Security engineering

Pedigree

Altran Praxis’ interest in security engineering has been inspired by its established skills in software engineering, systems engineering, risk management, and development assurance. Praxis’ security sector customers have included financial institutions, government agencies and regulatory bodies. Our work has addressed the defence, finance and critical national infrastructure sectors. Praxis’ experience covers work to some of the most stringent levels of assurance such as ITSEC E6 and CC EAL7, including work with the US National Security Agency (NSA) to provide an EAL5+ demonstrator.

Focus

Praxis’ information security services concentrate on:
  • Software intensive systems, particularly large, complex or novel engineering projects.
  • High levels of product assurance.
  • Security as part of a wider regulatory environment.
  • Managing security risk in trade-offs (such as with safety or reliability), in particular to limit waste by delivering just what is required.
  • Systems engineering process assessment and improvement.
  • Playing our part in the community by moving the knowledge of the industry forward.

Approach

Praxis’ security engineering is based around a clear and documented understanding of risk. This approach is consistent with best industrial and governmental practice (ISO 27000 series, UK MPS) and allows:
  • Cost-effective elicitation of risks and possible mitigations.
  • Transparent comparison of security and other risks.
  • Auditable and robust development of system security requirements.
  • Exploitation of good practices in risk management across industries and sectors.

Example Security Engineering projects

  • High-assurance development demonstrator (Tokeneer) for the US NSA.
  • Review of Common Criteria-compliant development techniques for a government agency.
  • Advice on security issues relating to process plant for a regulatory body.

Why Altran Praxis for Security Engineering?

  • Successfully transferred Praxis’ pedigree of high-integrity safety-critical software and safety engineering to the security sector.
  • Applies transparent, repeatable and auditable risk management techniques.
  • Has widely recognised capabilities across a range of sectors and industries.
  • Actively participates in industry bodies, including standards development.
  • Has established relationships with government agencies and regulators and is trusted by the NSA.

Case reference

SafSec (săf´sek)

Challenge

The SafSec project was funded by the Ministry of Defence Procurement Agency’s Future Business Group who wished to:

"reduce the cost and effort of safety certification and security accreditation for future military avionics systems",

particularly for new developments (advanced avionics architecture, open source architecture, integrated modular avionics, commercial off-the-shelf software) and in-service upgrades.

Engagement and approach

Praxis used its extensive knowledge of both safety and security to define a single methodology, acceptable to all stakeholders, for addressing both safety and security certification of avionics systems. The stakeholders consulted by Praxis included:
  • BAE Systems
  • General Dynamics UK Ltd
  • Smiths Aerospace
  • QinetiQ Boscombe Down, Malvern, Farnborough
  • CESG
  • MOD Accreditors
  • Logica CLEF
  • CAA
  • University of York

Outcome

The SafSec project demonstrated that there are strong parallels between safety and security certification, and trials on two avionics systems showed that accreditations can be cheaper and faster if these parallels are exploited. The SafSec methodology has since been used to inform various security engineering projects.

Capabilities

High-assurance software development

Praxis has demonstrated its ability to deliver bespoke and customised secure software meeting the highest levels of security assurance such as ITSEC E6 or Common Criteria EAL7. Software warranties can be offered where appropriate.

Software tools

Praxis’ SPARK toolset provides a means for specifying and verifying program information flow; as part of an appropriate architecture this can provide strong evidence of the security properties of software.

Software assurance

Praxis’ experience in software verification and quality assurance can be deployed to establish satisfaction of security criteria, either as part of a development team or as an independent technical assessment service.

Risk management services

Including threat identification, risk assessment and the modelling of threats and mitigations.

Engineering process consultancy

Including accreditation planning, evidence generation and process improvement.

"This project [Praxis’ development of a high-security computer system for Mondex International] has provided further evidence for the benefits of formality, in terms of rigour and dependability."
Head of Security,
Mondex International