[SystemSafety] "Security Risk" and Probability

Martyn Thomas martyn at 72f.org
Thu Nov 2 19:54:01 CET 2017 

How can software be safe and not secure? Only by having no safety function?

Martyn

> On 2 Nov 2017, at 18:30, Chris Hills <safetyyork at phaedsys.com> wrote:
> 
> It is a question of levels. 
> 
> At the base level the quality of the SW is that it is robust and does exactly what is intended no more and no less. 
> This is why MISRA-C now applies to security as much as to safety. 
> 
> However, the functional aspects of the source code can be safe but not secure, secure but not safe.
> In some cases (most I would venture) it is neither safe nor secure.
> 
> Software that is both safe and secure I would suggest is very rare as the requirements and design for a safe and secure system may be mutually exclusive or chasing different goals such that compromised must be made.   
> 
> Back to the base level that once those compromises and design decisions have been made then the software should fore fill  them precisely and reliably under all conditions.
> 
> Poor software can make a system insecure and unsafe. 
> High quality software cannot on its own make a system either safe or secure. 
> 
> -----Original Message-----
> From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bernard Ladkin
> Sent: Thursday, October 26, 2017 8:15 AM
> To: systemsafety at lists.techfak.uni-bielefeld.de
> Subject: Re: [SystemSafety] "Security Risk" and Probability
> 
> Following on from my blog post yesterday about people's attempts to equate SILs, a safety requirement, with SLs, a security requirement, the question remains why one might want to try to do so. An evident motivation might be that both entail requirements on code quality. A higher SIL and a higher SL both require higher-quality code.
> 
> I give a simple example in
> https://abnormaldistribution.org/index.php/2017/10/26/code-quality-for-safety-and-code-quality-for-security/
> of a design which has perfect code quality for safety properties and poor code quality for security properties. Code quality cannot be measured on one ordinal scale. It is multi-dimensional.
> 
> That vitiates any argument through code quality for wanting to equate SILs with SLs.
> 
> That code quality is parametrised by properties is obvious when you think about it. You write down the list of properties P you want the code to fulfil and maybe it fulfils them. That doesn't necessarily say anything about whether the code fulfils a completely different list of properties P'. But people do seem to forget it frequently.
> 
> PBL
> 
> Prof. Peter Bernard Ladkin, Bielefeld, Germany MoreInCommon Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
> 
> 
> 
> 
> 
> 
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE

More information about the systemsafety mailing list