Deeds101 / CYBR8420-project


Claim Assurance Case #1 - Login Credential Security #22

Closed Atmcalpine closed 12 months ago

Atmcalpine commented 1 year ago

Still working through my claim diagram with evidence, inference, and additional rebuttals/sub-claims to be added. As such, I just wanted to share this image as an update on the current status of the diagram.

image

DoomDragoon commented 1 year ago

Great start!

Atmcalpine commented 1 year ago

I added an inference rule, but now I need to incorporate the evidence, any relevant undermining callouts, and further evaluate the diagram for additional sub-claims/rebuttals.

image

DoomDragoon commented 1 year ago

What is the inference rule? I don't remember that from the lectures. Maybe I need to watch them again.

Atmcalpine commented 1 year ago

What is the inference rule? I don't remember that from the lectures. Maybe I need to watch them again.

Inference rules are explicit if-then statements that are at the bottom of the assurance case versus the implicit rules generally described. The professor starts discussing those on slide 92.

Atmcalpine commented 1 year ago

I added some potential evidence that I can leverage, but I want to assess these further for potential undermining opportunities and additional rebuttals/claims that could be evaluated.

image

Question: Encryption was one of the types of evidence I'm pointing towards in multiple locations. Do you think these need to be unique to each branch (e.g., E1, E2, etc.) or can I reference the same evidence item for each branch (e.g., E1 for all) -- See E3 and E4?

Atmcalpine commented 1 year ago

Assurance Case versus OSS Comparison: --[Draft of Comparison -- In Progress] Completion of the assurance case diagram, noted above, determined a number of potential weaknesses/controls needed to ensure password management controls are operating effectively that were not originally captured/identified within the OSS diagram. These include database controls... Analysis of this assurance case determined that password management controls were largely effective to prevent unauthorized personnel from accessing user accounts and associated data elements within the ITFLOW application.

Cojajomaco commented 1 year ago

Nice work so far! Did you find all of these evidence pieces for your assurance claims already?

Potential rebuttals...
Passwords are sufficiently managed ->
Unless access is lost
Unless the database is corrupted

Then for Rebuttal R5 you could include the database being encrypted as a sub-claim if you can find sufficient evidence to support this.

Atmcalpine commented 1 year ago

Thanks for the feedback. I pulled my evidence pieces for my claims and have links to where I found each of the pieces within my diagram; however, they don't show up on the picture.

Regarding the potential rebuttals:

That's a good callout for Rebuttal R5. I saw that they have encryption enabled for the database, but I was debating whether it made sense to pull in here.

Cojajomaco commented 1 year ago

Sounds good - and maybe it doesn’t make sense from a software assurance standpoint, but since the application is web based I was thinking from the mindset of if the application is unavailable then how would passwords be managed still? I offset this worry for myself by utilizing backup features to keep encrypted offline copies of my data.

On Oct 2, 2023, at 5:18 PM, Atmcalpine @.***> wrote:

Thanks for the feedback. I pulled my evidence pieces for my claims and have links to where I found each of the pieces within my diagram; however, they don't show up on the picture.

Regarding the potential rebuttals:

When you say "unless access is lost" - do you mean access to the system such as a network type of issue or are you thinking more of a situation where the user's account is accidentally deleted? I'll take a look at pulling in database corruption into the diagram. I know one question I had for the professor is if someone on the team is working on a diagram that would address one of the claims, is there a way we can just reference that separate diagram. My hope is that we can do this to avoid potential duplicative efforts.

That's a good callout for Rebuttal R5. I saw that they have encryption enabled for the database, but I was debating whether it made sense to pull in here.


Atmcalpine commented 1 year ago

Currently, in the process of updating diagram based on comments from professor.

image

To do:
(1) Need to consider how to make claim more specific
(2) Need to adjust claims to focus more on the how versus listing features
(3) Reference Team diagrams where possible
(4) Need to ensure claims are security focused

Potential Issues/Concerns:
(1) I can't seem to find a system integrated control to address the potential risk of not maintaining the access matrix. I see this as falling outside of the system, and reliant on the user/organization leveraging the system, but let me know if you come across something that might address this.
(2) There is a concern that files supporting the application can become compromised. I need to assess this further to determine the controls. Since this is a web-based application the risk might be limited; however, as the application can be downloaded within a network there may still be a risk here.

Atmcalpine commented 12 months ago

Attached updated diagram

image

DoomDragoon commented 12 months ago

The box you have where it says "See database assurance case" should be split off into a circle. It should say something like "Database security assurance case" as the evidence is the assurance case, not the claim.

Atmcalpine commented 12 months ago

Updated references to other assurance cases.

image

Atmcalpine commented 12 months ago

Completed assurance case diagram and evidence documentation.