Using argumentation to evaluate software assurance standards
Mälardalen University, School of Health, Care and Social Welfare. ORCID iD: 0000-0002-6352-4368
University of York.
2013 (English). In: Information and Software Technology, ISSN 0950-5849, E-ISSN 1873-6025, Vol. 55, no 9, p. 1551-1562. Article in journal (Refereed). Published
Abstract [en]

Context: Many people and organisations rely upon software safety and security standards to provide confidence in software intensive systems. For example, people rely upon the Common Criteria for Information Technology Security Evaluation to establish justified and sufficient confidence that an evaluated information technology product's contributions to security threats and threat management are acceptable. Is this standard suitable for this purpose?

Objective: We propose a method for assessing whether conformance with a software safety or security standard is sufficient to support a conclusion such as adequate safety or security. We hypothesise that our method is feasible and capable of revealing interesting issues with the proposed use of the assessed standard.

Method: The software safety and security standards with which we are concerned require evidence and discuss the objectives of that evidence. Our method is to capture a standard's evidence and objectives as an argument supporting the desired conclusion and to subject this argument to logical criticism. We have evaluated our method by case study application to the Common Criteria standard.

Results: We were able to capture and criticise an argument from the Common Criteria standard. Review revealed 121 issues with the analysed use of the standard. These range from vagueness in its text to failure to require evidence that would substantially increase confidence in the security of evaluated software.

Conclusion: Our method was feasible and revealed interesting issues with using a Common Criteria evaluation to support a conclusion of adequate software security. Considering the structure of similar assurance standards, we see no reason to believe that our method will not prove similarly valuable in other applications.

© 2013 Elsevier B.V. All rights reserved.

Place, publisher, year, edition, pages
2013. Vol. 55, no 9, p. 1551-1562
Keywords [en]
Assessing standards, Assurance arguments, Common Criteria, Safety standards, Security standards
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:mdh:diva-18676
DOI: 10.1016/j.infsof.2013.02.008
ISI: 000321168700002
Scopus ID: 2-s2.0-84893682104
OAI: oai:DiVA.org:mdh-18676
DiVA, id: diva2:613505
Available from: 2013-03-28 Created: 2013-03-28 Last updated: 2017-12-06. Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Graydon, Patrick
