CryptSDLC: Embedding Cryptographic Engineering into Secure Software Development Lifecycle

Title

CryptSDLC: Embedding Cryptographic Engineering into Secure Software Development Lifecycle

Authors

Thomas Lorünser (AIT), Thomas Länger (UNIL), Henrich Poehls and Leon Sell (PASSAU)

Abstract

Application development for the cloud is already challenging because of the complexity caused by the ubiquitous, interconnected, and scalable nature of the cloud paradigm. But when modern secure and privacy aware cloud applications require the integration of cryptographic algorithms, developers even need to face additional challenges: An incorrect application may not only lead to a loss of the intended strong security properties but may also open up additional loopholes for potential breaches some time in the near or far future. To avoid these pitfalls and to achieve dependable security and privacy by design, cryptography needs to be systematically designed into the software, and from scratch. We present a system architecture providing a practical abstraction for the many specialists involved in such a development process, plus a suitable cryptographic software development life cycle methodology on top of the architecture. The methodology is complemented with additional tools supporting structured inter–domain communication and thus the generation of consistent results: cloud security and privacy patterns, and modelling of cloud service level agreements. We conclude with an assessment of the use of the Cryptographic Software Design Life Cycle (CryptSDLC) in a EU research project.

Venue

The 5th International Workshop on Software Assurance ARES SAW 2018 (https://www.ares-conference.eu/workshops/saw-2018/)

Place and Date

August 27 – 30, 2018, Hamburg, Germany