Assurance Cases Overview
May 2013 • White Paper
Howard F. Lipson
In this paper, Howard Lipson introduces the concepts and benefits of developing and maintaining assurance cases for security.
Our objective for the Assurance Cases (AC) content area of the Build Security In (BSI) Web site is to raise awareness about emerging methods and tools for assuring security properties of systems. In this content area, we introduce the concepts and benefits of developing and maintaining assurance cases for security. In particular, we describe the benefits of integrating assurance cases for security into the software development life cycle (SDLC) by “building assurance in” from the outset.
Elsewhere on the BSI Web site, the reader can learn about best practices, tools, and techniques that can help developers build security into their software. But the mere existence or claimed use of one or more of these best practices, tools, or techniques does not constitute an adequate assurance case. For example, in support of an overarching security claim (e.g., that a system is acceptably secure), security assurance cases must provide evidence that particular best practices, tools, and techniques were properly applied and must indicate by whom they were applied and their extent of coverage. Moreover, unlike many product certifications that quickly grow stale because they are merely snapshots in time of an infrequently applied certification process, a security assurance case should provide evidence that the practices, tools, or techniques being used to improve security were actually applied to the currently released version of the software (or that the results were invariant to any of the code changes that subsequently occurred).
A security assurance case uses a structured set of arguments and a corresponding body of evidence to demonstrate that a system satisfies specific claims with respect to its security properties. The case should be amenable to review by a wide variety of stakeholders. Although tool support is available, the creation and documentation of a security case can be a demanding and time-consuming process. Yet, similarities may exist among different security cases in the structure and other characteristics of the claims, arguments, and evidence used to construct the cases. A catalog of patterns (i.e., templates) for security assurance cases can facilitate the process of creating and documenting an individual case. Moreover, assurance case patterns offer the benefits of reuse and repeatability of process, as well as providing some notion of coverage or completeness of the evidence.
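The claim, argument, and evidence structure described above can be held as a small tree and checked mechanically. The following is an added example, not taken from the paper or the BSI site: the class names, field names, `review` function, and sample case are all hypothetical and constructed for illustration. It flags claims with no support, evidence that does not record who applied a practice or its extent of coverage, and evidence produced for a version other than the current release without a stated invariance to later code changes.

```python
from dataclasses import dataclass, field

@dataclass
class Evidence:
    practice: str            # practice, tool or technique that was applied
    applied_by: str          # who applied it
    coverage: str            # extent of coverage, as recorded
    version: str             # software version the evidence was produced for
    invariant: bool = False  # results shown to be unaffected by later code changes

@dataclass
class Claim:
    text: str
    argument: str = ""       # why the support below establishes this claim
    subclaims: list = field(default_factory=list)
    evidence: list = field(default_factory=list)

def review(claim, released, path=""):
    """Walk the case and return (location, problem) pairs for a reviewer."""
    here = f"{path} > {claim.text}" if path else claim.text
    findings = []
    if not (claim.subclaims or claim.evidence):
        findings.append((here, "unsupported: no sub-claims or evidence"))
    elif not claim.argument:
        findings.append((here, "no argument linking support to the claim"))
    for ev in claim.evidence:
        if not ev.applied_by:
            findings.append((here, f"{ev.practice}: applier not recorded"))
        if not ev.coverage:
            findings.append((here, f"{ev.practice}: coverage not recorded"))
        if ev.version != released and not ev.invariant:
            findings.append((here, f"{ev.practice}: stale, produced for {ev.version}"))
    for sub in claim.subclaims:
        findings.extend(review(sub, released, here))
    return findings

# Constructed sample case: one overarching claim with two sub-claims.
CASE = Claim("System is acceptably secure", "Argue over each class of weakness",
    subclaims=[
        Claim("Input handling defects addressed", "Analysis and review of parsers",
            evidence=[
                Evidence("static analysis", "build team", "all parser modules", "2.1"),
                Evidence("code review", "", "auth module only", "2.0")]),
        Claim("Secrets are protected at rest"),
    ])

if __name__ == "__main__":
    for where, problem in review(CASE, released="2.1"):
        print(f"{where}: {problem}")
```

Run against release "2.1", the sample case yields three findings: the code review has no recorded applier and is stale, and the second sub-claim has no support at all.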