Abstract
Current software security approaches involving software and information assurance, involve security activities such as threat modeling, misuse cases, and rigorous testing during the development, implementation and maintenance phases of the software lifecycle. With OPL (operational, public-image, legal) model, we propose that security requirements should be elicited at the data field level from end-users during the requirements modeling phase of the lifecycle. The elicited classification can then be used to drive the process of identifying critical processes of software, which leads to more effective threat modeling and testing regimens downstream.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Owens, D.: Integrating Software Security into The Software Development Lifecycle, IMPACT, http://www.impact-alliance.org (accessed 2013)
Dynamics, General. Venturing Beyond the Castle Walls – The Need for Data-Centric Security Models in Cloud Computing Environments, General Dynamics Information Technology (2012), https://meritalk.com/uploads_resources/000081_4435.pdf
Pfleeger, C.P., Pfleeger, S.L.: Security in Computing, 4th edn. Prentice Hall, Indianapolis (2006)
Rauch, M.: What is Information Assurance, Articlesbase (2009), http://www.articlesbase.com/security-articles/what-is-information-assurance-1142179.html
SAFECode, Software Assurance: An Overview of Current Industry Best Practices, Wakefield, Massachusetts, USA (2008), http://www.safecode.org
Dash, R.: Risk Assessment Techniques for Software Development. European Journal of Scientific Research 42(4), 629–636 (2010), www.eurojournals.com/ejsr.htm
Le Grand, C.H.: Software Security Assurance: A framework for Software Vulnerability Management and Audit. CHL Global Associates (2005), www.ouncelabs.com
Microsoft, Microsoft Security Development Lifecycle, Simplified Implementation of the Microsoft SDL (2010), http://www.microsoft.com/sdl
Williams, L.: Misuse (or Abuse) Cases, North Carolina State University, North Carolina, United States, http://www.cigital.com/justiceleague/wp-content/uploads/2007/07/touchpoints.gif (accessed 2013)
Steven, J.: Defining Misuse within the Development Process. IEEE Security and Privacy, United States (2006)
Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10, 34–44 (2004)
Myagmar, S., Lee, A.J., Yurcik, W.: Threat Modeling as a Basis for Security Requirements. In: Symposium on Requirements Engineering for Information Security (SREIS), United States (2005)
Howard, M.: Demystifying the Threat-Modeling Process. IEEE Security and Privacy, United States (2005)
Etges, R., McNeil, K.: Understanding Data Classification Based on Business and Security Requirements. Journal Online 5 (2006)
Heiser, J.: Data classification best practices: Techniques, methods and projects, http://www.SearchSecurity.com (accessed 2013)
Verizon, Data-Centric Vulnerability Management (2012), http://www.verizonenterprise.com/resources/whitepaper/wp_data-centric-vulnerability-management_en_xg.pdf
Bajaj, A.: Large Scale Requirements Modeling: an Industry Analysis, A Model and a Teaching Case. Journal of Information Systems Education, United States (2006)
Bajaj, A. , Large Scale Requirements Modeling, University of Tulsa, United States (2008).
Bajaj, A.: The Effect of Abstraction of Constructs in Data Models on Modeling Performance: An Exploratory Empirical Study. In: Americas Conference on Information Systems (ACMIS), United States (2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Rahimian, F., Bajaj, A. (2013). Specifying Security at the Systems Analysis Level: Operational, Public-Image and Legal Aspects. In: Wrycza, S. (eds) Information Systems: Development, Learning, Security. SIGSAND/PLAIS 2013. Lecture Notes in Business Information Processing, vol 161. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40855-7_4
Download citation
DOI: https://doi.org/10.1007/978-3-642-40855-7_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40854-0
Online ISBN: 978-3-642-40855-7
eBook Packages: Computer ScienceComputer Science (R0)