today at Secure360 in St Paul. Hope to see you there!
Abstract:
Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and “requirement patterns” to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting post conditions are also discussed.
Version 1.0 disclaimer: this white paper attempts to formally capture our collective knowledge on how to effectively define functional security requirements. The next step is to test the theory by implementing the approach in a number of application development environments.
Paper:
Behavioral Security Modeling: Functional Security Requirements
I spoke today (May 7, 2012) at SIRACon, the first ever conference of the Society of Information Risk Analysts. Here is the description I submitted for the talk – it is fairly close to the final product:
Effective, established Risk Management practices fall into two major categories: management of risk due to accidental damage (safety) and management of risk due to threats (protection). This talk will present the case that these are two distinct methodologies, and all information risk management should be divided into protection functions (like the Secret Service) and safety functions (like the Aviation Industry), staffed by different people if possible, due to the differences in approach, available data, threat behavior, and the cognitive biases of the risk analysts themselves.
I’ve uploaded copies of the talk to my site: Organizing Risk Management Programs, Or, What I learned from the Aviation Industry and the US Secret Service.
I really enjoyed the day’s talks, and appreciated all the different perspectives, they all help with our still-immature business of information risk analysis and information risk management.
I believe there will also be a video of my talk as well, I’ll post a link to that once it becomes available.
Update: URL for the video of the talk: https://vimeo.com/44519848