Concepedia

Publication | Closed Access

Evidence of Assurance: Laying the Foundation for a Credible Security Case

Citations: 27

References: 12

Year: 2014

Abstract

A security case bears considerable resemblance to a legal case, and demonstrates that security claims about a given system are valid. Persuasive argumentation plays a major role, but the credibility of the arguments and of the security case itself ultimately rests on a foundation of evidence. This article describes and gives examples of several of the kinds of evidence that can contribute to a security case. Our main focus is on how to understand, gather, and generate the kinds of evidence that can build a strong foundation for a credible security case.

ACKNOWLEDGEMENTS: Reviews by Debra Herrmann, Andy Moore, Julian Rrushi, and Melanie Smith are gratefully acknowledged. We also wish to thank Pamela Curtis for her skillful technical editing and Sheila Rosenthal for library services support.

INTRODUCTION

“[T]here are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.” (C.A.R. Hoare, 1980 Turing Award Lecture)

As modern software-intensive systems become more complex and difficult to analyze, there is an increasing tendency to treat them as natural phenomena rather than as artificial constructs that are engineered by humans. Thus we try to assess the security, safety, survivability, or other critical properties of such systems through observation and experiment rather than by direct analysis or an examination of the manner in which the system was constructed. Evaluating the security properties of a system through penetration testing, or by noting the number (or absence) of security-related incidents, or the number and type of vul

Charles B. Weinstock, Howard F. Lipson
