
RAAML11 — Augment RAAML risk analysis with foundational security analysis concepts

  • Key: RAAML11-28
  • Status: open
  • Source: Ford Motor Company (Mr. Kyle Post)
  • Summary:

    There is a need to augment the existing RAAML concepts with a set of extensions and refinements to accommodate security-related information as it impacts the measures that RAAML seeks to model (e.g., safety, reliability).
    There is coordination with the UAF team, by Mary Tolbert (UAF Lead on Security Viewpoints), to ensure there is not any overlap with security concepts. Mary has attended all RAAML technical meetings along with providing support for STPA support for security consistent with SAE J3187 extensions for security.
    In addition, Bob Martin (SAACM Chair) has been involved in the RAAML RTF meeting with the following comments on inclusion of security concepts.
    “The first was the June 2022 meeting in Orlando where we discussed the underlying security concepts - mainly of weaknesses and vulnerabilities - and how weaknesses at the design, architecture, code, or deployment levels can lead to undesired behaviors. These may be undesirable from many perspectives - from a reliability one, a safety one, or a security perspective. The same concept of weaknesses and vulnerabilities underlies the quality work that has come from the Architecture Driven Modernization Task Force and was recently republished by ISO/IEC as ISO/IEC 5055 but is also the underpinnings of the Systems Assurance Task Force's work in the Software Fault Pattern Meta-model.
    This vulnerability and weakness model was created by MITRE in our development of the Common Vulnerabilities and Exposures (CVE) effort which is now captured in ITU-T's X.1520 standard and our creations of the Common Weakness Enumeration (CWE) which is captured in ITU-T's X.1524. I have led MITRE's work in these efforts and their publishing as international standards but also in getting them consistently and compatibly into OMG's work described above and in RAAML.
    The second in-depth meeting I participated in was the one in Chicago where the results of formulating additions to RAAML for security analysis extensions to safety and reliability were presented and approved for adding to the specification resulting in Jira issue RAAML11-31 and the change that resolved it.”

  • Reported: RAAML 1.0 — Mon, 25 Sep 2023 20:03 GMT
  • Updated: Mon, 25 Mar 2024 15:56 GMT