Functional Requirements Under Security PresSuRE

Stephan Faßbender, Maritta Heisel, Rene Meis

2014

Abstract

Recently, there has been an increase in reported security incidents hitting large software systems. Such incidents can originate from different attackers exploiting vulnerabilities in different parts of a system. Hence, there is a need to enhance security considerations in software development. It is crucial for requirements engineers to identify security threats early on, and to refine the threats into security requirements. In this paper, we introduce a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE is a method for identifying security needs during the requirements analysis of software systems using a problem frame model. Our method does not rely entirely on the requirements engineer to detect security needs, but provides computer-aided security threat identification and, subsequently, the elicitation of security requirements. The identification is based on the functional requirements for a system-to-be. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.



Paper Citation


in Harvard Style

Faßbender S., Heisel M. and Meis R. (2014). Functional Requirements Under Security PresSuRE. In Proceedings of the 9th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2014) ISBN 978-989-758-037-6, pages 5-16. DOI: 10.5220/0005098600050016


in Bibtex Style

@conference{icsoft-pt14,
author={Stephan Faßbender and Maritta Heisel and Rene Meis},
title={Functional Requirements Under Security PresSuRE},
booktitle={Proceedings of the 9th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2014)},
year={2014},
pages={5-16},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005098600050016},
isbn={978-989-758-037-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Conference on Software Paradigm Trends - Volume 1: ICSOFT-PT, (ICSOFT 2014)
TI - Functional Requirements Under Security PresSuRE
SN - 978-989-758-037-6
AU - Faßbender S.
AU - Heisel M.
AU - Meis R.
PY - 2014
SP - 5
EP - 16
DO - 10.5220/0005098600050016