Preface
Claude Langton: But I haven't heard anything about a murder.
Hercule Poirot: No, you would not have heard of it. Because, as yet, it has not taken place. You see, if one can investigate a murder before it happens, then one might even, well, a little idea … prevent it?
Agatha Christie, Poirot: The Wasp's Nest
System assurance is a bit like detective work: Most of the time is spent “out in the streets” gathering evidence—interviewing potential witnesses or searching for a promising cigarette butt. Gathering evidence is important. The evidence contributes to understanding the situation (“facts of the matter”). Evidence drives the investigation (“follow the facts”). Remember, some detective time is spent on planning the investigative actions. Finally evidence is used to present the case in front of the judge and the jury.
System assurance investigates the presence of security vulnerabilities in our systems. A vulnerability is any characteristic of the system that allows an attacker to commit cybercrime. A vulnerability may be something that is built into the system, intentionally or unintentionally, or something that was omitted from the system. A vulnerability may be an incorrectly designed protocol. Often, a vulnerability is very specific to a particular class of systems, while the same behavior is normal for other systems. It is much like the way we instruct little kids, as when we admonish: “Do not talk to strangers,” while talking to a stranger is normal behavior for a salesperson. So, a vulnerability is anything that makes a cybersystem susceptible to abuse, anything that leads to the insecurity of the system.
System assurance is like a forensic investigation performed before a cybercrime has been committed. However, system assurance gathers evidence to support a much more comprehensive contention: “the system will not allow a certain crime to be committed, guaranteed.” System assurance is one of the processes that is required to make our systems safer, more secure, and more resilient to cybercrime. The risks to cybersystems are very real, and before a new system is put into operation these risks must be understood and accepted. Eventually the public needs to understand and accept the risks they face when using cybersystems. So, the persons and corporations responsible for launching new cybersystems, the regulatory organizations, and the public are the “jury” in front of which the safety and security of systems ought to be argued. System assurance is about making a clear, comprehensive, and defendable case about the safety and security of a system, to build confidence that the system is safe and secure to operate and is free from vulnerabilities. Delivering a system assurance case means communicating it to the “jury” and opening it up for the critical questions by which one builds confidence.
An assurance case is more than a series of claims. Confidence must be justified by evidence. Many things can be gathered as evidence to support claims about the safety and security of systems, and some kinds of evidence offer stronger support than others. For example, a statement from a reputable security expert, such as “I believe that this voting machine is secure,” may be convincing. On the other hand, a statement from an experienced ethical hacker, saying that “I could not get into this system after 5 days of attacking it,” may be even more convincing as it is based on some concrete investigative actions that are directly related to the system of interest rather than on an unqualified expert opinion. What makes the second statement more convincing than the first one is knowledge of the system of interest.
It may seem that the defender community has more knowledge of the systems and is in a good position to prevent vulnerabilities by considering security from the beginning, resulting in resilient systems. However, defenders do not always have sufficient knowledge. Systems include commercial components, legacy components, open-source components, all of unknown security posture and pedigree. Systems of such mixed origins are increasingly vulnerable to defects and subversion. So even when security is considered from the beginning of the system's life cycle, many unknowns exist that are often outside of the developers' control. Also, engineers of systems are not in a good position to anticipate possible vulnerabilities that enable cyberattacks, because they lack the “attack perspective,” if not the “criminal mentality,” that is required to design abuse of the systems that they are trained to build. In addition, system knowledge turns out to have a short shelf life. Knowledge of the system dissipates and even “walks away” as developers change projects. So the code, often the machine code, becomes the only reliable source of knowledge that needs to be rediscovered.
Let's face it: Hackers often know more about our systems than we do. Elite hackers study our systems incessantly and find ingenious ways to abuse them “for fun and profit.” What makes cybercrime an issue is that attackers succeed in sharing this knowledge among themselves and make it available to larger criminal circles, who are interested in using knowledge of vulnerabilities more for profit than for fun. What makes cybercrime a bigger concern is that the community of attackers can be large and dispersed among all corners of the world, across jurisdictions. Attackers are not only sharing their knowledge of vulnerabilities, but are also making it repeatable and affordable by “weaponizing” it, turning it into scripts that require little technical skill to use. The new reality is that the malware that exploits vulnerabilities in our systems is feeding organized crime and is becoming the foundation of a large criminal industry.
Both attackers and defenders favor automated code analysis tools for detecting vulnerabilities. However, here lies a fundamental problem: While attackers are okay with the ad hoc, hit-and-miss vulnerability detection, these methods are not well suited for defenders, who need to be meticulously systematic in understanding risks and designing security mechanisms. Therefore we focus our attention on the field of system assurance as the systematic and justified investigation of the security posture.
How can cyberdefense be made systematic, repeatable, and affordable? The solution is in working together to accumulate common cybersecurity knowledge and build automated capabilities that enable defenders to leverage their advantages and to move significantly ahead of the attackers. There are several aspects to building these collaborative capabilities. First, there is a need for standard protocols for assembling analysis tools that can address the complexities of modern systems. There are limits to what one company or one security researcher can accomplish, which often leads to limitations, inefficiencies, and compromises in the solutions. There is a need for a larger market of interoperable components, like Lego blocks, supplied by multiple vendors, from which robust analysis solutions can be assembled. Second, there is a need for standard protocols to accumulate and exchange cybersecurity content. Yes, in order to be repeatable and affordable, cybersecurity content, including vulnerability knowledge, must be machine-readable and available to the defenders. In other words, there is a need for an ecosystem of tools as well as machine-readable content for assurance.
We titled the book System Assurance: Beyond Detecting Vulnerabilities because the content for systematic, repeatable, and affordable cyberdefense goes beyond knowledge of vulnerabilities and includes knowledge of the system, knowledge of risks and threats, knowledge of security safeguards, as well as knowledge of the assurance argument, together with the corresponding evidence answering the question of why a system is secure. In other words, it is easy to claim that a system is not secure when at least one potential vulnerability is detected and presented as evidence. However, if no vulnerability were detected, does that really mean that the system is secure? Not really. It still requires a convincing argument and evidence to that end, including the argument that the tool was applied correctly, that there are no gaps in the tool's understanding of the particular code dialect, that no code was dropped from the analysis, and so on. System assurance tools go beyond detecting vulnerabilities: they provide evidence to support the claim that the system is secure.
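The difference between “the tool found nothing” and an argued claim can be made concrete. The following is an added example written for this edition of the text; it is not code from the book, from KDM Analytics, or from any OMG standard, and its claim/evidence structure is a deliberately simplified stand-in for an assurance case, not the Software Assurance Case Metamodel. The build manifest and scanner report are constructed sample data. A “naive” case that rests only on an empty findings list evaluates as fully supported, while the argued case, which also claims that all shipped code was analyzed and that the tool understands every dialect in the build, exposes a dropped assembly unit and a claim with no evidence at all.

```python
"""Illustrative assurance-case evaluator (added example; not the OMG metamodel)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed sample data (hypothetical project, not a real code base):
# the translation units the build actually compiled and linked ...
BUILD_UNITS = {"src/main.c", "src/parse.c", "src/net.c", "legacy/crypto.asm"}
# ... and what a hypothetical static-analysis tool reports it analyzed and found.
TOOL_REPORT = {
    "analyzed": {"src/main.c", "src/parse.c", "src/net.c"},  # note: no .asm unit
    "findings": [],                                          # zero findings
}


@dataclass
class Evidence:
    """A piece of evidence: a name plus a check that re-derives whether it holds."""
    name: str
    check: Callable[[], bool]


@dataclass
class Claim:
    """A claim is supported either by subclaims or by direct evidence."""
    text: str
    subclaims: List["Claim"] = field(default_factory=list)
    evidence: List[Evidence] = field(default_factory=list)


def dropped_units() -> set:
    """Code that shipped but never reached the analysis tool ('dropped code')."""
    return BUILD_UNITS - TOOL_REPORT["analyzed"]


def evaluate(claim: Claim, path: Tuple[str, ...] = ()) -> List[str]:
    """Walk the case and return every gap: a claim with no support at all,
    or evidence whose check does not hold for the facts at hand."""
    gaps = []
    here = path + (claim.text,)
    if not claim.subclaims and not claim.evidence:
        gaps.append("unsupported claim: " + " > ".join(here))
    for ev in claim.evidence:
        if not ev.check():
            gaps.append(f"evidence '{ev.name}' does not hold for: {claim.text}")
    for sub in claim.subclaims:
        gaps.extend(evaluate(sub, here))
    return gaps


def build_case() -> Tuple[Claim, Claim]:
    """Return (naive case, argued case) for the same top-level claim."""
    no_findings = Evidence("scanner report lists zero findings",
                           lambda: not TOOL_REPORT["findings"])
    full_coverage = Evidence("every build unit appears in the scanner report",
                             lambda: not dropped_units())

    # Naive: "the tool found nothing, therefore the system is secure".
    naive = Claim("system has no exploitable buffer overflows",
                  evidence=[no_findings])

    # Argued: the same claim broken into the side conditions the tool result
    # depends on.  The dialect claim is deliberately left without evidence.
    argued = Claim("system has no exploitable buffer overflows", subclaims=[
        Claim("scanner reported no overflow findings", evidence=[no_findings]),
        Claim("scanner analyzed all code that ships", evidence=[full_coverage]),
        Claim("scanner understands every language and dialect in the build"),
    ])
    return naive, argued


if __name__ == "__main__":
    naive, argued = build_case()
    print("naive case gaps: ", evaluate(naive))    # [] -- looks fully supported
    for gap in evaluate(argued):
        print("argued case gap:", gap)
```

Running it shows the naive case with no gaps and the argued case with two: the assembly unit that the scanner never saw, and the dialect claim that nobody has evidence for. The point is not the toy data structure but the check it forces: a tool's empty findings list is only evidence for the claim it was actually applied to, under the conditions the argument makes explicit.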
We are privileged to actively participate in several cybersecurity communities that are tackling this agenda. One of these communities is the Object Management Group (OMG)—an international, open membership, not-for-profit computer industry consortium with a mission to develop enterprise integration standards. Our book describes the OMG Software Assurance Ecosystem—a common framework for discovering, integrating, analyzing, and distributing facts about your existing software systems. Its foundation is the standard protocol for exchanging system facts, defined as the OMG Knowledge Discovery Metamodel (KDM). In addition, the Semantics of Business Vocabularies and Business Rules (SBVR) defines a standard protocol for exchanging security policy rules and assurance patterns. Using these standards together, the cybersecurity community can accumulate and distribute machine-readable cybersecurity content and bring automation to protect systems. Finally, the assurance argument is represented as machine-readable content, defined by the forthcoming OMG standard called the Software Assurance Case Metamodel. We describe a unique system assurance methodology that fully utilizes the OMG Software Assurance Ecosystem standards and involves an Integrated System Model, a common representation that is used for system analysis and evidence gathering.
The key to the OMG Software Assurance Ecosystem is the so-called Common Fact Model—a formal approach to building common vocabularies for information exchange, uniform XML interchange formats, and fact-oriented integration.
The book covers a lot of ground. The first part of the book provides an introduction to cybersecurity knowledge, the need for information exchanges for systematic, repeatable, and affordable cyberdefense, and the motivation for the OMG Software Assurance Ecosystem. Then we discuss the nature of system assurance and how it differs from vulnerability detection, and provide an introduction to the forthcoming OMG standard on Software Assurance Cases. We describe an end-to-end methodology for system assurance in the context of the OMG Software Assurance Ecosystem that brings together risk analysis, architecture analysis, and code analysis in an integrated process that is guided and planned by the assurance argument. The methodology presented in the book is based on the FORSA methodology (Fact-Oriented Repeatable System Assurance) from KDM Analytics.
The second part of the book describes various aspects of cybersecurity knowledge that are required for building cybersecurity arguments. This knowledge includes system knowledge, knowledge related to security threats and risks, and vulnerability knowledge. Finally we describe the new form of cybersecurity content— machine-readable vulnerability patterns. When describing the elements of cybersecurity knowledge, we use the SBVR notation to outline the parts of the common cybersecurity vocabulary developed using the Common Fact Model approach and the SBVR standard.
The third part of the book provides an overview of the protocols of the OMG Software Assurance Ecosystem. First, we discuss the details of the Common Fact Model approach. Then we describe linguistic models and the OMG Semantics of Business Vocabularies and Rules (SBVR) standard. Finally, we describe the OMG Knowledge Discovery Metamodel (KDM). Further details of the OMG standards can be found by reading the specifications themselves.
The fourth part of the book illustrates the rest of the material by means of an end-to-end case study. Chapter 12 provides fragments of an end-to-end system assurance project, illustrating the steps of the System Assurance Methodology defined in Chapter 3, the Integrated System Model, and the Assurance Case.
The book also includes an online appendix, with additional details on gathering evidence to the assurance case using the Integrated System Model. The appendix is aimed at a technical audience and contains screenshots of the KDM Workbench tool from KDM Analytics. That's why we decided not to include this material in the main part of the book.
This book is designed and intended for anyone who wants a more detailed understanding of what the field of system assurance is, how to argue the security posture of a system, and how to perform a comprehensive security assessment. The audience for this book includes security professionals who want a more in-depth understanding of the process of architecture-driven security assessment, of building security assurance cases, and of systematic methods of gathering security evidence.
Security professionals will benefit from this book by becoming familiar with the standard-based system assurance methodology that includes process and technology. The information contained in this book provides guidance to the OMG Knowledge Discovery Metamodel, the Common Fact Model, and related standards that will help develop interoperable solutions as well as contribute cybersecurity content that can enable solutions from multiple tool vendors. This can be particularly appealing to security researchers at the universities as well as open-source developers, as more and more components of the OMG Software Assurance Ecosystem become available as open-source projects.
Assurance labs will find this book useful as it provides blueprints for integrating multiple commercial tools into a powerful and highly automated assessment solution, by utilizing the Knowledge Discovery Metamodel and the Common Fact Model approach.
Security tool vendors will learn how to utilize the Ecosystem through simple import/export bridges to plug into end-to-end solutions and in this way expand their market.
Security service consumers will also benefit from reading this book. In addition to being the recipient of better, cheaper, faster, and more comprehensive security assessments, security service consumers will gain an understanding of the common pitfalls of vulnerability detection that is not supported by a clear and defendable argument.
System stakeholders will benefit from reading this book, which will help them to understand the framework for open-standard, collaborative cybersecurity. In that way they can choose best-in-the-class tools for their needs and request additional capabilities to be developed by vendors. This will provide motivation to tool vendors and security researchers to engage in efficient collaborations that are essential to making our systems more secure in the face of cyberattacks.