A Layered Argument Strategy for Software Security Case Development

Authors: Biao Xu, Minyan Lu, Dajian Zhang
Source: ISSRE Workshops
Publication Year: 2017
Publisher: IEEE, 2017.

Abstract

It is normally hard to believe a software security claim if we do not know exactly what is meant by "secure" and the reasons supporting the claim are not sufficiently provided. Security cases, which document the rationale for believing that a system is adequately secure, are intended to address both these issues. However, due to the lack of a practical construction method for security cases, there has been limited use of security cases so far. This paper presents a hierarchical software security case development method. We first present a general asset model and a security concept relationship model, then come up with a hierarchical asset-threat-control measure argument strategy, which is supported by the general asset model and software threat classification to make it explicit. Lastly, we propose several key argument patterns, which are reusable and instrumental for security case development. A case study of an IM (instant messaging) server is used to demonstrate the capability of this method.

Details

Database: OpenAIRE
Journal: 2017 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW)
Accession number: edsair.doi...........6f3015500485a7ae469d23a7e662fbf9