Security requirement representation method for confidence of systems and networks

Hyung Jong Kim, Huy Kang Kim, Hae Young Lee

    Research output: Contribution to journal › Article › peer-review

    1 Citation (Scopus)

    Abstract

    Software vulnerability is a key determiner of confidence in computer systems and networks. Usually, software requirements are listed at the beginning of software design, whereas vulnerabilities appear only after development is complete and sometimes only after the system is operational. Therefore, the security requirements during the design stage should address software vulnerabilities. This paper presents a method of representing software vulnerabilities as atomic vulnerabilities (AVs): an AV is an undividable cause-unit of vulnerability, and a set of AVs and the relationships among them represent software vulnerabilities. The AV concept originates from system theory and modeling methodology. AVs and the relationships among them can be used to construct a behavioral model of systems and networks with a focus on vulnerability. The logical relationships among AVs are named vulnerability expressions (VXs). With all the accumulated VXs of the systems and networks, we can set security requirements that resolve or circumvent vulnerabilities effectively and reinforce confidence in system and network robustness. The contribution of this paper is to use the concepts of AV and VX to derive the security requirements considering software vulnerabilities for secure systems and networks. The requirement derived can be used to complement the vulnerable situation caused by software that is developed without cognizance of security consideration.

    Original language: English
    Pages (from-to): 49-71
    Number of pages: 23
    Journal: International Journal of Software Engineering and Knowledge Engineering
    Volume: 20
    Issue number: 1
    Publication status: Published - 2010 Feb

    Bibliographical note

    Funding Information:
    This work was supported by the National Research Foundation of Korea Grant funded by the Korean Government (KRF-2007-331-D00449).

    Keywords

    • Confidence of system
    • DEVS formalism
    • Network
    • Security requirement
    • Software vulnerability
    • System theory

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications
    • Computer Graphics and Computer-Aided Design
    • Artificial Intelligence
