A research project with experimental tools and supporting web pages.
The Security Engineering (SE) workbench is a Research Project to improve the study and practice of Security Engineering through Information-Driven Security Analysis.
Project Description:
|
Project Overview
|
What’s New
|
|
Related article in IEEE Computer
|
|
CS2023: ACM/IEEE-CS/AAAI Curricula - Security Knowledge Area
|
|
Reference Documents
|
Project Status: Continuous Integration / Continuous Deployment (CI/CD)
Terms of Use: See the bottom of this page.
Feedback: Send a note to the email address at the bottom of this page to help improve this project by: describing your interest in the SE Workbench, explaining how you use the tools and webpages, or offering comments and suggestions.
Software Requirements: The Project pages are viewable with any web browser. The Project tool pages (DataTables and Explorers) are tested with Firefox and Safari browsers on both desktop and mobile platforms. Other browsers may have difficulty rendering Project tool data because of their limitations in parsing XML data. All reported issues will be investigated.
Navigation:
|
Primer
|
Data Tables
|
Explorer Tools
|
Security Engineering is a sub-discipline of Systems Engineering that is concerned with the trustworthiness and resilience of information systems in operational environments that may contain vulnerabilities, weaknesses, theats, threat actors and threat agents.
Security Engineering Overview:
|
Concepts
|
Terminology
|
Analytical Model
|
The SE-workbench is a collection of software tools and information sources in support of the study and practice of Security Engineering. The software tools enable and assist with several forms of Information Driven Security Analysis.
Security Analysis Concepts:
|
Analysis Process
|
Analysis Tasks
|
Security Engineers who perform security analysis tasks rely on accumulated information about system weaknesses, security attacks and best practices for security controls. Commonly referenced information sources include: NIST SP800-53 which contains information about Security Controls; MITRE CWE which contains information about weaknesses and vulnerabilities commonly found in information systems; MITRE CAPEC which contains information about actor behaviors and actions associated with security attacks; and Common Criteria 2022 R1 which contains information about security design and evaluation requirements. Together, these data sets provide a foundation for Information Driven Security Analysis.
Automation for Security Information Sources: Automation can transform basic information security sources into interactive resources for security engineers. As an illustration of basic automation, compare the content and search capabilities from the webpages for the security information sources provided above, with the content, filtering, sorting and search capabilities in the data tables available at the links below.
Basic Data Tables:
|
NIST SP800-53 R5.1
|
|
MITRE CWE V4.14
|
MITRE CAPEC V3.9
|
|
Common Criteria 2022 R1
|
The SE-workbench tools further extend the basic data tables to support indepth security analysis. The tools provide the ability to manipulate, aggregate, correlate and visualize security information from several points of view. The tools also provide the capability to create artifacts to support security analysis tasks. These capabilities help students gain knowledge and experience with critical thinking and situational analysis for complex security issues and scenarios. Currently there are three tools: Security Control Explorer, Security Vulnerability Explorer and Security Attack Explorer. A fourth tool is being developed: Security Design Explorer. All of the tools are built on a common User Interface (UI). The tools allow for customized selection, display and export of information relevant to a range of Security Analysis tasks. A brief tutorial and sample exercises are provided for each tool.
| Security Explorer Tool Design |
This tool organizes and displays the security and privacy controls from NIST SP800-53, their connections with ISO27001 along with the security capabilities from the NIST Cybersecurity Framework and links to authoritative security reference documents. The entries can be selected, filtered and searched by title, family, impact baseline, control type and text reference. Entries of interest can be exported in PDF, CSV, or Print format. There is an option to Export a detailed worksheet (CSV) suitable for use in Security Controls Baselines and Assessments. The current version of the SCE tool is based on NIST SP800-53 R5.1.
| SCE Tutorial | SCE Tool | SCE Exercises |
This tool organizes and displays security weaknesses and vulnerabilities from MITRE Common Weakness Enumeration (CWE), relationship to published lists such as OWASP, connections to NIST Vulnerability Database (NVD), along with analytical insights and correlation from other information sources. The entries can be selected, filtered and searched. Entries of interest can be exported in PDF, CSV, or Print format. There is an option to Export a detailed worksheet (CSV) suitable for use in Security Vulnerability Assessments and Investigations. The current version of the SVE tool is based on MITRE CWE Version 4.14.
| SVE Tutorial | SVE Tool | SVE Exercises |
This tool organizes and displays security attack patterns from MITRE Common Attack Pattern Enumeration and Classification (CAPEC), along with: connections to MITRE Common Weaknesses (CWE), exploitation techniques from MITRE Attack (ATT&CK), recommended test and assurance strategies. Each attack is ranked by typical severity and likelihood, with links to additional detail and information sources. The entries can be selected, filtered and searched. Entries of interest can be exported in PDF, CSV, or Print format. There is an option to Export a detailed worksheet (CSV) suitable for use in Security Threat/Attack Models and Assessments. The current version of the SAE tool is based on MITRE CAPEC Version 3.9.
| SAE Tutorial | SAE Tool | SAE Exercises |
This tool organizes and displays information from Common Criteria Security Functional Requirements. The requirements are grouped and mapped to security subsystems and components. Security subsystems and components are a logical representation of architecture used in design and evaluation of security capabilities of systems. The requirements can be selected, filtered and searched. Entries of interest can be exported in PDF, CSV, or Print format. There is an option to Export a detailed worksheet (CSV) suitable for use in system development. The SDE tool is based on Common Criteria 2022 Release 1.
Status: Under Construction
| SDE Tutorial | SDE Tool (alpha version) | SDE Exercises |
TERMS OF USE: THE SE-WORKBENCH WEB PAGES AND TOOLS ARE PROVIDED FOR EDUCATION AND RESEARCH PURPOSES. THE CONTENT OF THE SE-WORKBENCH IS PROVIDED ON “AS IS” BASIS WITH NO COMMITMENT TO AVAILABILITY OR CORRECTNESS. ANY USE OF THE CONTENT OF THE SE-WORKBENCH PROJECT IS SUBJECT TO THE CONDITIONS AND DISCLAIMERS LISTED BELOW.
CONDITIONS: ATTRIBUTION OF USE. NO REVERSE ENGINEERING. NO DERIVATIVE WORKS. NOT TO BE USED IN SUPPORT OF ILLEGAL ACTIVITY.
DISCLAIMER: ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
MITRE CAPEC is free to use by any organization or individual for any research, development, and/or commercial purposes, per these MITRE CAPEC Terms of Use.
MITRE CWE is free to use by any organization or individual for any research, development, and/or commercial purposes, per these MITRE CWE Terms of Use.
MITRE ATT&CK MITRE grants a non-exclusive, royalty-free license to use ATT&CK® for research, development, and commercial purposes, per these MITRE ATTACK Terms of Use.
NIST SP800-53R5 publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST. See page i of NIST SP800-53R5 Document.
Contact Information: se.workbench@gmail.com
Project Last Updated: 21 March 2024