Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. Rather, they are phrased in security domain terminology and are difficult for developers to understand. This means that some general security and secure design expertise is required to take full advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps to reuse experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.