Journal article
BridgeSec: facilitating effective communication between security engineering and systems engineering
- Abstract:
- We increasingly rely on systems to perform reliably and securely. Therefore, it is imperative that security aspects are properly considered when designing and maintaining systems. However, achieving the security-by-design ideal is challenging. Security information is typically unstructured, dispersed, hard to communicate, and its assessment is somewhat subjective and tacit. Additionally, the inclusion of security information within design requires integrating the efforts of two knowledge-intensive disciplines: security engineering and systems engineering. In this paper, we introduce BridgeSec, a novel conceptual information-exchange interface to systemise the communication of security information between these two disciplines. The main contribution of BridgeSec lies in its explicit identification of concepts related to vulnerability management, which allows systems engineering and security engineering teams to codify pertinent information. The disciplines involved in the system design can thus coordinate policies, implementations and, ultimately, the security posture. Furthermore, based on the newly unveiled interface, an automated reasoning mechanism is specified. This mechanism allows reasoning about the vulnerability posture of systems in a scalable and systematic way. First, we describe and formalise the information-exchange interface BridgeSec and how it can be used to reason about the security of systems designs. Next, we present an open-source prototype, integrated into a threat modelling tool, which rigorously implements the interface and the reasoning mechanism. Finally, we detail two diverse and prominent applications of the interface for communicating security aspects of systems designs. These applications show how BridgeSec can rigorously support the design of systems’ security in two representative scenarios: in coordinating security features and policy during design, and in coordinating mitigation to disclosed implementation vulnerabilities.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
- Files:
- (Preview, Version of record, pdf, 4.1MB, Terms of use)
- Publisher copy:
- 10.1016/j.jisa.2024.103954
Authors
- Publisher:
- Elsevier
- Journal:
- Journal of Information Security and Applications
- Volume:
- 89
- Article number:
- 103954
- Publication date:
- 2025-01-06
- DOI:
- EISSN:
- 2214-2126
- Language:
- English
- Keywords:
- Pubs id:
- 2077454
- Local pid:
- pubs:2077454
- Deposit date:
- 2025-01-12
- ARK identifier:
Terms of use
- Copyright holder:
- Shaked and Messe
- Copyright date:
- 2025
- Rights statement:
- © 2024 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
- Licence:
- CC Attribution (CC BY)