Upload
christine-meryl-daniel
View
217
Download
0
Embed Size (px)
Citation preview
Selecting Security Patterns that Fulfill Security
Requirements
Method presentation by Ondrej Travnicek
Utrecht University Method Engineering 2014
Outline• Introduction
o Overviewo Main phases
• Related literatureo Pasto Presento Future
• Method description• Example• Conclusion
o Strengths / Opportunitieso Weaknesses / Threats
Utrecht University Method Engineering 2014
Introduction
• Purposeo To aid developers with the selection of security patterns
• Authorso Michael Weiss
• Associate professor• Carleton University (Ottawa, Canada)• Open source, ecosystems, mash-ups, patterns, and social network
analysiso Haralambos (Haris) Mouratidis
• Professor• University of Brighton (Brighton, UK)• Software systems engineering, security requirements engineering,
software engineering, information systems engineering
Utrecht University Method Engineering 2014
Overview
Introduction
• Build repositoryo Pattern investigation & decompositiono Search engine implementation
• Select patternso Inputo Search engine at worko Output
Utrecht University Method Engineering 2014
Main phases
Related literature
• From non-functional requirements to design through patterns (Gross & Yu, 2001)o Modeling the impact of security patternso Non-functional requirement frameworko Analysis employed by Weiss and Mouratidis (2008)
• Elaborating security requirements by construction of intentional anti- models (Van Lamsweerde, 2004)o Modeling, specification and analysis of security requirementso Security, not only an after thought
Utrecht University Method Engineering 2014
Past
Related literature
• Building a pattern repository: Benefitting from the open, lightweight, and participative nature of wikis (Weiss & Birokou, 2007)o Effects of increasing number of security patternso Pattern repository through wikis
• Using security patterns to develop secure systems (Fernandez et al., 2011)o Ongoing global collaborationo Use of patterns in development of secure systems
Utrecht University Method Engineering 2014
‘Present’
Related literature
• Legally “reasonable” security requirements: A 10-year FTC retrospective (Breaux & Baumer, 2011)o Investigation into “reasonable” security
• Otherso Cited: 22 timeso Application of the method
Utrecht University Method Engineering 2014
Future
Method description
Utrecht University Method Engineering 2014
Method represented using the Process-Deliverable Diagram (Weerd & Brinkkemper, 2008).
Example
From GRL model
to Prolog facts
Utrecht University Method Engineering 2014
Conclusion• Strengths / Opportunities
o Universalo Development heavy environment
• Weaknesses / Threatso Single project situationo Repository updateso Repository sources and builder
Utrecht University Method Engineering 2014
References• Breaux, T. D., & Baumer, D. L. (2011). Legally “reasonable” security requirements: A
10-year FTC retrospective. computers & security, 30(4), 178-193. • Fernandez, E. B., Yoshioka, N., Washizaki, H., Jurjens, J., VanHilst, M., & Pernul, G.
(2011). Using security patterns to develop secure systems, 2, 16-31.• Gross, D., & Yu, E. (2001). From non-functional requirements to design through
patterns. Requirements Engineering, 6(1), 18-36. • Van Lamsweerde, A. (2004). Elaborating security requirements by construction of
intentional anti- models. Proceedings of the 26th International Conference on Software Engineering (pp. 148-157). IEEE Computer Society.
• Weerd, I. van de, & Brinkkemper, S. (2008). Meta-modeling for situational analysis and design methods. In M.R. Syed and S.N. Syed (Eds.), Handbook of Research on Modern Systems Analysis and Design Technologies and Applications (pp. 38-58). Hershey: Idea Group Publishing.
• Weiss, M., & Birukou, A. (2007). Building a pattern repository: Benefitting from the open, lightweight, and participative nature of wikis. International Symposium on Wikis (WikiSym), ACM (pp. 21-23).
• Weiss, M., & Mouratidis, H. (2008). Selecting security patterns that fulfill security requirements. International Requirements Engineering, 2008. RE'08. 16th IEEE (pp. 169-172). Catalonia: IEEE.
Utrecht University Method Engineering 2014
Questions?
Utrecht University Method Engineering 2014