Caveat emptor no more: The RABET-V Architecture Assessment

Twitter Facebook


Architecture, the A in RABET-V (yes, it’s an acronym), is a crucial differentiator between CIS’ evaluation program and others. But what makes architecture so vital that we would want to evaluate it?

A fitting comparison can be drawn to physical construction. Just as a poorly designed building, despite its outward appearance, cannot endure over time, software, too, requires a solid architectural foundation. Software procurers often only see the surface-level aspects, akin to a building's façade. RABET-V, on the other hand, provides an X-ray view into the structural integrity of software and its underlying dependencies, allowing for informed assessments of its build quality.

How does RABET-V do it? Various tools allow the essence of the architecture to be attained without requiring access to vendor source code.

What exactly does RABET-V measure? A building can be measured in strength, durability, safety factor, and energy efficiency. Similarly, software architecture can be measured in terms of its quality measures. ISO 25010 (Systems and software engineering—Systems and software Quality Requirements and Evaluation (SQuaRE)) and other standards define several measures for use by RABET-V.

Just as the final build quality of a house is determined by the quality of raw materials and the expertise of the construction team, RABET-V evaluates software by examining both the reliability of its components and the sophistication of their integration (modularity, isolation, and depth).

Reliability

The “degree to which a system, product or component performs specified functions under specified conditions for a specified period of time”

— ISO 25010:2011

Most building components aren’t fabricated on-site; likewise, modern software includes hundreds, sometimes thousands, of smaller third-party components called dependencies.

If building contractors cut corners and use substandard lumber or thin insulation, the quality and longevity of the structure are compromised.

Similarly, in software development, a software system's quality and reliability depend on its components' integrity. If developers overlook security vulnerabilities or use poorly maintained libraries, it can undermine the software’s functionality and security.

RABET-V collates a Software Bill of Materials (SBOM) from software assets, listing each third-party component used. The SBOM is then subjected to a Software Composition Analysis (SCA) of each dependency, considering the component’s health regarding contributors, popularity, and known vulnerabilities.

Modularity

The “degree to which a system or computer program is composed of discrete components such that a change to one component has minimal impact on other components”

— ISO 24765

Perhaps only some people want to live in a modular home, but this approach has advantages. The same bathroom or kitchen module can be combined differently, minimizing the number of unique variants required.

A similar principle applies in software development: components that logically belong together should be integrated into cohesive modules. This modular approach ensures that each module encapsulates related functionalities while maintaining clear interfaces with other modules.

Isolation

The “degree of effectiveness and efficiency with which it is possible to assess the impact on a product or system of an intended change to one or more of its parts, or to diagnose a product for deficiencies or causes of failures, or to identify parts to be modified.”

— ISO 25010:2011

Isolation in software can be likened to the points of egress in a room: having more points of egress makes access easier but limits how a space can be used, as furniture may block windows or doors.

Similarly, security services in software should have clearly defined access points that are consistently used. Just as hallways connecting rooms improve traffic flow and lead to less complex room designs, well-defined access points in software contribute to a more structured and manageable system architecture.

Depth

A coherent architectural design builds harmoniously on various elements. Similarly, security services should be layered to provide complementary functions rather than overlapping ones. Layering security measures ensures that if one layer is breached, others remain intact to mitigate risks, enhancing the system's resilience against cyber threats.

Conclusion

RABET-V is the ultimate home inspection, making the walls transparent and the truth apparent. Just as no savvy home buyer would forgo a thorough home inspection to uncover potential structural problems, no non-voting election technology should be deployed without undergoing a RABET-V assessment.

Current page