What is CAIRIS?
CAIRIS stands for Computer Aided Integration of Requirements and Information Security. It is a platform for eliciting, specifying, and validating secure and usable systems. It was built from the ground up to support all the elements necessary for usability, requirements, and risk analysis.
Why did you build CAIRIS?
Why do I need CAIRIS?
No-one disagrees that security should be considered as early as possible when designing software, but how do you do this productively, i.e. without security getting in the way of the business of understanding the software’s core functional goals?
CAIRIS helps by supporting the usability, security, and requirements engineering activities that one might use at the initial stages of a project. If you’re undertaking these activities then you’re collecting data that needs to go somewhere. By using CAIRIS as a repository for this data, you will benefit from CAIRIS’ automatic analysis and visualisation capabilities.
What does CAIRIS do that other tools do not?
First, some tools focus on the specification of requirements. Others focus on modelling requirements together with related concepts. Still others are centred around managing UX data. CAIRIS is the only tool that does all of this (and more).
Second, CAIRIS is, to the best of our knowledge, the only security design tool that supports the notion of environments. If you’re building a medical data repository that will be used by different communities of users, you will be concerned about the perceptions stakeholders in each community might have about security, and what this means when determining the value of an asset, or the impact of a risk. For example, clinical data might have a high confidentiality value to one community, but a low confidentiality value in another; this difference in properties may be due to the level of anonymisation this asset might be subjected to in each community. Similarly, each community might have threats, vulnerabilities, and people that look similar but have subtle variations. CAIRIS can capture these variations, thereby allowing the impact of design changes or changes in people’s characteristics and tasks to be examined for each ‘context of use’.
Third, CAIRIS is scalable. In most other tools, analysts are required to build models by hand. However, as models get bigger, this task gets increasingly hard. CAIRIS addresses this by automatically generating models based on connections between concepts that analysts make. CAIRIS deals with the messiness associated with visualising this data, so you don’t have to.
Fourth, CAIRIS doesn’t attempt to be the ‘one tool that rules them all’. CAIRIS works best when used in combination with other ‘best of breed’ tools. For example, CAIRIS has been used to import data from sources ranging from wiki pages and spreadsheets, to open source repositories about attack patterns. Moreover, in addition to generating models and documentation, CAIRIS can generate goal models that can be imported into other tools like jUCMNav. CAIRIS also has an API, which makes it possible to build apps that can work with data from CAIRIS and other tools. Because of how CAIRIS has been implemented, it’s also fairly easy to develop extensions to CAIRIS based on new insights we might want to draw from analytics from CAIRIS, or even new APIs.
Finally, although CAIRIS’ origins are in specifying requirements, it has been recently extended to support the specification and analysis of software architectures as well. To date, we believe CAIRIS to be the only tool that supports the specification and analysis of both security requirements and security architectures.
Is CAIRIS used in the real world?
CAIRIS has been used in a number of real-world case studies. We’re currently working with a number of companies (both large and small) who are looking to adopt CAIRIS.
We’re always interested in hearing from others interested in adopting the tool, so please get in touch if you want to use CAIRIS and need help getting started.
Are there any examples of CAIRIS in action?
Yes, see the Examples page.
We are currently working on a project to build specification exemplars for critical infrastructure systems; these models will be based on CAIRIS. ACME Water is the first of these exemplars. We are currently building a second exemplar based on a rail company. Please get in touch for more information if these models or this project is of interest.
Is there a live demo of CAIRIS that I can play with?
Yes. You can get started here.
Is CAIRIS free?
Yes. CAIRIS has been made freely available under an Apache Software License. You can find the source code for CAIRIS on GitHub.
Does CAIRIS only work on Linux?
No, CAIRIS will run on any platform that supports its open source dependencies. Although it works best on Linux (particularly Debian-based distributions), it has been known to run on Mac OS X and Windows as well. Because of its architecture, there is no reason why the server-side components can’t run on one platform, and the client-side components can’t run on another. CAIRIS has also been distributed as a Docker container, which will run on any platform that supports Docker.
Do you still do research around CAIRIS?
Very much so. We have a number of undergraduate and postgraduate research assistants that are currently extending CAIRIS, and exploring some of the ideas that originally motivated its development. We love to hear from prospective collaborators, so if working with us to improve the state of the art in security design tools is of interest then please get in touch.
How can I contribute to CAIRIS?
You can contribute in several ways.
- You can use CAIRIS in your own practice. One of our aims in developing CAIRIS is to transfer knowledge about security design tool best practice, so by using CAIRIS, you will be helping us do this. We welcome problem reports or feature requests; you can contribute these by doing little more than raising an issue on GitHub, or getting in touch if your requirements are a little more elaborate.
- If you work in higher education, please consider using CAIRIS as a tool for teaching security design. CAIRIS has already been used in Oxford’s postgraduate Design of Security course. At BU, we’re also incorporating CAIRIS into our own cybersecurity teaching. We’re happy to share any teaching material we develop, so if you’re interested in using CAIRIS as part of your teaching then please get in touch.
- We’re always looking for people to help with general maintenance activities.
How can I sponsor CAIRIS?
We’d love to hear from companies interested in sponsoring the on-going design and evolution of CAIRIS. You can sponsor us in lots of different ways. These include:
- Providing people to help maintain and grow CAIRIS.
- Providing [modest] financial support we can use to employ interns to develop CAIRIS.
- Buying consultancy to help you adopt CAIRIS. Any income from CAIRIS consultancy will go back into the development of CAIRIS.
- Knowledge Transfer Partnerships (KTPs). If you’re a UK SME and see CAIRIS as an important tool in growing your business, then a KTP is a great way of getting government funding to support us and your project.
Please get in touch if any (or all!) of the above is of interest to you.