
A methodology for security assurance-driven system development

Requirements Engineering

Abstract

In this work, we introduce an assurance methodology that integrates assurance case creation with system development. It has been developed in order to provide trust and privacy assurance to the evolving European project PICOS (Privacy and Identity Management for Community Services), an international research project focused on mobile communities and community-supporting services, with special emphasis on aspects such as privacy, trust, and identity management. The leading force behind the approach is the ambition to develop a methodology for building and maintaining security cases throughout the system development life cycle in a typical system engineering effort, when much of the information relevant for assurance is produced and feedback can be provided to system developers. The first results of the application of the methodology to the development of the PICOS platform are presented.



Acknowledgments

The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2011) under grant agreement no. 215056.


Correspondence to Isaac Agudo.


Cite this article

Vivas, J.L., Agudo, I. & López, J. A methodology for security assurance-driven system development. Requirements Eng 16, 55–73 (2011). https://doi.org/10.1007/s00766-010-0114-8
