Security Requirements Engineering for Cloud Computing: The Secure Tropos Approach

Chapter in: Domain-Specific Conceptual Modeling

Abstract

Security is considered an important aspect of software systems, especially in the context of cloud computing. Nevertheless, current practices for securing software systems fail to take security issues into account during the early development stages and cannot properly address the unique characteristics and needs of the cloud environment. To address these issues, Secure Tropos was developed as a security-oriented requirements engineering approach, offering a modeling language and sets of diagrams that facilitate the elicitation and elaboration of security features for software systems. In this work, we introduce Secure Tropos by discussing its main concepts, their relations, and the main diagrams used to capture the different aspects of a software system. SecTro, a CASE tool developed specifically for the creation and analysis of Secure Tropos diagrams, is used to model a case study as an illustrative example. Finally, future work on expanding the functionalities offered by Secure Tropos is discussed.



Author information

Corresponding author: Haralambos Mouratidis


Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Mouratidis, H., Argyropoulos, N., Shei, S. (2016). Security Requirements Engineering for Cloud Computing: The Secure Tropos Approach. In: Karagiannis, D., Mayr, H., Mylopoulos, J. (eds) Domain-Specific Conceptual Modeling. Springer, Cham. https://doi.org/10.1007/978-3-319-39417-6_16

  • DOI: https://doi.org/10.1007/978-3-319-39417-6_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-39416-9

  • Online ISBN: 978-3-319-39417-6

  • eBook Packages: Computer Science (R0)
