Towards a Comprehensive Framework for Secure Systems Development

Mouratidis, Haralambos; Jürjens, Jan; Fox, Jorge

doi:10.1007/11767138_5

Cited by 38 publications

(37 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are works that define a transition between development stages, for example, a correspondence between KAOS and SecureUML is proposed in [23] to define security policies related of access control. And, in [24] a mapping between Secure Tropos and UMLsec is proposed.…”

Section: ) Comparisonmentioning

confidence: 99%

See 1 more Smart Citation

A Review of Security Requirements Engineering Methods with Respect to Risk Analysis and Model-Driven Engineering

Muñante

Chiprianov

Gallon

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Part 1: Cross-Domain Conference and Workshop on Multidisciplinary Research and Practice for Information Systems (CD-ARES 2014): Software SecurityInternational audienceOne of the most important aspects that help improve the quality and cost of secure information systems in their early stages of the development lifecycle is Security Requirements Engineering (SRE). However, obtaining such requirements is non-trivial. One domain dealing also with eliciting security requirements is Risk Analysis (RA). Therefore, we perform a review of SRE methods in order to analyse which ones are compatible with RA processes. Moreover, the transition from these early security requirements to security policies at later stages in the lifecycle is generally non-automatic, informal and incomplete. To deal with such issues, model-driven engineering (MDE) uses formal models and automatic model transformations. Therefore, we also review which SRE methods are compatible with MDE approaches. Consequently, our review is based on criteria derived partially from existing survey works, further enriched and specialized in order to evaluate the compatibility of SRE methods with the disciplines of RA and MDE. It summarizes the evidence regarding this issue so as to improve understanding and facilitate evaluating and selecting SRE methods

show abstract

Section: ) Comparisonmentioning

confidence: 99%

“…So it is necessary to combine SRE methodologies with RA methodologies. Several works have already been proposed this: KAOS [25], Secure Tropos [24] [27], CORAS [15] [28].…”

Section: Introductionmentioning

confidence: 99%

A Review of Security Requirements Engineering Methods with Respect to Risk Analysis and Model-Driven Engineering

Muñante

Chiprianov

Gallon

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Also relevant is URN [24], an i* variation which has been added as part of the industrial Telecommunications Standard Z.151 [25] for systems specification. Besides these three main proposals, namely seminal i*, Tropos and GRL [26], there are also others that have introduced several constructs in the language with different research aims, such as security and trust concerns [12,18], temporal operators [27] and traceability constructs [28], among others. In spite of the different aims of the proposals using the i* framework, it is possible to classify the i* extensions or modifications with respect to the constructs they customize (see Table 1).…”

Section: The I* Framework and Its Variationsmentioning

confidence: 99%

“…A more indepth discussion may be found at [9]. We have identified only one proposal [28,29] which generates a different language structure because it adds softgoals to describe dependency's security properties. However, even this proposal is built upon the same conceptual framework.…”

Section: The I* Framework and Its Variationsmentioning

confidence: 99%

Towards interoperability of i* models using iStarML

Cares

Franch

Perini

et al. 2011

Computer Standards & Interfaces

View full text Add to dashboard Cite

Goal-oriented and agent-oriented modelling provides an effective approach to the understanding of distributed information systems that need to operate in open, heterogeneous and evolving environments. Frameworks, firstly introduced more than ten years ago, have been extended along language variants, analysis methods and CASE tools, posing language semantics and tool interoperability issues. Among them, the i* framework is one the most widespread. We focus on i*-based modelling languages and tools and on the problem of supporting model exchange between them. In this paper, we introduce the i* interoperability problem and derive an XML interchange format, called iStarML, as a practical solution to this problem. We first discuss the main requirements for its definition, then we characterise the core concepts of i* and we detail the tags and options of the interchange format. We complete the presentation of iStarML showing some possible applications. Finally, a survey on the i* community perception about iStarML is included for assessment purposes.

show abstract

“…For example, in [27] Mouratidis et.al. merge the high-level concepts and modelling activities of the secure Tropos methodology with UMLsec models.…”

Section: Secure Software Engineering and Modelling Languagesmentioning

confidence: 99%

A UML-based static verification framework for security

2009

View full text Add to dashboard Cite

Citation: Siveroni, I., Zisman, A. & Spanoudakis, G. (2010). A UML-based static verification framework for security. Requirements Engineering, 15(1), pp. 95-118. doi: 10.1007/s00766-009-0091-y This is the unspecified version of the paper.This version of the publication may differ from the final published version. Abstract Secure software engineering is a new research area that has been proposed to address security issues during the development of software systems. This new area of research advocates that security characteristics should be considered from the early stages of the software development life cycle and should not be added as another layer in the system on an ad-hoc basis after the system is built. In this paper we describe a UML-based Static Verification Framework (USVF) to support the design and verification of secure software systems in early stages of the software development life-cycle taking into consideration security and general requirements of the software system. USVF performs static verification on UML models consisting of UML class and state machine diagrams extended by an action language. We present an operational semantics of UML models, define a property specification language designed to reason about temporal and general properties of UML state machines using the semantic domains of the former, and implement the model checking process by translating models and properties into Promela, the input language of the SPIN model checker. We show that the methodology can be applied to the verification of security properties by representing the main aspects of security, namely availability, integrity and confidentiality, in the USVF property specification language. Permanent

show abstract

Towards a Comprehensive Framework for Secure Systems Development

Cited by 38 publications

References 16 publications

A Review of Security Requirements Engineering Methods with Respect to Risk Analysis and Model-Driven Engineering

A Review of Security Requirements Engineering Methods with Respect to Risk Analysis and Model-Driven Engineering

Towards interoperability of i* models using iStarML

A UML-based static verification framework for security

Contact Info

Product

Resources

About