Details
Original language | English |
---|---|
Title of host publication | 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 1-6 |
Number of pages | 6 |
ISBN (electronic) | 9781479963409 |
Publication status | Published - 2014 |
Event | IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Karlskrona, Sweden Duration: 25 Aug 2014 → 25 Aug 2014 |
Publication series
Name | 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings |
---|
Abstract
Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements automatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.
Keywords
- decision documentation, decision knowledge, heuristic analysis, knowledge carrying software, Security requirements engineering, software evolution, user monitoring
ASJC Scopus subject areas
- Computer Science(all)
- Software
- Computer Science(all)
- Computer Networks and Communications
- Engineering(all)
- Safety, Risk, Reliability and Quality
Cite this
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2014. p. 1-6 6890520 (2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings).
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring
AU - Hesse, Tom Michael
AU - Gartner, Stefan
AU - Roehm, Tobias
AU - Paech, Barbara
AU - Schneider, Kurt
AU - Bruegge, Bernd
PY - 2014
Y1 - 2014
KW - decision documentation
KW - decision knowledge
KW - heuristic analysis
KW - knowledge carrying software
KW - Security requirements engineering
KW - software evolution
KW - user monitoring
UR - http://www.scopus.com/inward/record.url?scp=84908644441&partnerID=8YFLogxK
U2 - 10.1109/ESPRE.2014.6890520
DO - 10.1109/ESPRE.2014.6890520
M3 - Conference contribution
AN - SCOPUS:84908644441
T3 - 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings
SP - 1
EP - 6
BT - 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014
Y2 - 25 August 2014 through 25 August 2014
ER -