Immunity Requirements
An immunity requirement is any security requirement that specifies a required amount of immunity, which is a quality factor that is defined as follows:
- Immunity
  - 1) adj. [quality factor] the degree to which something protects itself from infection by unauthorized malicious programs (e.g., computer viruses, worms, Trojan horses, malicious scripts).
  - 2) n. the means by which something protects itself from infection by unauthorized malicious programs.
The typical objectives of an immunity requirement are to:
- Prevent malicious programs from destroying or damaging data and applications.
- Prevent unauthorized users or programs from accessing restricted data and services.
Immunity requirements are typically specified in terms of the following measurements:
- Minimum percentage of malicious programs identified.
- Minimum percentage of malicious programs prevented from causing infection.
- Minimum percentage of malicious programs cured (e.g., removed from the infected machine).
The following are typical examples of immunity
requirements:
- Scanning— “The application shall
scan all entered or downloaded data and software against the
published definitions of known computer viruses, worms, and
Trojan horses.”
- Disinfection— “If possible, the
application shall disinfect any data or software found to
contain such a harmful program.”
- Prevention— “The application
shall delete the infected file if it cannot disinfect the
infected data or software.”
- Current Definitions— “The
application shall daily update its list of published
definitions of known harmful programs.”
- Notification— “The application
shall notify a member of the security team if it detects a
harmful program during a scan.”
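The measurements above and the example requirements (scan, disinfect if possible, otherwise delete, notify the security team) only become verifiable once they are expressed as something a test can compute. The following is an added example, not part of the original page: a constructed corpus of malicious samples is passed through the handling policy the example requirements describe, the three immunity measurements are computed from the outcomes, and the result is compared with assumed minimum percentages. The sample names, the `ScanOutcome` fields, and the `MINIMUMS` thresholds are assumptions made for the example.

```python
"""Added example (not from the original page): evaluating immunity
requirements against a constructed set of scan outcomes."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ScanOutcome:
    """One malicious sample presented to the application under test (constructed)."""
    name: str
    agent: str            # virus / worm / trojan horse / malicious script
    source: str           # e-mail / file / input data
    identified: bool      # did the scan flag the sample against the published definitions?
    disinfectable: bool   # could the harmful code be removed, leaving usable data?


@dataclass
class HandlingResult:
    name: str
    action: str                 # "disinfected", "deleted" or "missed"
    infection_prevented: bool
    cured: bool
    notified: bool


def handle(outcome: ScanOutcome) -> HandlingResult:
    """Apply the page's example requirements to one sample:
    identified -> disinfect if possible, else delete; notify the security team on detection."""
    if not outcome.identified:
        # A missed sample reaches the system: not prevented, not cured, nobody notified.
        return HandlingResult(outcome.name, "missed", False, False, False)
    if outcome.disinfectable:
        return HandlingResult(outcome.name, "disinfected", True, True, True)
    # Disinfection impossible: delete the infected file. The infection is
    # prevented, but the data is lost rather than cured.
    return HandlingResult(outcome.name, "deleted", True, False, True)


def immunity_measurements(outcomes: List[ScanOutcome]) -> Dict[str, float]:
    """Return the three immunity measurements as percentages of the
    malicious programs presented to the application."""
    results = [handle(o) for o in outcomes]
    total = len(results)
    if total == 0:
        raise ValueError("no malicious samples presented")

    def pct(count: int) -> float:
        return 100.0 * count / total

    return {
        "identified": pct(sum(o.identified for o in outcomes)),
        "prevented": pct(sum(r.infection_prevented for r in results)),
        "cured": pct(sum(r.cured for r in results)),
    }


def check_requirement(measurements: Dict[str, float], minimums: Dict[str, float]) -> List[str]:
    """Return the names of the measurements that fall below the minimum
    percentage the requirement demands (empty list means the requirement is met)."""
    return sorted(m for m, floor in minimums.items() if measurements[m] < floor)


# Constructed corpus: ten samples spanning the agent and source dimensions.
SAMPLES = [
    ScanOutcome("v1", "virus", "e-mail", True, True),
    ScanOutcome("v2", "virus", "file", True, True),
    ScanOutcome("w1", "worm", "e-mail", True, False),       # detected, must be deleted
    ScanOutcome("w2", "worm", "input data", True, True),
    ScanOutcome("t1", "trojan horse", "file", True, False),  # detected, must be deleted
    ScanOutcome("t2", "trojan horse", "e-mail", True, True),
    ScanOutcome("s1", "malicious script", "input data", True, True),
    ScanOutcome("s2", "malicious script", "e-mail", True, True),
    ScanOutcome("s3", "malicious script", "file", True, True),
    ScanOutcome("v3", "virus", "file", False, True),         # not in the definitions: missed
]

# Assumed minimum percentages for the requirement under test.
MINIMUMS = {"identified": 99.0, "prevented": 99.0, "cured": 50.0}


if __name__ == "__main__":
    m = immunity_measurements(SAMPLES)
    for name, value in m.items():
        print(f"{name:>10}: {value:5.1f}% (minimum {MINIMUMS[name]:.1f}%)")
    shortfalls = check_requirement(m, MINIMUMS)
    print("requirement met" if not shortfalls else f"shortfalls: {shortfalls}")
```

On the constructed corpus the scanner identifies and prevents 90% of the samples but cures only 70%, because the two deleted files count toward prevention and not toward cure. Keeping the three measurements separate is what lets a requirement demand near-complete prevention while tolerating a lower cure rate, and a missed sample is the one case that fails all three at once.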
The following guidelines have been found to be useful when
producing immunity requirements:
- The scope of an immunity requirement can be:
- Immunity requirements can be identified and specified in terms of the following:
| Component of Requirement | Possible Values |
| --- | --- |
| Infectious Agent | Virus; Worm; Trojan Horse; Malicious Script |
| Source | E-mail; File; Input Data |
| State | Normal Processing; Degraded Mode; Under Attack |
| Measurement | Minimum percentage of malicious programs identified; Minimum percentage of malicious programs prevented from causing infection; Minimum percentage of malicious programs cleaned (removed) |
- Use misuse cases to perform security threat analysis and security use cases to analyze and specify security requirements.
- Applications can partially delegate immunity requirements
to their containing data centers, but only if those data
centers provide (and will continue to provide) adequate
security mechanisms to fulfill the requirements. This may be
a legitimate architectural decision under certain
circumstances.
- Immunity requirements should
not be specified in terms of the types of
security architecture mechanisms that are typically used to
implement them:
- Commercial-off-the-shelf (COTS) antivirus
programs.
- Firewalls.
- Prohibition of type-unsafe languages (e.g., C) that may
allow buffer overflows that contain malicious scripts.
- Programming standards (e.g., for ensuring type safety
and array bounds checking).