Eliciting security requirements and tracing them to design: An integration of Common Criteria, heuristics, and UMLsec (bibtex)
by Houmb, Siv Hilde, Islam, Shareeful, Knauss, Eric, Jürjens, Jan and Schneider, Kurt
Abstract:
Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams, and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 (Common Criteria) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the Common Criteria. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the Common Criteria and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the Common Criteria, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the Common Criteria and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the Common Criteria, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.
Reference:
Eliciting security requirements and tracing them to design: An integration of Common Criteria, heuristics, and UMLsec (Houmb, Siv Hilde, Islam, Shareeful, Knauss, Eric, Jürjens, Jan and Schneider, Kurt), In Requirements Engineering, volume 15, 2010.
Bibtex Entry:
@article{Houmb2010,
abstract = {Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams, and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 (Common Criteria) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the Common Criteria. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the Common Criteria and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the Common Criteria, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the Common Criteria and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the Common Criteria, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.},
author = {Houmb, Siv Hilde and Islam, Shareeful and Knauss, Eric and J{\"{u}}rjens, Jan and Schneider, Kurt},
doi = {10.1007/s00766-009-0093-9},
isbn = {0947-3602},
issn = {09473602},
journal = {Requirements Engineering},
keywords = {Common Criteria (CC),Heuristics,Secure design,Security requirement elicitation,UMLsec,secvolution,secvolution_pw},
mendeley-tags = {secvolution,secvolution_pw},
number = {1},
pages = {63--93},
title = {{Eliciting security requirements and tracing them to design: An integration of Common Criteria, heuristics, and UMLsec}},
volume = {15},
year = {2010}
}