A framework for security requirements engineering

Haley, Charles B.; Moffett, Jonathan; Laney, Robin; Nuseibeh, Bashar

doi:10.1145/1137627.1137634

Cited by 91 publications

(50 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…requirements) have received a great deal of attention from researchers over the last ten years. Security requirements identification, reasoning and evaluation have also been extensively researched [40][41][42][43][44]. Yet, very little has been done to evaluate the adherence of the design stage to the intended security requirement, in particular evaluating the software architecture.…”

Section: Discussionmentioning

confidence: 99%

The ISDF Framework: Towards Secure Software Development

Alkussayer¹,

Allen²

2010

Journal of Information Processing Systems

View full text Add to dashboard Cite

Abstract-The rapid growth of communication and globalization has changed the software engineering process. Security has become a crucial component of any software system. However, software developers often lack the knowledge and skills needed to develop secure software. Clearly, the creation of secure software requires more than simply mandating the use of a secure software development lifecycle; the components produced by each stage of the lifecycle must be correctly implemented for the resulting system to achieve its intended goals. This study demonstrates that a more effective approach to the development of secure software can result from the integration of carefully selected security patterns into appropriate stages of the software development lifecycle to ensure that security designs are correctly implemented. The goal of this study is to provide developers with an Integrated Security Development Framework (ISDF) that can assist them in building more secure software.

show abstract

Section: Discussionmentioning

confidence: 99%

The ISDF Framework: Towards Secure Software Development

Alkussayer¹,

Allen²

2010

Journal of Information Processing Systems

View full text Add to dashboard Cite

show abstract

“…. constraints on functional requirements to protect the assets from threats" [26]. For example, the webpage sent by the web server must be identical to the webpage received by the client (i.e., integrity).…”

Section: Kirin Security Rulesmentioning

confidence: 99%

On lightweight mobile phone application certification

Enck

Ongtang

McDaniel

2009

Proceedings of the 16th ACM Conference on Computer and Communications Security

750

451

View full text Add to dashboard Cite

Users have begun downloading an increasingly large number of mobile phone applications in response to advancements in handsets and wireless networks. The increased number of applications results in a greater chance of installing Trojans and similar malware. In this paper, we propose the Kirin security service for Android, which performs lightweight certification of applications to mitigate malware at install time. Kirin certification uses security rules, which are templates designed to conservatively match undesirable properties in security configuration bundled with applications. We use a variant of security requirements engineering techniques to perform an in-depth security analysis of Android to produce a set of rules that match malware characteristics. In a sample of 311 of the most popular applications downloaded from the official Android Market, Kirin and our rules found 5 applications that implement dangerous functionality and therefore should be installed with extreme caution. Upon close inspection, another five applications asserted dangerous rights, but were within the scope of reasonable functional needs. These results indicate that security configuration bundled with Android applications provides practical means of detecting malware.

show abstract

“…In the realm of security software engineering, Haley et al [10,9] present a framework for representing security requirements in an application context and for both formal and informal argumentation about whether a system satisfies them. The proposed argumentation process specifies several iterative steps for the problem part of the Twin Peaks.…”

Section: Related Workmentioning

confidence: 99%

The Security Twin Peaks

Heyman

Yskout

Scandariato

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The feedback from architectural decisions to the elaboration of requirements is an established concept in the software engineering community. However, pinpointing the nature of this feedback in a precise way is a largely open problem. Often, the feedback is generically characterized as additional qualities that might be affected by an architect's choice. This paper provides a practical perspective on this problem by leveraging architectural security patterns. The contribution of this paper is the Security Twin Peaks model, which serves as an operational framework to co-develop security in the requirements and the architectural artifacts.

show abstract

A framework for security requirements engineering

Cited by 91 publications

References 19 publications

The ISDF Framework: Towards Secure Software Development

The ISDF Framework: Towards Secure Software Development

On lightweight mobile phone application certification

The Security Twin Peaks

Contact Info

Product

Resources

About