<a href="https://colab.research.google.com/github/emilyclifton/Security/blob/main/SoftwareSecurityPlanning.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Software Security Planning
Emily Clifton

CS6387-50

## Instructions


Students will hand in planning documents for a hypothetical software project.


1.   Select any software project you want. Describe your hypothetical project in some detail. A few paragraphs should be enough. It could be a web application, a desktop application, embedded software, etc.
2.   Requirements analysis document(s) including a requirements traceability matrix.
3.   List of security requirements

Those are the minimum for this assignment. The concept is secure requirements analysis and design. Other things you may add:



1.   Addressing one of the OWASP lists in your design.
2.   Integrating specific coding standards such as CERT.



# Embedded Software: Secure Home Automation System

## Description:

This secure home automation system is designed to provide users with the convenience of controlling various smart devices within their home through a centralized embedded software platform. This system will enable users to manage devices such as lights, thermostats, appliances, security cameras, and door locks from a mobile application, offering seamless integration of home automation functionalities. The embedded software will act as the central controller, ensuring reliable communication and coordination between the smart devices and the user's mobile app. By leveraging secure communication protocols, the system aims to prevent unauthorized access and ensure the integrity and confidentiality of data transmitted between devices.

The primary functional requirements of the system include device control, status monitoring, and automation rules. Users will be able to turn devices on and off, adjust settings, and monitor the status of their smart devices in real-time through the app. Automation rules will allow the users to set predefined actions based on specific triggers, such as turning on the lights when motion is detected or adjusting the thermostat based on the time of day. The system will support a wide range of smart devices, ensuring compatibility and ease of use for the end user.

For the non-functional requirements, the secure home automation system will prioritize reliability, performance, and security. The embedded software must provide consistent and dependable device control and monitoring, with minimal latency and high responsiveness to user commands. Performance is crucial to ensure that the system can handle multiple devices and simultaneous user interactions without degradation in quality. Security will be a paramount consideration, with robust measures implemented to protect the system from potential vulnerabilities and threats.

To achieve the necessary level of security, the system will incorporate several key features based on CERT Coding Standards and OWASP guidelines. Secure communication between devices and the central controller will be established using encryption protocols, ensuring that data transmitted over the network is protected from eavesdropping and tampering. Device authentication mechanisms will prevent unauthorized devices from connecting to the system, safeguarding against potential intrusions. The mobile app will require user authentication to access the system, adding an extra layer of protection for sensitive user data and device controls. Additionally, the system will be designed to mitigate common IoT vulnerabilities, such as those identified by the OWASP IoT Top Ten, through rigorous security testing and adherence to best practices in secure software development. Robust input validation, secure coding practices, and regular software updates will further enhance the security and resilience of the home automation system.

## Requirements Analysis

### Functional Requirements:



1.   **Device Control:**
   *   Users can turn devices on or off remotely via the mobile app.
   *   Users can adjust settings (e.g., dimming lights, changing thermostat temperature).

2.   **Status Monitoring:**
   *   The system provides real-time status updates of all connected devices.
   *   Users receive notifications of any status changes or alerts from devices.

3.   **Automation Rules:**
   *   Users can create, modify, and delete automation rules (e.g., if motion detected, turn on lights).
   *   The system supports scheduling for automation tasks.



### Non-functional Requirements:

1. **Reliability:**
   *   The system must have an uptime of 99.9%.
   *   Ensure consistent and dependable device control and monitoring.

2. **Performance:**
   *   The system should handle up to 50 devices simultaneously.
   *   Commands should be executed with a latency of less than 200 milliseconds.

3. **Security:**
   *   Implement end-to-end encryption for all communications.
   *   Ensure secure user authentication for mobile app access.
   *   Regularly update the software to patch any known vulnerabilities.

### Requirements Traceability Matrix

| Requirement ID | Description                           | Functional / Non-functional | Trace to Security Requirement               |
|----------------|---------------------------------------|-----------------------------|---------------------------------------------|
| FR1            | Remote device on/off control          | Functional                  | SR1, SR3, SR4, SR6                          |
| FR2            | Adjust device settings                | Functional                  | SR1, SR3, SR4, SR6                          |
| FR3            | Real-time status updates              | Functional                  | SR1, SR3, SR5, SR6                          |
| FR4            | Status change notifications           | Functional                  | SR1, SR3, SR5, SR6                          |
| FR5            | Create automation rules               | Functional                  | SR1, SR3, SR4, SR6, SR11                    |
| FR6            | Modify and delete automation rules    | Functional                  | SR1, SR3, SR4, SR6, SR11                    |
| FR7            | Scheduling automation tasks           | Functional                  | SR1, SR3, SR4, SR6, SR11                    |
| NFR1           | System uptime of 99.9%                | Non-functional              | N/A                                         |
| NFR2           | Handle up to 50 devices simultaneously| Non-functional              | N/A                                         |
| NFR3           | Command latency < 200ms               | Non-functional              | N/A                                         |
| NFR4           | End-to-end encryption                 | Non-functional              | SR1, SR5, SR7, SR9                          |
| NFR5           | Secure user authentication            | Non-functional              | SR4, SR6, SR10                              |
| NFR6           | Regular software updates              | Non-functional              | SR1, SR11                                   |

## List of Security Requirements

1. **SR1:** Secure Coding Practices
   *  Follow secure coding standards as outlined by CERT to prevent common coding vulnerabilities such as buffer overflows, integer overflows, and race conditions.

2. **SR2:** Input Validation
   *  Implement robust input validation to ensure that all inputs are checked for type, length, format, and range to prevent attacks such as injection and buffer overflow.

3. **SR3:** Injection Prevention
   *  Ensure that all data inputs are validated, sanitized, or escaped to protect against injection attacks such as SQL, NoSQL, and command injection.

4. **SR4:** Broken Authentication
   *  Implement secure authentication mechanisms to prevent broken authentication and session management issues, such as multi-factor authentication and secure password storage.

5. **SR5:** Sensitive Data Exposure
   *  Encrypt sensitive data both at rest and in transit to prevent unauthorized access and data breaches.

6. **SR6:** API Security
   *  Ensure secure API implementation by using strong authentication and authorization mechanisms, input validation, and secure data transmission protocols.

7. **SR7:** Excessive Data Exposure
   *  Limit the amount of data returned by APIs to the minimum necessary to prevent excessive data exposure.

8. **SR8:** Secure Mobile Storage
   *  Ensure that sensitive data stored on mobile devices is encrypted and protected against unauthorized access.

9. **SR9:** Secure Mobile Communication
   *  Ensure that all communications between the mobile app and the server are encrypted using strong protocols such as TLS.

10. **SR10:** Insecure Authentication
    *  Implement strong authentication mechanisms within the mobile app, such as multi-factor authentication and secure session management.

11. **SR11:** Security Configuration
    *  Ensure that the application is securely configured, following the OWASP ASVS guidelines for secure configuration management, including secure default settings and the removal of unnecessary features.

12. **SR12:** Access Control
    *  Implement strict access control mechanisms to ensure that users have the minimum necessary permissions, following the principle of least privilege.

13. **SR13:** Logging and Monitoring
    *  Implement logging and monitoring to detect and respond to security incidents, ensuring that logs are securely stored and monitored for suspicious activity.
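As an added illustration of SR1 (CERT secure coding) and SR2 (input validation), not part of the original plan: a C routine for the embedded controller that validates a hypothetical `kind:device:value` command from the mobile app before it is acted on. The message format, the 32-byte buffer, and the value ranges for dimming and temperature are assumptions made for this example; the 50-device limit comes from NFR2.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVICES 50      /* NFR2: at most 50 devices, so ids are 0..49 */

typedef enum { CMD_INVALID = 0, CMD_POWER, CMD_DIM, CMD_TEMP } cmd_kind;

typedef struct {
    cmd_kind kind;
    int device_id;  /* 0 .. MAX_DEVICES-1 */
    int value;      /* power: 0/1, dim: 0..100, temp: 10..30 (assumed ranges) */
} device_cmd;

/* Bounded integer field (CERT ERR34-C: strtol with full checks, never atoi).
 * Rejects garbage, trailing characters, overflow, and out-of-range values. */
static bool parse_bounded_int(const char *s, long lo, long hi, int *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE) return false;
    if (v < lo || v > hi) return false;
    *out = (int)v;
    return true;
}

/* Validate a constructed "kind:device:value" message such as "dim:7:60".
 * The length is checked before anything is copied into the fixed buffer
 * (CERT STR31-C), and every field is type- and range-checked (SR2). */
bool parse_device_cmd(const char *msg, device_cmd *cmd) {
    char buf[32];
    if (msg == NULL || cmd == NULL) return false;
    *cmd = (device_cmd){ .kind = CMD_INVALID };
    /* Over-long or unterminated input is rejected outright, never truncated. */
    const char *nul = memchr(msg, '\0', sizeof buf);
    if (nul == NULL || nul == msg) return false;
    memcpy(buf, msg, (size_t)(nul - msg) + 1);
    char *dev = strchr(buf, ':');
    if (dev == NULL) return false;
    *dev++ = '\0';
    char *val = strchr(dev, ':');
    if (val == NULL) return false;
    *val++ = '\0';
    if (strchr(val, ':') != NULL) return false;        /* unexpected extra field */
    if (!parse_bounded_int(dev, 0, MAX_DEVICES - 1, &cmd->device_id)) return false;
    if (strcmp(buf, "power") == 0) { cmd->kind = CMD_POWER; return parse_bounded_int(val, 0, 1, &cmd->value); }
    if (strcmp(buf, "dim") == 0)   { cmd->kind = CMD_DIM;   return parse_bounded_int(val, 0, 100, &cmd->value); }
    if (strcmp(buf, "temp") == 0)  { cmd->kind = CMD_TEMP;  return parse_bounded_int(val, 10, 30, &cmd->value); }
    return false;                                       /* unknown command kind */
}
```

A rejected message should be logged (SR13) and dropped; the controller never acts on a partially parsed command.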