Authors:
Roman Wirtz and Maritta Heisel
Affiliation:
Working Group Software Engineering, University of Duisburg-Essen, Oststr. 99, Duisburg, Germany
Keyword(s):
Security Risk, Risk Management, Risk Treatment, Controls, Requirements Engineering, Model-based, Patterns.
Abstract:
In recent years, a significant number of security breaches have been reported. A security breach can lead to value loss for stakeholders, not only financially but also in terms of reputation loss. The likelihood and consequence of a scenario that impacts the security of software constitute a risk level. Risk management describes coordinated activities to identify, evaluate, and treat risks. By following the principle of security-by-design and treating risks as early as possible during software development, the costs can be reduced significantly. Based on our previous work to identify and evaluate risks, we aim to assist developers in treating risks in one of the earliest phases, i.e. during requirements engineering. To do so, we propose a stepwise method that allows selecting and documenting suitable countermeasures, i.e. controls. As input, it takes a requirements model and a CORAS security model. A distinguishing feature of our method is that we use patterns in the form of templates to evaluate the effectiveness of controls. Furthermore, we integrate the selected controls into the requirements model following an aspect-oriented approach. The resulting model can be used as input for the design phase, thus helping to create an architecture that considers security right from the beginning.