Selecting Security Patterns that Fulfill Security Requirements Method presentation by Ondrej Travnicek Utrecht University Method Engineering 2014
Outline Introduction o Overview o Main phases Related literature o Past o Present o Future Method description Example Conclusion o Strengths / Opportunities o Weaknesses / Threats Utrecht University Method Engineering 2014
Introduction Purpose o To aid developers with the selection of security patterns Authors o Michael Weiss Associate professor Carleton University (Ottawa, Canada) Open source, ecosystems, mash-ups, patterns, and social network analysis o Haralambos (Haris) Mouratidis Professor University of Brighton (Brighton, UK) Software systems engineering, security requirements engineering, software engineering, information systems engineering Utrecht University Method Engineering 2014 Overview
Introduction Build repository o Pattern investigation & decomposition o Search engine implementation Select patterns o Input o Search engine at work o Output Utrecht University Method Engineering 2014 Main phases
Related literature From non-functional requirements to design through patterns (Gross & Yu, 2001) o Modeling the impact of security patterns o Non-functional requirement framework o Analysis employed by Weiss and Mouratidis (2008) Elaborating security requirements by construction of intentional anti- models (Van Lamsweerde, 2004) o Modeling, specification and analysis of security requirements o Security, not only an after thought Utrecht University Method Engineering 2014 Past
Related literature Building a pattern repository: Benefitting from the open, lightweight, and participative nature of wikis (Weiss & Birokou, 2007) o Effects of increasing number of security patterns o Pattern repository through wikis Using security patterns to develop secure systems (Fernandez et al., 2011) o Ongoing global collaboration o Use of patterns in development of secure systems Utrecht University Method Engineering 2014 ‘Present’
Related literature Legally “reasonable” security requirements: A 10- year FTC retrospective (Breaux & Baumer, 2011) o Investigation into “reasonable” security Others o Cited: 22 times o Application of the method Utrecht University Method Engineering 2014 Future
Method description
Utrecht University Method Engineering 2014 Method represented using the Process-Deliverable Diagram (Weerd & Brinkkemper, 2008).
Example From GRL model to Prolog facts Utrecht University Method Engineering 2014
Conclusion Strengths / Opportunities o Universal o Development heavy environment Weaknesses / Threats o Single project situation o Repository updates o Repository sources and builder Utrecht University Method Engineering 2014
References Breaux, T. D., & Baumer, D. L. (2011). Legally “reasonable” security requirements: A 10- year FTC retrospective. computers & security, 30(4), Fernandez, E. B., Yoshioka, N., Washizaki, H., Jurjens, J., VanHilst, M., & Pernul, G. (2011). Using security patterns to develop secure systems, 2, Gross, D., & Yu, E. (2001). From non-functional requirements to design through patterns. Requirements Engineering, 6(1), Van Lamsweerde, A. (2004). Elaborating security requirements by construction of intentional anti- models. Proceedings of the 26th International Conference on Software Engineering (pp ). IEEE Computer Society. Weerd, I. van de, & Brinkkemper, S. (2008). Meta-modeling for situational analysis and design methods. In M.R. Syed and S.N. Syed (Eds.), Handbook of Research on Modern Systems Analysis and Design Technologies and Applications (pp ). Hershey: Idea Group Publishing. Weiss, M., & Birukou, A. (2007). Building a pattern repository: Benefitting from the open, lightweight, and participative nature of wikis. International Symposium on Wikis (WikiSym), ACM (pp ). Weiss, M., & Mouratidis, H. (2008). Selecting security patterns that fulfill security requirements. International Requirements Engineering, RE'08. 16th IEEE (pp ). Catalonia: IEEE. Utrecht University Method Engineering 2014
Questions?