Security goal indicator trees: A model of software features that supports efficient security inspection

We analyze the specific challenges of inspecting software development documents for security: Most security goals are formulated as negative (i.e. avoidance) goals, and security is a non-local property of the whole system. We suggest a new type of model for security-relevant features to address these challenges. Our model, named Security Goal Indicator Tree (SGIT), maps negative and non-local goals to positive, concrete features of the software that can be checked during an inspection. It supports inspection of software documents from various phases of the development process. An SGIT links a security goal with numerous indicators (which may be beneficial or detrimental for the achievement of the goal) and structures the set of indicators by Boolean and conditional relationships enabling an efficient selection of indicator subsets. We present SGIT examples, explain how to use them in an inspection, give advice on creating SGITs, and give an outlook on how SGITs will be embedded in a comprehensive method for software security inspection.