Configuration Management in Security related Software Engineering Processes

IT-Security requires specific enhancements and tailoring during the complete life cycle of the product or system, including a security focused SW-engineering process. One of the key technologies to manage the software engineering process is the use of a tool driven Software Configuration Management. Software Configuration Management (SCM)[10] is an aspect of establishing that the functional requirements and specifications are realised in the implementation during the whole life cycle. SCM is the activity of controlling the software product by managing the versions of all components and their relationships. It is one of the fundamental activities of software engineering in general and becomes most important in the development of high assurance software as in IT-Security. This paper demonstrates, that the management of the whole software life cycle using SCM guarantees the traceability from the requirements specification (phase) via the design and the implementation phases to the final software product and maintenance phases by coordinating/controlling the changes in all phases of the software engineering process. Using SCM with defined roles and access control enables the implementation of security measures to manage the software engineering process in a defined and controlled way. Thereby the assurance of the development process itself will be improved. This paper discusses basic requirements of a Software Configuration Management System to suit the field of IT-Security. The scope of these requirements extends from quality standards, such as the ISO9000, to the specifics in general acccepted "ITSecurity Evaluation Criteria", such as the ITSEC (Information Technology Security Evaluation Criteria)[6] and the CC (Common Criteria)[2]. A first approach to a maturity model for SCM in IT-Security will be given.