Software Security Mapping Framework: Operationalization of Security Requirements
- URL: http://arxiv.org/abs/2506.11051v1
- Date: Thu, 22 May 2025 06:34:48 GMT
- Title: Software Security Mapping Framework: Operationalization of Security Requirements
- Authors: Sung Une Lee, Liming Dong, Zhenchang Xing, Muhammad Ejaz Ahmed, Stefan Avgoustakis,
- Abstract summary: The Software Security Mapping Framework is a structured solution designed to operationalize security requirements across hierarchical levels.<n>The framework systematically maps 131 refined security requirements to over 400 actionable operational steps spanning the software development lifecycle.<n>It is grounded in four core security goals: Secure Software Environment, Secure Software Development, Software Traceability, and Vulnerability Management.
- Score: 12.04694982718246
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The escalating complexity of modern software development environments has heightened concerns around supply chain security. However, existing frameworks often fall short in translating abstract security principles into concrete, actionable practices. This paper introduces the Software Security Mapping Framework, a structured solution designed to operationalize security requirements across hierarchical levels -- from high-level regulatory standards (e.g., ISM, Australia cybersecurity standard published by the Australian Signals Directorate), through mid-level frameworks (e.g., NIST SSDF, the U.S. Secure Software Development Framework), to fine-grained technical activities (e.g., SLSA, a software supply chain security framework). Developed through collaborative research with academic experts and industry practitioners, the framework systematically maps 131 refined security requirements to over 400 actionable operational steps spanning the software development lifecycle. It is grounded in four core security goals: Secure Software Environment, Secure Software Development, Software Traceability, and Vulnerability Management. Our approach leverages the KAOS goal modeling methodology to establish traceable linkages between strategic goals and tactical operations, enhancing clarity, accountability, and practical implementation. To facilitate adoption, we provide a web-based navigation tool for interactive exploration of the framework. A real-world case study based on the Log4j vulnerability illustrates the framework's utility by generating a tailored checklist aligned with industry best practices. Additionally, we offer a structured, machine-readable OSCAL Catalog Model of the Software Security Mapping Framework, enabling organizations to automate implementation, streamline compliance processes, and respond effectively to evolving security risks.
Related papers
- OpenAgentSafety: A Comprehensive Framework for Evaluating Real-World AI Agent Safety [58.201189860217724]
We introduce OpenAgentSafety, a comprehensive framework for evaluating agent behavior across eight critical risk categories.<n>Unlike prior work, our framework evaluates agents that interact with real tools, including web browsers, code execution environments, file systems, bash shells, and messaging platforms.<n>It combines rule-based analysis with LLM-as-judge assessments to detect both overt and subtle unsafe behaviors.
arXiv Detail & Related papers (2025-07-08T16:18:54Z) - Enhancing Software Supply Chain Security Through STRIDE-Based Threat Modelling of CI/CD Pipelines [1.3535770763481907]
This study applies a structured threat modeling approach to identify and mitigate risks throughout the Continuous Integration/ Continuous Deployment lifecycle.<n>Threats are documented and to comprehensive security controls drawn from standards like NIST SP 800-218, Top 10 CI/CD risks, and the SLSA framework.<n>This approach provides a pragmatic roadmap for enhancing CI/CD pipeline security against evolving software supply chain threats.
arXiv Detail & Related papers (2025-06-06T19:06:59Z) - Towards provable probabilistic safety for scalable embodied AI systems [79.31011047593492]
Embodied AI systems are increasingly prevalent across various applications.<n> Ensuring their safety in complex operating environments remains a major challenge.<n>We introduce provable probabilistic safety, which aims to ensure that the residual risk of large-scale deployment remains below a predefined threshold.
arXiv Detail & Related papers (2025-06-05T15:46:25Z) - LLM Agents Should Employ Security Principles [60.03651084139836]
This paper argues that the well-established design principles in information security should be employed when deploying Large Language Model (LLM) agents at scale.<n>We introduce AgentSandbox, a conceptual framework embedding these security principles to provide safeguards throughout an agent's life-cycle.
arXiv Detail & Related papers (2025-05-29T21:39:08Z) - Designing Control Barrier Function via Probabilistic Enumeration for Safe Reinforcement Learning Navigation [55.02966123945644]
We propose a hierarchical control framework leveraging neural network verification techniques to design control barrier functions (CBFs) and policy correction mechanisms.<n>Our approach relies on probabilistic enumeration to identify unsafe regions of operation, which are then used to construct a safe CBF-based control layer.<n>These experiments demonstrate the ability of the proposed solution to correct unsafe actions while preserving efficient navigation behavior.
arXiv Detail & Related papers (2025-04-30T13:47:25Z) - Integrating DAST in Kanban and CI/CD: A Real World Security Case Study [2.3480418671346164]
Web application attacks and exploited vulnerabilities are rising.<n>It is increasingly crucial to integrate security into modern development practices.<n>It is challenging to adopt security practices and activities in modern development practices.
arXiv Detail & Related papers (2025-03-27T19:46:05Z) - Operationalizing Cybersecurity Knowledge: Design, Implementation & Evaluation of a Knowledge Management System for CACAO Playbooks [0.29998889086656577]
cybersecurity playbooks are key enablers, providing a structured, reusable, and continuously improving approach to incident response.<n>The emerging Collaborative Automated Course of Action Operations (CACAO) standard defines a common machine-processable schema for cybersecurity playbooks.<n>This work presents the design, development, and evaluation of a Knowledge Management System (KMS) for managing CACAO cybersecurity playbooks.
arXiv Detail & Related papers (2025-03-07T07:54:43Z) - AISafetyLab: A Comprehensive Framework for AI Safety Evaluation and Improvement [73.0700818105842]
We introduce AISafetyLab, a unified framework and toolkit that integrates representative attack, defense, and evaluation methodologies for AI safety.<n> AISafetyLab features an intuitive interface that enables developers to seamlessly apply various techniques.<n>We conduct empirical studies on Vicuna, analyzing different attack and defense strategies to provide valuable insights into their comparative effectiveness.
arXiv Detail & Related papers (2025-02-24T02:11:52Z) - Integrating Cybersecurity Frameworks into IT Security: A Comprehensive Analysis of Threat Mitigation Strategies and Adaptive Technologies [0.0]
The cybersecurity threat landscape is constantly actively making it imperative to develop sound frameworks to protect the IT structures.<n>This paper aims to discuss the application of cybersecurity frameworks into the IT security with focus placed on the role of such frameworks in addressing the changing nature of cybersecurity threats.<n>The discussion also singles out such technologies as Artificial Intelligence (AI) and Machine Learning (ML) as the core for real-time threat detection and response mechanisms.
arXiv Detail & Related papers (2025-02-02T03:38:48Z) - Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z) - An Introduction to Adaptive Software Security [0.0]
This paper presents an innovative approach integrating the MAPE-K loop and the Software Development Life Cycle (SDLC)
It proactively embeds security policies throughout development, reducing vulnerabilities from different levels of software engineering.
arXiv Detail & Related papers (2023-12-28T20:53:11Z) - Evaluating Model-free Reinforcement Learning toward Safety-critical
Tasks [70.76757529955577]
This paper revisits prior work in this scope from the perspective of state-wise safe RL.
We propose Unrolling Safety Layer (USL), a joint method that combines safety optimization and safety projection.
To facilitate further research in this area, we reproduce related algorithms in a unified pipeline and incorporate them into SafeRL-Kit.
arXiv Detail & Related papers (2022-12-12T06:30:17Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.