A Sample Security Assurance Case Pattern

December, 2018
IDA document: P-9278
FFRDC: Systems and Analyses Center
Type: Documents
Division: Information Technology and Systems Division
E. Kenneth Hong Fong, Project Leader, David A. Wheeler See more authors
Essentially all systems with software should address security. However, there is no single “magic bullet” that makes software secure, because security is an emergent property of a system. Tracking and managing the application of the various techniques across the software corpus and throughout the software life cycle can be overwhelming. An assurance case is a widely-recommended practical alternative to other approaches for managing the assurance activities. An assurance case “includes a top-level claim for a property of a system or product (or set of claims), systematic argumentation regarding this claim, and the evidence and explicit assumptions that underlie this argumentation.” [ISO 15026-2:2011]. Since an assurance case is systematic, it is much easier for people to determine if important areas have been adequately covered, and to understand the ramifications of different decisions. Maintaining an assurance case for security properties (a “security assurance case”) is a simple idea, but many have found it difficult to create a security assurance case because of the limited number of sample patterns and worked examples. This document provides a sample security assurance case pattern, based on a publicly available assurance case of a real commercial system. This document also shows how this pattern can be applied to a real system. We hope that many system/software developers and approving authorities will find this sample pattern and application to be a useful place to start when developing their own assurance cases. This document also discusses changes that could be made to deal with different kinds of applications, such as Internet of Things (IoT) or weapon systems. The sample security assurance case pattern provided here is for a system that only requires moderate assurance; higher levels of assurance would call for more rigor. This pattern can make it much easier to create a security assurance case.