ARIS Community - We Love BPM

An Innovative Modeling Approach for Security Testing in Networked Systems

frankwerner's picture
by Frank Werner in Research Projects posted on 2015-07-16

Current existing and conventional tools fail to support industrial needs adequately. Although requirements are very diverse there is a common set of industry generic requirements applicable to a large number of industrial software developing companies. The RASEN project is addressing those, striving to deliver a new methodology and a supportive software environment.

The RASEN project (http://www.rasenproject.eu/) is a European Research Project, which investigates new means of risk management and security testing and their application to large scale networked systems. This modelling approach – or more precisely – this modelling convention is based on extended ARIS models and attributes and capable of picturing an actual software product by its different components and their sub-components. These elements can be classified in pre-defined and manually-defined component types. A component type itself consists of a defined set of weaknesses derived out of the Common Weakness Enumeration (CWEs) Schema [1]. A CWE in turn describes a typical weakness in a software system. This modelling convention is described in detail in the next few lines.

Picture 1: Abstract view of a product model containing a Product, a vignette describing the deployment, and a number of components/sub-components used to classify the product. The model contains “Generic Component Types” – containing a predefined set of weaknesses to a certain components – as well as “User-Specific Component Types” defined by the used.

The illustration above denotes an abstract overall view of a product model. A product model itself describes a software product with a so called vignette and its building blocks namely its components. Therefore a tree-like structure is used. The root element is described by the product itself, components are connected to the product and are represented as nodes on the first level. Components may consist of other components and so on. There is no limitation in terms of depth of the tree. All components have zero to n different component types. To indicate that a component is of a special component type, the component type element is connected to the component element.

 

Product Model

Picture 2: Product Model of a Sample Application

In ARIS a so called Application System Diagram are used to picture a product model in its tree structure. The root element is an Application System. In addition, the vignette defines the deployment scenario of the application. In the RASEN Modeling Framework different reports and macros are included to assist a modeler by creating such models. To create a product model a modeler can use the Create Product report. Using this report the name of the product and the vignette of the product must be specified (cf. vignette section).

 

Component

Picture 3: A product consists of different components, for instance of a Web Interface

A component is modelled as an object of type Module in a manual step by creating the component hierarchy. A modeler just has to place a “Module” with a name in the product model and connect it to its parent either the product root element or another component. In addition, a component type represents the type of component along with its underlying weaknesses.

Generic Component type

Picture 4: A component type providing a generic component of type “Networking” along with an assigned list of applicable CWEs.

The illustration above shows the content of a component type model for type Networking. A component type consists of a defined set of CWEs. Therefore one has to make sure the CWE database is already imported to the ARIS database. To do so the “Import CWE database” report can be used. Component types can be generated by using the “Create Component Type” macro. To use a component type to specify a component, a modeler has to open the component type model and copy the module type object (in Picture 4 “User Controlled Input”) and paste it in the product model. Then he or she just has to connect the component type with the component he or she wants to specify. In the RASEN package a set of predefined generic component types is contained. These component types can be imported by using the “Import Component Types” report. Note that also in this case the CWE database has to be imported first.

 

Picture 5: A component type providing a generic component of type “Networking” along with an assigned list of applicable CWEs.

As denoted in the graphic before, the networking CWE List contains two potential weaknesses (CWE-226, CWE-406) which need to be tested in order to evaluate the risk of the component and consequently the overall risk of the product.

Vignette

A vignette is a table that represents the different impacts of CWEs on different layers. Layers may cover Application Layer, System Layer, Network Layer, or Enterprise Layer. A vignette is created automatically when the Create Product Macro is used. A vignette nevertheless can be modified manually be editing the vignette model. Such a model is displayed in the following figure.

Picture 6: A vignette defining the deployment scenario for the Application Layer
 
The goal of the created product model is to represent which security issues can occur on which level. It is possible to perform an export of the model as a JSON representation. This JSON representation builds an interface to security testing components that evaluate the model and in a final step we will create a possibility to retransfer these results back to the model to give a better overview on how high the security impact is at which component always with the overall product in view.

References

[1] CWE: Common Weakness Enumeration Framework, MITRE, 2015, http://cwe.mitre.org/

21003 Views
4 Likes
4 Comments
Sorry there are no tags
There are no attachments
Manuel Zapp posted on 2015-07-20

To facilitate the use of the RASEN Methodology we illustrate how to prepare the ARIS database for the RASEN modeling approach. We attached some scripts that will make the procedure easy applicable for you.

First you will have to import the scripts "Import CWE Database.arx" and "Import Generic Component Types.arx". To do so, open the Administration Tab in ARIS Designer and go to Evaluations -> Reports. For structural reasons create a new folder "RASEN" and right-click it. Click on "Import Script..." in the context menu and select both scripts.

Now download the latest version of the CWE list from https://cwe.mitre.org/data/ (the latest version is 2.8 as of 20/07/2015). Locate it under "C:\cwec_v2.8.xml" or simply modify the first line of the "Import CWE Database" script.

/** Change this path to your needs **/
var cweXmlFilePath = "C:\\cwec_v2.8.xml";
/***********************************/

Next run the script. Now the list of CWEs should be imported to your database. You can explore the modeling structure just by opening the CWE folder in your database.

In a second step we copy the attached "functional_areas.json" to "C:\functional_areas.json" or simply modify the "Import Generic Component Types" script. The "functional_areas.json" contains a set of pre-defined component types that can be used to specify your components in the final product model.

/** Modify to your needs **/
var genericComponentTypeJsonPath = "C:\\functional_areas.json";
/*************************/

... run the script. Now the component types should be imported to folder "Generic Component Types" on your database and can be explored.
 

That's it. Your database is ready for the use of the RASEN modeling approach.

Manuel Zapp posted on 2015-07-22

Now that our database is prepared we are able to start modeling our product model. As in the last post we attached some helpful scripts that ease the modeling procedure a lot. So we first have to import the scripts "New Product.amx" and "New Component-Type.amx". To do so, open the Administration Tab in ARIS Designer and go to Evaluations -> Macros. For structural reasons create a new folder "RASEN" and right-click it. Click on "Import Script..." in the context menu and select both scripts.

To create a new product model we now just have to select our prepared database and right-click it in the navigation view. In the context menu we select Evaluate->Start macro and select "New Product" from the "RASEN" folder. First we have to define a product name, in a second step we have to fill the product vignette with values from 0-10 to define the relevance of the different impacts.

Now a product model such as a vignette model for the product is created. We can create different components in the product model of which the product itself consists. To do so we place an object of type module with a proper name and connect it to the main product object. To specify the type of the component we can use the component types we have already imported or define our own product types by using the "New Component Type" macro.

We open a manually generated or predefined component type model and copy the main object of type module type. Then we go back to the product model and paste the module type there. Now we just have to connect the placed object with the component we want to specify. Of course we can use multiply component types for a detailed specification.

Also attached: a prepared database with a sample product.

Manuel Zapp posted on 2015-08-03

To utilize our previous work, we want to explain how to export a completed product model to a JSON representation. Attached to this comment you can find a report script "JSON Export". This can be imported the same way we already explained in previous comments.

The script has to be executed on the completed product model. As a result you will obtain the JSON representation of this very model. The export scripts serves as a interface to software testing components of other vendors.

File attachments: 
Frank Werner posted on 2015-11-20

Please find a video of the RASEN Extension in action at:

http://cdn.ariscommunity.com/community2/videos/RASEN-Movie.mp4