Engineering Secure Systems April 24, 2019 Andrew Mobbs | Software Architect More About This Author > Systems The word “system” comes from the Greek σύστημα, a whole thing made of parts, or a composition. When we discuss the behaviour of systems, we’re discussing the emergent behaviour arising from the interaction of many elements that the system is composed of and the interactions between the system and its environment. Ensuring that systems behave only how a designer intends is a central aspect of security. A security-enforcing system will take the context of available information measured against policy to determine whether an operation should be permitted or denied. An attacker may try to manipulate policy enforcement to perform an operation that should be denied …or in the case of a denial-of-service, to deny an operation that should be permitted. Systems engineering and software Systems engineering is the interdisciplinary approach to realizing systems that meet desired goals. It was developed over the 20th century to enable the successful realization of more complex engineering projects; from telephony to military, space and automotive domains. Traditional engineering approaches have often been perceived by software practitioners as cumbersome and inflexible. The term “software engineer” has been, at times, deliberately muddled with “programmer”, “developer” or “coder” with the activity often involving very little engineering. Complexity in software is handled through abstraction and layering, and unintended interactions between system elements or the emergent side-effects of intended interactions are not considered. Experienced and skilled programmers often avoid such unintended consequences by building a deep internalized understanding of the system they’re working with, and employ practices like test-driven development in addition to traditional testing to help discover or avoid problems. However, developing complex software systems with large teams is still a fallible, expensive and inconsistent exercise. Safety-critical software systems such as avionics and some high assurance security-critical systems have always had strong engineering requirements. As many software systems govern important aspects of life and are exposed to security risks by being connected to the internet, the same robust engineering approaches need to be applied. This means the software industry needs to adopt better tools and processes for communicating about and understanding the systems they build. This will ensure they are secure enough for use in applications that have real-world consequences if the systems are misused. Model-Based Systems Engineering Modern systems engineering involves techniques that address many of the concerns around the inflexible and arduous processes that were previously inherent in document-centric approaches. These techniques are encompassed in “model-based systems engineering (MBSE). MBSE “is the formalized application of modelling to support system requirements, design, analysis, verification and validation activities beginning in the conceptual design phase and continuing throughout development and later lifecycle phases”. A full introduction to MBSE can be found on the INCOSE web site. By creating models that accurately abstract the complexity of a real-world system, we can reason specific aspects of system behaviour in a consistent manner without losing important characteristics of the whole system. MBSE is fully compatible with modern approaches to software architecture such as ISO 42010:2011. In software architecture, we often use models to describe the layers and interactions of software elements. MBSE introduces a strong consistency both internally within the model and between the model and the real system. This allows for stronger reasoning based on the model alone and the designer can trust that the model and the system will behave in the same way. MBSE and security engineering To fully realize the security benefits from MBSE in a software system, the approach needs to be fully integrated into the whole system lifecycle. Views should be provided that explicitly consider the security engineering world of threats, controls, misuse cases, assets and so on. Additionally, appropriate security aspects should be brought into the general system engineering views so they’re an integral part of system design. MBSE ensures the specialist and generalist views remain consistent. MBSE improves communication between specialists and generalists by constraining the vocabulary used to describe characteristics, and by providing clear definitions of the terms used for model elements and their relationship to other model elements. By providing a framework of interdependent viewpoints for describing the system, specialists and generalists are able to collaborate on the same model of a system. In conclusion, MBSE helps us to design, build and operate complex systems that are more secure because we understand how they will behave both when used as intended and when misused by attackers. For more information, please visit our Horizons research portal.