Building Predictable Systems using Behavioral Security Modeling: Functional Security Requirements

Presented at AppSec USA 2012, Oct. 25, 2012, 10 a.m. (45 minutes)

Behavioral Security Modeling (BSM), first presented at AppSec USA 2011 in Minneapolis, was conceived as a way of modeling interactions between information and people in terms of socially defined roles and the expected behaviors of the system being designed. By reducing the difference between the expected system behaviors and the actual system behaviors, we can manage the vulnerabilities that are inevitably introduced when the expected and actual system behaviors are out of alignment. BSM asserts that robust, secure information systems are best achieved through carefully modeling human/information interactions in social terms. Modeling human/information interactions starts with requirements gathering. While traditional security requirements describe how to "keep the bad guys from messing with our stuff," BSM functional requirements seek to define "what the good guys are allowed to do." To address this gap, we have developed a practical, SDLC-agnostic method for gathering functional security requirements by defining limits on interactions through a series of questions that identify and clarify known constraints and uncover hidden ones. We will discuss the development of the methodology and demonstrate its use, as described in our white paper, including early experiences implementing the approach.

Presenters:

  • John Benninghoff - Security Consultant - Transvasive Security
    John Benninghoff started Transvasive Security to develop Behavioral Information Security, a new philosophy of security that draws on knowledge of how people behave and interact with information. He has spoken at national and regional security conferences, and writes regularly for his company blog at transvasive.com. John began his information security career when he was asked to build and deploy a Network IDS using free software (SHADOW) after returning from a SANS conference in 1998. John has experience in security policy, program management, incident response, identity management, and network security. John's accomplishments include developing a comprehensive vulnerability management program that effectively eliminated business outages due to network worms after it was implemented in 2001.
