Augment RAAML risk analysis with foundational security analysis concepts
-
Key: RAAML11-28
-
Status: closed
-
Source: Ford Motor Company ( Mr. Kyle Post)
-
Summary:
There is a need to augment the RAAML existing concepts with a set of extensions and refinements to accommodate security related information as it impacts the measures that RAAML seeks to model (e.g., safety, reliability).
There is coordination with the UAF team, through Mary Tolbert (UAF Lead on Security Viewpoints), to ensure there is no overlap with the UAF security concepts. Mary has attended all RAAML technical meetings and has provided support for STPA for security consistent with the SAE J3187 extensions for security.
In addition, Bob Martin (SAACM Chair) has been involved in the RAAML RTF meetings and provided the following comments on the inclusion of security concepts.
“The first was the June 2022 meeting in Orlando where we discussed the underlying security concepts - mainly of weaknesses and vulnerabilities - and how weaknesses at the design, architecture, code, or deployment levels can lead to undesired behaviors. These may be undesirable from many perspectives - from a reliability one, a safety one, or a security perspective. The same concept of weaknesses and vulnerabilities underlies the quality work that has come from the Architecture Driven Modernization Task Force and was recently republished by ISO/IEC as ISO/IEC 5055 but is also the underpinnings of the Systems Assurance Task Force's work in the Software Fault Pattern Meta-model.
This vulnerability and weakness model was created by MITRE in our development of the Common Vulnerabilities and Exposures (CVE) effort which is now captured in ITU-T's X.1520 standard and our creations of the Common Weakness Enumeration (CWE) which is captured in ITU-T's X.1524. I have led MITRE's work in these efforts and their publishing as international standards but also in getting them consistently and compatibly into OMG's work described above and in RAAML.
The second in-depth meeting I participated in was the one in Chicago where the result of formulating additions to RAAML for security analysis extensions to safety and reliability were presented and approved for adding to the specification resulting in Jira issue RAAML11-31 and the change that resolved it.”
-
Reported: RAAML 1.0 — Mon, 25 Sep 2023 20:03 GMT
-
Disposition: Resolved — RAAML 1.1
-
Disposition Summary:
Augment RAAML risk analysis with foundational security analysis concepts
Add foundational concepts to support security risk analysis methods by adding a security library and profile and tying them into the existing STPA method.
Add "Weakness", "Vulnerability", and "Threat" to a general security concept library, built on the RAAML common core, to support security risk analysis and assessment methods.
Add "Limitation" to the general concept library to bridge between "Weakness" and "Vulnerability". Add "Threat", "PresentedBy", "Impacts", "Asset", "SecurityActor", and "Valuates" stereotypes to the general security profile.
Revise the STPA method to move common elements to the general library/profile for use by other security methods, and update STPA to include STPA-Sec.
-
Updated: Mon, 17 Jun 2024 13:38 GMT
-
Attachments:
- AbstractCause.png 4 kB (image/png)
- AbstractCause_old.png 15 kB (image/png)
- Early.png 2 kB (image/png)
- Late.png 2 kB (image/png)
- NotProvided.png 2 kB (image/png)
- OutOfSequence.png 2 kB (image/png)
- Provided.png 2 kB (image/png)
- RAAML-11-28-STPAProfileElements.docx 14 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML-11-28-Views-General Security.docx 67 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-Factor.docx 17 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-General Security.docx 53 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-Hazard-Items.docx 42 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-Limitation.docx 15 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-Loss.docx 18 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-STPALibraryElements.docx 15 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- RAAML11-28-UnsafeControlAction.docx 19 kB (application/vnd.openxmlformats-officedocument.wordprocessingml.document)
- STPA_Library.png 121 kB (image/png)
- STPA_Profile.png 24 kB (image/png)
- TooLong.png 2 kB (image/png)
- TooShort.png 2 kB (image/png)