A comparison of security requirements engineering methods

This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.     

Using argumentation to evaluate software assurance standards

ContextMany people and organisations rely upon software safety and security standards to provide confidence in software intensive systems. For example, people rely upon the Common Criteria for Information Technology Security Evaluation to establish justified and sufficient confidence that an evaluated information technology product’s contributions to security threats and threat management are acceptable. Is this standard suitable for this purpose?ObjectiveWe propose a method for assessing whether conformance with a software safety or security standard is sufficient to support a conclusion such as adequate safety or security. We hypothesise that our method is feasible and capable of revealing interesting issues with the proposed use of the assessed standard.MethodThe software safety and security standards with which we are concerned require evidence and discuss the objectives of that evidence. Our method is to capture a standard’s evidence and objectives as an argument supporting the desired conclusion and to subject this argument to logical criticism. We have evaluated our method by case study application to the Common Criteria standard.ResultsWe were able to capture and criticise an argument from the Common Criteria standard. Review revealed 121 issues with the analysed use of the standard. These range from vagueness in its text to failure to require evidence that would substantially increase confidence in the security of evaluated software.ConclusionOur method was feasible and revealed interesting issues with using a Common Criteria evaluation to support a conclusion of adequate software security. Considering the structure of similar assurance standards, we see no reason to believe that our method will not prove similarly valuable in other applications.     

How to Assess the Effectiveness of your Anti-virus?

I will present an approach whose purpose aims at supporting and making easier and more relevant the choice of an anti-virus product. Among the qualities, which one can expect from an anti-virus product, appear classically the optimal use of the resources and the reactivity of the manufacturer, particularly concerning the viral signature base update. If these requirements are significant, other methodical and technical verifications may be required in order for an individual or a company to make their choice. In the Common Criteria evaluation scheme, a protection profile is proposed to help a software manufacturer to design a product that should be evaluated by an independent security evaluation laboratory. Protection profiles are written in accordance with the Common Criteria standard. Starting from a protection profile, we list some tests that could be carried out to validate the security requirements of an anti-virus product. Both use of a protection profile and the specification of tests seem to be a valuable basis to measure the confidence to grant an anti-virus product.     

通用标准CC的研究与实现

随着计算机技术及Internet的不断发展，如何保证信息系统安全成为一个重要课题．针对这个问题，设计实现了基于信息技术安全性评估准则(通用标准)的系统评估方法和软件．首先在分析通用标准结构的基础上，设计了安全功能和保证要求的体系结构；接着针对保护轮廓和安全目标这两个通用标准的核心文档进行了分析与设计，并指出了文档结构中的内在联系；然后提出了针对标准结构和其内在关联应完成的评估要素；最后给出了评估系统的设计和实现．通过实际保护轮廓和软件产品的安全目标实例分析表明本文所提出的评估方法和系统能够指导信息系统的评估和实践．     

使用CC标准开发的高保证安全信息系统

通用标准（Common Criteria）提供了衡量系统安全性的流行准则。本文主要提出通过各类保证措施,如何构建符合CC标准的高保证安全信息系统。文中首先给出了CC的评估模型、评估过程和安全保证的具体要求。然后以开发安全审计系统为例,分析了系统安全功能和保证要求的产生、审计系统的实现框架以及为达到标准要求而在系统开发过程中使用的各种保证证据和保证措施。最后,又分析了审计系统对整个系统的性能影响因素,并提出了改进办法。本文通过深入剖析通用标准中各个保证要求的内涵,为开发具有高保证要求的信息系统提供了理论指导和实现方法。     

Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec

Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.     

Developer-focused assurance requirements [Evaluation Assurance Level and Common Criteria for IT system evaluation]

In 1999, the International Organization for Standardization and the International Electrotechnical Commission jointly published the Common Criteria for Information Technology Security revaluation to provide IT security evaluation guidelines that extend to an international community. The assurance requirements, including prepackaged sets of Evaluation Assurance Levels (EALs) in the Common Criteria (CC), represent the paradigm that assurance equals evaluation, and more evaluation leads to more assurance. This paradigm is at odds with the commercial off-the-shelf (COTS) marketplace, neither reflecting how confidence is typically achieved nor providing a cost-effective means for supplying grounds for confidence in the security capabilities of the information technology being evaluated.     

Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach

Information systems security issues have usually been considered only after the system has been developed completely, and rarely during its design, coding, testing or deployment. However, the advisability of considering security from the very beginning of the system development has recently begun to be appreciated, and in particular in the system requirements specification phase. We present a practical method to elicit and specify the system and software requirements, including a repository containing reusable requirements, a spiral process model, and a set of requirements documents templates. In this paper, this method is focused on the security of information systems and, thus, the reusable requirements repository contains all the requirements taken from MAGERIT, the Spanish public administration risk analysis and management method, which conforms to ISO 15408, Common Criteria Framework. Any information system including these security requirements must therefore pass a risk analysis and management study performed with MAGERIT. The requirements specification templates are hierarchically structured and are based on IEEE standards. Finally, we show a case study in a system of our regional administration aimed at managing state subsidies.     

Using security robustness analysis for early-stage validation of functional security requirements

Security is nowadays an indispensable requirement in software systems. Traditional software engineering processes focus primarily on business requirements, leaving security as an afterthought to be addressed via generic “patched-on” defensive mechanisms. This approach is insufficient, and software systems need to have security functionality engineered within in a similar fashion as ordinary business functional requirements. Functional security requirements need to be elicited, analyzed, specified and validated at the early stages of the development life cycle. If the functional security requirements were not properly validated, then there is a risk of developing a system that is insecure, deeming it unusable. Acceptance testing is an effective technique to validate requirements. However, an ad hoc approach to develop acceptance tests will suffer the omission of important tests. This paper presents a systematic approach to develop executable acceptance tests that is specifically geared for model-based secure software engineering processes. The approach utilizes early-stage artifacts, namely misuse case and domain models, and robustness diagrams. The feasibility of the proposed approach is demonstrated by applying it to a real-world system. The results show that a comprehensive set of security acceptance tests can be developed based upon misuse case models for early-stage validation of functional security requirements.     

Effectiveness and performance analysis of model-oriented security requirements engineering to elicit security requirements: a systematic solution for developing secure software systems

Software systems are becoming more and more critical in every domain of human society. These systems are used not only by corporates and governments, but also by individuals and across networks of organizations. The wide use of software systems has resulted in the need to contain a large amount of critical information and processes, which certainly need to remain secure. As a consequence, it is important to ensure that the systems are secure by considering security requirements at the early phases of software development life cycle. In this paper, we propose to consider security requirements as functional requirements and apply model-oriented security requirements engineering framework as a systematic solution to elicit security requirements for e-governance software systems. As the result, high level of security can be achieved by more coverage of assets and threats, and identifying more traces of vulnerabilities in the early stages of requirements engineering. This in turn will help to elicit effective security requirements as countermeasures with business requirements.     

基于IPSEC的VPN的安全功能要求的设计与分析

《计算机信息系统安全保护等级划分准则》是我国计算机安全产品和系统必须遵循的标准,而CC是一个新的国际性通用标准,设计一个满足CC标准的网络安全产品或系统,目前国内还没有借鉴之处。文章对国际国内的安全标准现状进行了分析比较,研究了将我国的计算机信息系统安全保护等级的要求用CC标准来描述的问题,并对基于IPSEC的VPN的安全功能要求的实现进行了研究。     

Survey and analysis on Security Requirements Engineering

Security Requirements Engineering is a new research area in software engineering, with the realization that security must be analyzed early during the requirements phase. Many researchers are working in this area; however, there is a lack in security requirements treatment. The security requirements are one of the non-functional requirements, which act as constraints on functions of the system. Organizations are depending on information systems for communicating and sharing information. Thus, IT security is becoming central in fulfilling business goals, to guard assets and to create trustworthy systems. To develop systems with adequate security features, it is essential to capture the security requirements. In this paper, we present a view on Security Requirements, issues, types, Security Requirements Engineering (SRE) and methods. We analyzed and compared different methods and found that SQUARE and Security Requirements Engineering Process methods cover most of the important activities of SRE. The developers can adopt these SRE methods and easily identify the security requirements for software systems.     

Secure Tropos framework for software product lines requirements engineering

Security and requirements engineering are two of the most important factors of success in the development of a software product line (SPL). Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, goal-driven security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing “SecureTropos-SPL” framework.     

Building an international security standard

The Common Criteria for Information Technology Security Evaluation standard (CC) promises to replace scattered and often conflicting regional and national security standards. An emerging international standard, it is intended to support developers, evaluators and consumers of security products. The CC provides a framework to rate products by evaluation assurance level (EAL). Each EAL embodies a recommended set of assurance requirements: the higher the EAL, the more secure the product. You can use EALs to pick and choose which assurance requirements you want to satisfy. Think of the EALs as you would think of bandwidth or processor speed. Not everyone in your organization needs a dedicated T3 line or a 450 MHz desktop. Likewise, not every security product you use needs an EAL7 rating. The article shows how you, as a security products consumer, can use the CC to help determine if a given product meets your security needs. By rating different products according to their EALs, the CC can help you comparison shop and select an appropriately secure product. Further, the standard's international scope can help you integrate your system's security components with those in other countries-whether those components belong to customers, vendors, or other divisions of your own enterprise     

Requirements engineering for trust management: model, methodology, and reasoning

A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission, and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.This work is an expanded and revised version of [19,20].     

软件安全需求获取方法的研究

近年来,软件主动式防御思想在软件安全性保障中的地位越来越高,它是一种积极的保障软件安全性的思想,可有效地构建高可信性软件。安全需求的获取是软件安全性保障中最关键的部分,是主动式防御首要完成的任务并且也是最难完成的部分。针对典型的安全需求获取方法,从它们的研究途径、应用情况等方面进行比较和分析,总结并讨论了安全需求获取方法的状况及其未来的发展趋势。上述工作将对安全需求获取方法的研究和实践应用提供有益参考。     

软件质量量化指标及实现方法的探讨

在ISO软件质量模型的基础上,建立质量需求评价准则(SQRC)和质量设计评价准则(SQDC)之间的定量关系,将软件质量需求指标转化为软件质量的设计指标,为软件开发人员在设计和编码阶段实施软件质量保证提供指南。它将软件质量保证的任务向设计和编码人员进行分解,有利于软件项目工程化生产过程中的质量管理,从而降低软件生产的风险。     

CCA技术的研究及其在地球动力学中的应用

大规模科学应用建模和模拟的特殊需求及其复杂性为科学家的研究带来了巨大的挑战。现今被广泛应用的组件技术不能应对这些问题。美国新近提出了一种适用于大规模科学领域的组件规范——CCA（Common Component Architecture）,它将基于组件的软件开发方法引入到大规模科学领域中,能够很好地满足其特殊需求,解决建模和模拟过程中的复杂性。首先对CCA规范做了简要介绍,然后对基于CCA的框架进行深入分析,并通过实验证实了CCA的可行性。最后将CCA技术引入到地球动力学的研究中,更好地实现地球动力学模拟。     

Certifying open source - the Linux experience

The Common Criteria is an international standard for evaluating the security functions of IT products. The authors describe how they obtained this security certification for Linux, the first open-source product to receive such certification.     

A systematic review of security requirements engineering

One of the most important aspects in the achievement of secure software systems in the software development process is what is known as Security Requirements Engineering. However, very few reviews focus on this theme in a systematic, thorough and unbiased manner, that is, none of them perform a systematic review of security requirements engineering, and there is not, therefore, a sufficiently good context in which to operate. In this paper we carry out a systematic review of the existing literature concerning security requirements engineering in order to summarize the evidence regarding this issue and to provide a framework/background in which to appropriately position new research activities.