Hardware Security Risk Assessment: A Case Study

Brent Sherman, David Wheeler

PROCEEDINGS OF THE 2016 IEEE INTERNATIONAL SYMPOSIUM ON HARDWARE ORIENTED SECURITY AND TRUST (HOST) (2016)

Abstract
The security demands on development teams are growing in direct proportion to the security incidents discovered and leveraged in computer crime and cyber warfare every day. There is ongoing research to increase the effectiveness of security defect detection and penetration testing of products, but the literature is thin on actual case studies that apply security assurance processes in a large-scale hardware-centric environment. This paper adds to the literature by providing an actual case study of hardware security assurance practices using a sample size of 151 projects. Furthermore, it documents and analyzes the efficacy of deploying selective automation using quantitative weighted risk ratings of the Security Development Lifecycle (SDL) to hardware projects, including strategic reuse of existing SDL collaterals for derivative projects. The evaluated methodology provided acceptable accuracy and labor savings, but the results indicate that automation focused on assigning a quantitative risk score dilutes real security concerns; instead, an approach using qualitative analysis and assignment of security assurance tasks is more beneficial.
Keywords
hardware security risk assessment, computer crime, cyber warfare, security defect detection, penetration testing, hardware security assurance processes, selective automation, quantitative weighted risk ratings, security development lifecycle, SDL collateral strategic reuse, quantitative risk scoring assignment