Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring

Research output: Chapter in book/report/conference proceedingConference contributionResearchpeer review

Authors

  • Tom Michael Hesse
  • Stefan Gartner
  • Tobias Roehm
  • Barbara Paech
  • Kurt Schneider
  • Bernd Bruegge

Research Organisations

External Research Organisations

  • Heidelberg University
  • Technical University of Munich (TUM)
View graph of relations

Details

Original languageEnglish
Title of host publication2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages1-6
Number of pages6
ISBN (electronic)9781479963409
Publication statusPublished - 2014
EventIEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Karlskrona, Sweden
Duration: 25 Aug 201425 Aug 2014

Publication series

Name2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings

Abstract

Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements au-tomatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.

Keywords

    decision documentation, decision knowledge, heuristic analysis, knowledge carrying software, Security requirements engineering, software evolution, user mon-itoring

ASJC Scopus subject areas

Cite this

Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring. / Hesse, Tom Michael; Gartner, Stefan; Roehm, Tobias et al.
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2014. p. 1-6 6890520 (2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings).

Research output: Chapter in book/report/conference proceedingConference contributionResearchpeer review

Hesse, TM, Gartner, S, Roehm, T, Paech, B, Schneider, K & Bruegge, B 2014, Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring. in 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings., 6890520, 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings, Institute of Electrical and Electronics Engineers Inc., pp. 1-6, IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014, Karlskrona, Sweden, 25 Aug 2014. https://doi.org/10.1109/ESPRE.2014.6890520
Hesse, T. M., Gartner, S., Roehm, T., Paech, B., Schneider, K., & Bruegge, B. (2014). Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring. In 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings (pp. 1-6). Article 6890520 (2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ESPRE.2014.6890520
Hesse TM, Gartner S, Roehm T, Paech B, Schneider K, Bruegge B. Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring. In 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2014. p. 1-6. 6890520. (2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings). doi: 10.1109/ESPRE.2014.6890520
Hesse, Tom Michael ; Gartner, Stefan ; Roehm, Tobias et al. / Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring. 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2014. pp. 1-6 (2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings).
Download
@inproceedings{4894ac4e1b6b422788b41c3885133dd8,
title = "Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring",
abstract = "Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements au-tomatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.",
keywords = "decision documentation, decision knowledge, heuristic analysis, knowledge carrying software, Security requirements engineering, software evolution, user mon-itoring",
author = "Hesse, {Tom Michael} and Stefan Gartner and Tobias Roehm and Barbara Paech and Kurt Schneider and Bernd Bruegge",
year = "2014",
doi = "10.1109/ESPRE.2014.6890520",
language = "English",
series = "2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "1--6",
booktitle = "2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings",
address = "United States",
note = "IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 ; Conference date: 25-08-2014 Through 25-08-2014",

}

Download

TY - GEN

T1 - Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring

AU - Hesse, Tom Michael

AU - Gartner, Stefan

AU - Roehm, Tobias

AU - Paech, Barbara

AU - Schneider, Kurt

AU - Bruegge, Bernd

PY - 2014

Y1 - 2014

N2 - Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements au-tomatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.

AB - Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements au-tomatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.

KW - decision documentation

KW - decision knowledge

KW - heuristic analysis

KW - knowledge carrying software

KW - Security requirements engineering

KW - software evolution

KW - user mon-itoring

UR - http://www.scopus.com/inward/record.url?scp=84908644441&partnerID=8YFLogxK

U2 - 10.1109/ESPRE.2014.6890520

DO - 10.1109/ESPRE.2014.6890520

M3 - Conference contribution

AN - SCOPUS:84908644441

T3 - 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings

SP - 1

EP - 6

BT - 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014

Y2 - 25 August 2014 through 25 August 2014

ER -

By the same author(s)