Hardware security risk assessment: A case study

2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) Pub Date : 2016-05-03 DOI:10.1109/HST.2016.7495579

Brent Sherman, David M. Wheeler

{"title":"Hardware security risk assessment: A case study","authors":"Brent Sherman, David M. Wheeler","doi":"10.1109/HST.2016.7495579","DOIUrl":null,"url":null,"abstract":"The security demands on development teams are growing in direct proportion to the security incidents discovered and leveraged in computer crime and cyber warfare every day. There is ongoing research to increase the effectiveness of security defect detection and penetration testing of products, but where the literature is thin, is in actual case studies that apply security assurance processes in a large-scale hardware-centric environment. This paper adds to the literature by providing an actual case study of hardware security assurance practices using a sample size of 151 projects. Furthermore, it documents and analyzes the efficacy of deploying selective automation using quantitative weighted risk ratings of the Security Development Lifecycle (SDL) to hardware projects, including strategic reuse of existing SDL collaterals for derivative projects. The evaluated methodology provided acceptable accuracy and labor savings, but the results indicate that automation focusing on assignment of a quantitative risk scoring introduces a dilution of real security concerns; instead, an approach using qualitative analysis and assignment of security assurance tasks is more beneficial.","PeriodicalId":194799,"journal":{"name":"2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HST.2016.7495579","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

The security demands on development teams are growing in direct proportion to the security incidents discovered and leveraged in computer crime and cyber warfare every day. There is ongoing research to increase the effectiveness of security defect detection and penetration testing of products, but where the literature is thin, is in actual case studies that apply security assurance processes in a large-scale hardware-centric environment. This paper adds to the literature by providing an actual case study of hardware security assurance practices using a sample size of 151 projects. Furthermore, it documents and analyzes the efficacy of deploying selective automation using quantitative weighted risk ratings of the Security Development Lifecycle (SDL) to hardware projects, including strategic reuse of existing SDL collaterals for derivative projects. The evaluated methodology provided acceptable accuracy and labor savings, but the results indicate that automation focusing on assignment of a quantitative risk scoring introduces a dilution of real security concerns; instead, an approach using qualitative analysis and assignment of security assurance tasks is more beneficial.

查看原文本刊更多论文

硬件安全风险评估:一个案例研究

对开发团队的安全需求与每天在计算机犯罪和网络战争中发现和利用的安全事件成正比。目前正在进行研究，以提高产品的安全缺陷检测和渗透测试的有效性，但是在文献较少的地方，是在大规模以硬件为中心的环境中应用安全保证过程的实际案例研究中。本文通过使用151个项目的样本大小提供硬件安全保证实践的实际案例研究来补充文献。此外，它记录并分析了使用安全开发生命周期(SDL)的定量加权风险评级对硬件项目部署选择性自动化的有效性，包括对衍生项目的现有SDL抵押品的战略性重用。评估的方法提供了可接受的准确性和劳动力节约，但是结果表明，专注于定量风险评分分配的自动化引入了对实际安全问题的稀释;相反，使用定性分析和安全保证任务分配的方法更有益。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

自引率

0.00%

发文量