Security policy foundations in Context UNITY

M. Todd Gamble, Rose F. Gamble, Matthew L. Hale

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Citations (Scopus)

Abstract

Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

Original languageEnglish (US)
Title of host publicationSESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011
Pages8-14
Number of pages7
DOIs
StatePublished - Jun 29 2011
Event7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011 - Waikiki, Honolulu, HI, United States
Duration: May 22 2011May 22 2011

Publication series

NameProceedings - International Conference on Software Engineering
ISSN (Print)0270-5257

Conference

Conference7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011
CountryUnited States
CityWaikiki, Honolulu, HI
Period5/22/115/22/11

Fingerprint

Information systems
Specifications
Compliance
System of systems

Keywords

  • Security certification
  • Security controls
  • UNITY

ASJC Scopus subject areas

  • Software

Cite this

Gamble, M. T., Gamble, R. F., & Hale, M. L. (2011). Security policy foundations in Context UNITY. In SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011 (pp. 8-14). (Proceedings - International Conference on Software Engineering). https://doi.org/10.1145/1988630.1988633

Security policy foundations in Context UNITY. / Gamble, M. Todd; Gamble, Rose F.; Hale, Matthew L.

SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011. 2011. p. 8-14 (Proceedings - International Conference on Software Engineering).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Gamble, MT, Gamble, RF & Hale, ML 2011, Security policy foundations in Context UNITY. in SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011. Proceedings - International Conference on Software Engineering, pp. 8-14, 7th International Workshop on Software Engineering for Secure Systems, SESS 2011, Co-located with ICSE 2011, Waikiki, Honolulu, HI, United States, 5/22/11. https://doi.org/10.1145/1988630.1988633
Gamble MT, Gamble RF, Hale ML. Security policy foundations in Context UNITY. In SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011. 2011. p. 8-14. (Proceedings - International Conference on Software Engineering). https://doi.org/10.1145/1988630.1988633
Gamble, M. Todd ; Gamble, Rose F. ; Hale, Matthew L. / Security policy foundations in Context UNITY. SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011. 2011. pp. 8-14 (Proceedings - International Conference on Software Engineering).
@inproceedings{d003b140c1e24fc2b82d188f91186581,
title = "Security policy foundations in Context UNITY",
abstract = "Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.",
keywords = "Security certification, Security controls, UNITY",
author = "Gamble, {M. Todd} and Gamble, {Rose F.} and Hale, {Matthew L.}",
year = "2011",
month = "6",
day = "29",
doi = "10.1145/1988630.1988633",
language = "English (US)",
isbn = "9781450305815",
series = "Proceedings - International Conference on Software Engineering",
pages = "8--14",
booktitle = "SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011",

}

TY - GEN

T1 - Security policy foundations in Context UNITY

AU - Gamble, M. Todd

AU - Gamble, Rose F.

AU - Hale, Matthew L.

PY - 2011/6/29

Y1 - 2011/6/29

N2 - Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

AB - Security certification includes assessing an information system to verify its compliance with diverse, pre-selected security controls. The goal of certification is to identify where controls are implemented correctly and where they are violated, creating potential vulnerability risks. Certification complexity is magnified in software composed of systems of systems where there are limited formal methodologies to express management policies, given a set of security control properties, and verify them against the interaction of the participating components and their individual security policy implementations. In this paper, we extend Context UNITY, a formal, distributed, and context aware coordination language to support policy controls. The new language features enforce security controls and provide a means to declare policy specifics in a manner similar to declaring variable types. We use these features in a specification to show how verifying system compliance with selected security controls, such as those found in the NIST SP800-53 document, can be accomplished.

KW - Security certification

KW - Security controls

KW - UNITY

UR - http://www.scopus.com/inward/record.url?scp=79959551871&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79959551871&partnerID=8YFLogxK

U2 - 10.1145/1988630.1988633

DO - 10.1145/1988630.1988633

M3 - Conference contribution

AN - SCOPUS:79959551871

SN - 9781450305815

T3 - Proceedings - International Conference on Software Engineering

SP - 8

EP - 14

BT - SESS'11 - Proceedings of the 7th International Workshop on Software Engineering for Secure Systems, Co-located with ICSE 2011

ER -