Joe Samuel

Leveraging External Data Sources to Enhance Secure System Design

Can we use external vulnerability databases and threat intelligence to automatically validate whether a system's security requirements are adequate?

IEEE Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS 2021)

IEEE · 2021

Natural Language Processing · Security Requirements · Threat Intelligence · Data-Driven Security · NVD · CVE

First Place — Data Day 7.1 (General Category)

Carleton University · 2021

The Gap

A common challenge is the rush to market that commercial development teams face, leaving very little time to design software that is secure as well as functional. The average development team lacks the know-how and the tools to create secure software. Security vulnerabilities in modern software systems make the task of developing secure software especially challenging.

The Question

Can we use external vulnerability databases and threat intelligence to automatically validate whether a system's security requirements are adequate?

The Approach

We tackle this question by focusing on how external online data sources for vulnerabilities, attack patterns, threat intelligence, and other security information can be leveraged, using Natural Language Processing (NLP), to produce a report to assist designers in validating the adequacy of their security requirements. This validation is done by determining which requirements map to known threats, which requirements may be extraneous, and which threats may need a closer look.
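The three-way report described above can be sketched as follows. This is an added illustration, not the paper's implementation: it assumes TF-IDF cosine similarity as a stand-in for the NLP step, and the requirement texts, threat texts, identifiers, function names and threshold are all constructed for the example.

```python
import math
import re
from collections import Counter

STOPWORDS = {"a", "an", "the", "to", "in", "by", "with", "be", "can",
             "must", "shall", "all"}

# Constructed sample data; identifiers and wording are illustrative only.
REQUIREMENTS = {
    "REQ-1": "User passwords must be stored using a salted hash.",
    "REQ-2": "All SQL queries must use parameterized statements to prevent injection.",
    "REQ-3": "The dashboard shall display the company logo.",
}
THREATS = {
    "THREAT-A": "SQL injection in the login form allows an attacker to read "
                "database records through crafted queries.",
    "THREAT-B": "Passwords stored in plaintext can be recovered by an attacker "
                "with database access.",
    "THREAT-C": "Missing certificate validation allows an attacker to intercept "
                "TLS traffic.",
}

def tfidf_vectors(docs):
    """Return {doc_id: {term: tf * smoothed idf}} for a dict of texts."""
    toks = {k: [w for w in re.findall(r"[a-z]+", v.lower()) if w not in STOPWORDS]
            for k, v in docs.items()}
    df = Counter(t for ts in toks.values() for t in set(ts))
    idf = {t: math.log((1 + len(docs)) / (1 + n)) + 1 for t, n in df.items()}
    return {k: {t: c * idf[t] for t, c in Counter(ts).items()} for k, ts in toks.items()}

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    norm = math.sqrt(sum(w * w for w in a.values())) * math.sqrt(sum(w * w for w in b.values()))
    return dot / norm if norm else 0.0

def build_report(requirements, threats, threshold=0.15):
    """Sort requirements and threats into the three report categories."""
    vecs = tfidf_vectors({**requirements, **threats})
    hits = {r: [t for t in threats if cosine(vecs[r], vecs[t]) >= threshold]
            for r in requirements}
    covered = {t for ts in hits.values() for t in ts}
    return {
        "mapped": {r: ts for r, ts in hits.items() if ts},
        "possibly_extraneous": [r for r, ts in hits.items() if not ts],
        "needs_closer_look": [t for t in threats if t not in covered],
    }

if __name__ == "__main__":
    for section, content in build_report(REQUIREMENTS, THREATS).items():
        print(section, content)
```

A requirement listed as possibly extraneous or a threat listed as needing a closer look is a prompt for designer review, since purely lexical matching misses paraphrases.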

Figures

Figure: NLP-based threat analysis approach diagram

Figure: Generated threat analysis report

The Transformation

The output of our approach is a report that supports the architecture design phase of the SDLC in terms of security evaluation and assurance activities, by assisting designers in ensuring that there are adequate requirements to mitigate known threats based on their design decisions.
