CAIRIS

What is CAIRIS?

CAIRIS stands for Computer Aided Integration of Requirements and Information Security. It was designed to be a security requirements management tool, and was built from the ground up to support all the elements necessary for usability, requirements, and risk analysis.

Why did you build CAIRIS?

CAIRIS was developed as part of Shamal Faily’s doctoral research. It was designed and built to better understand the form that software tools for secure and usable software design might take.

Why do I need CAIRIS?

No-one disagrees that security should be considered as early as possible when designing software, but how do you do this productively, i.e. without security getting in the way of the business of understanding the software’s core functional goals?

CAIRIS helps by supporting the usability, security, and requirements engineering activities that one might use at the initial stages of a project. If you’re undertaking these activities then you’re collecting data that needs to go somewhere. By using CAIRIS as a repository for this data, you will benefit from CAIRIS’ automatic analysis and visualisation capabilities.

What does CAIRIS do that other tools do not?

Several things.

First, some tools focus on the specification of requirements. Others focus on modelling requirements together with related concepts. Still others are centered around managing UX data. CAIRIS is the only tool that does all of this (and more).

Second, CAIRIS is, to the best of our knowledge, the only security design tool that supports the notion of environments. If you’re building a medical data repository that will be used by different communities of users, you will be concerned about the nuances each community attaches to an asset’s security properties. For example, clinical data might have a high confidentiality value to one community but a low confidentiality value in another; this difference may be due to the level of anonymisation the asset is subjected to in each community. Similarly, each community might have threats, vulnerabilities and people that look similar but vary subtly. CAIRIS captures these variations, so the impact of design changes, or of changes in people’s characteristics and tasks, can be examined for each ‘context of use’.

Third, CAIRIS is scalable. In most other tools, analysts are required to build models by hand. However, as models get bigger, this task gets increasingly harder. CAIRIS addresses this by automatically generating models from the connections between concepts that analysts make. CAIRIS deals with the messiness associated with visualising this data, so you don’t have to.
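The two points above (per-environment security properties, and models generated from the links analysts record rather than drawn by hand) are easier to see with data. The following is an added illustration written for this page; it is not CAIRIS code and does not use CAIRIS’ model format. The asset, threat, vulnerability and risk dictionaries are constructed sample data, and the environment names (“Hospital”, “Research”) are assumptions chosen to match the medical example.

```python
"""Per-environment asset properties and generated risk models.

Constructed illustration of two ideas: an asset's security properties can
differ by environment, and a risk model can be generated from recorded
threat/vulnerability/asset links instead of being drawn by hand.  The data,
the dictionary shapes and the DOT output are invented for this example; they
are not CAIRIS' own model format or code.
"""
from collections import defaultdict

# Asset -> environment -> security property -> value.  Constructed sample:
# the same clinical dataset is fully identifiable in the hospital and
# pseudonymised for researchers, so confidentiality differs by environment.
ASSETS = {
    "Clinical data": {
        "Hospital": {"confidentiality": "High", "integrity": "High", "availability": "High"},
        "Research": {"confidentiality": "Low", "integrity": "High", "availability": "Medium"},
    },
    "Portal credentials": {
        "Hospital": {"confidentiality": "High", "integrity": "High", "availability": "Medium"},
        "Research": {"confidentiality": "High", "integrity": "High", "availability": "Medium"},
    },
}

# Vulnerability -> environment -> assets it exposes.  A vulnerability is only
# listed under the environments in which the analyst recorded it.
VULNERABILITIES = {
    "Unpatched portal": {"Hospital": ["Portal credentials"]},
    "Weak pseudonymisation": {"Research": ["Clinical data"]},
}

# Threat -> environment -> assets it targets.
THREATS = {
    "Credential theft": {"Hospital": ["Portal credentials"], "Research": ["Portal credentials"]},
    "Re-identification": {"Research": ["Clinical data"]},
}

# Risk -> (threat, vulnerability).  A risk only materialises in an
# environment where both its threat and its vulnerability are present.
RISKS = {
    "Portal compromise": ("Credential theft", "Unpatched portal"),
    "Patient re-identified": ("Re-identification", "Weak pseudonymisation"),
}


def property_differences(assets=ASSETS):
    """Return {asset: {property: {environment: value}}} for every security
    property whose value is not the same in all of the asset's environments."""
    diffs = defaultdict(dict)
    for asset, envs in assets.items():
        props = set().union(*(p.keys() for p in envs.values()))
        for prop in sorted(props):
            values = {env: envs[env].get(prop, "None") for env in envs}
            if len(set(values.values())) > 1:
                diffs[asset][prop] = values
    return dict(diffs)


def risk_model(env, risks=RISKS, threats=THREATS, vulns=VULNERABILITIES):
    """Generate the risk model for one environment as a list of directed
    edges (source, target, relation).  The edges follow from the recorded
    links, so a risk silently drops out of any environment in which its
    threat or vulnerability was never recorded."""
    edges = []
    for risk, (threat, vuln) in risks.items():
        if env not in threats.get(threat, {}) or env not in vulns.get(vuln, {}):
            continue  # threat or vulnerability absent in this context of use
        edges.append((threat, risk, "threat"))
        edges.append((vuln, risk, "vulnerability"))
        for asset in sorted(set(threats[threat][env]) | set(vulns[vuln][env])):
            edges.append((risk, asset, "exposes"))
    return edges


def to_dot(env):
    """Render the environment's generated risk model as Graphviz DOT text."""
    lines = [f'digraph "{env}" {{']
    for src, dst, rel in risk_model(env):
        lines.append(f'  "{src}" -> "{dst}" [label="{rel}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for asset, props in property_differences().items():
        for prop, values in props.items():
            print(f"{asset}: {prop} differs across environments: {values}")
    for env in ("Hospital", "Research"):
        print(to_dot(env))
```

Running the script reports that only the clinical data’s confidentiality and availability differ between the two environments, and emits one DOT graph per environment: “Portal compromise” appears only in the Hospital graph (its vulnerability was never recorded for Research) and “Patient re-identified” only in the Research graph. That per-environment filtering is the point of the environment concept: the same recorded links yield a different model for each context of use without the analyst redrawing anything.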

Fourth, CAIRIS doesn’t attempt to be the ‘one tool that rules them all’. CAIRIS works best when used in combination with other ‘best of breed’ tools. For example, CAIRIS has been used to import data from sources ranging from wiki pages and spreadsheets, to open source repositories about attack patterns. Moreover, in addition to generating models and documentation, CAIRIS can generate goal models that can be imported into other tools like jUCMNav. Because of how CAIRIS has been implemented, it’s also fairly easy to develop extensions for importing and exporting data.

Finally, although CAIRIS’ origins are in specifying requirements, it has been recently extended to support the specification and analysis of software architectures as well. To date, we believe CAIRIS to be the only tool that supports the specification and analysis of both security requirements and security architectures.

Is CAIRIS used in the real world?

CAIRIS has been used in a number of real-world case studies. You can read about some of these studies here. We’re currently working with a number of companies (both large and small) who are looking to adopt CAIRIS.

We’re always interested in hearing from others interested in adopting the tool, so please get in touch if you want to use CAIRIS and need help getting started.

Are there any examples of CAIRIS in action?

Yes, see the Examples page.

The design data for webinos is also based on CAIRIS.

We are currently working on a project to build specification exemplars for critical infrastructure systems; these models will be based on CAIRIS. ACME Water is the first of these exemplars. We are currently building a second exemplar based on a rail company. Please get in touch for more information if these models or this project are of interest.

Is there a live demo of CAIRIS that I can play with?

Yes. You can get started here.

Is CAIRIS free?

Yes. CAIRIS has been made freely available under an Apache Software License. You can find the source code for CAIRIS on GitHub.

Does CAIRIS only work on Linux?

CAIRIS will run on any platform that supports its open source dependencies. Although it works best on Linux (particularly Debian based distributions), it has been known to run on Mac OS X and Windows as well. Because of its client/server architecture, there is no reason why the server side components can’t run on one platform and the client side components on another.

Do you still do research around CAIRIS?

Very much so. We have a number of undergraduate and postgraduate research assistants that are currently extending CAIRIS, and exploring some of the ideas that originally motivated its development. We love to hear from prospective collaborators, so if working with us to improve the state of the art in security design tools is of interest then please get in touch.

How can I contribute to CAIRIS?

You can contribute in several ways.

How can I sponsor CAIRIS?

We’d love to hear from companies interested in sponsoring the on-going design and evolution of CAIRIS. You can sponsor us in lots of different ways. These include:

Please get in touch if any (or all!) of the above is of interest to you.