Abstract
How to design a security engineering process that can cope with the dynamic evolution of Future Internet scenarios and the rigidity of existing system engineering processes? The SecureChange approach is to orchestrate (as opposed to integrate) security and system engineering concerns by two types of relations between engineering processes: (i) vertical relations between successive security-related processes; and (ii) horizontal relations between mainstream system engineering processes and concurrent security-related processes. This approach can be extended to cover the complete system/software lifecycle, from early security requirement elicitation to runtime configuration and monitoring, via high-level architecting, detailed design, development, integration and design-time testing. In this paper we illustrate the high-level scientific principles of the approach.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Massacci, F. et al. (2011). Orchestrating Security and System Engineering for Evolving Systems. In: Abramowicz, W., Llorente, I.M., Surridge, M., Zisman, A., Vayssière, J. (eds) Towards a Service-Based Internet. ServiceWave 2011. Lecture Notes in Computer Science, vol 6994. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24755-2_12
DOI: https://doi.org/10.1007/978-3-642-24755-2_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24754-5
Online ISBN: 978-3-642-24755-2
eBook Packages: Computer Science, Computer Science (R0)