Orchestrating security and system engineering for evolving systems

Managing changes with legacy security engineering processes

2011

Abstract: Managing changes in Security Engineering is a difficult task: the analyst must maintain consistency between security knowledge, such as assets, attacks and treatments, and stakeholders' goals and security requirements. Research-wise, the usual solution is an integrated methodology in which risk, security requirements and architectural solutions are addressed within the same tooling environment and changes can be easily propagated.

Modelling Secure Systems Evolution: Abstract and Concrete Change Specifications

Lecture Notes in Computer Science, 2011

Developing security-critical systems is difficult, and there are many well-known examples of vulnerabilities exploited in practice. In fact, there has recently been a lot of work on methods, techniques, and tools to improve this situation already at the system specification and design. However, security-critical systems are increasingly long-living and undergo evolution throughout their lifetime. Therefore, a secure software development approach that supports maintaining the needed levels of security even through later software evolution is highly desirable. In this chapter, we recall the UMLsec approach to model-based security and discuss tools and techniques to model and verify the evolution of UMLsec models.

An Engineering Process and Modelling Framework for development of Secure Systems

2013

This paper presents a novel Security Engineering Process for the creation of security-enhanced system models. The process offers a language for the definition of a domain-specific security knowledge language, the creation of security artefacts using the previous architecture and the use of these artefacts in a system model for fulfilling its security requirements and assurance. It makes security fit naturally in the systems by interleaving security into the initial architecture and system description. The process also offers solutions for the security properties by means of Security Patterns (a new type of patterns developed in the process) and Security Building Blocks. The Security Engineering Process and its Framework have been applied successfully to several different domains (metering devices, emergency scenarios, set-top boxes, etc.) and are currently being expanded to work with cloud computing scenarios. To illustrate our process we use a mobile command post scenario where ...

Security Software Engineering: Do it the right way

Proceedings of the 6th WSEAS International …, 2007

Secure software development is one of the most important information system issues raised by the use of the internet and networked systems. The importance of developing secure software is increasing. In this work we present a process for the development of security-critical software projects and an overview of some of the existing processes, standards, and life cycle models that support secure software development. It is a guide to the common body of knowledge for producing, acquiring, and sustaining secure software.

Survey: security in the system development life cycle

2005

A general approach to security architecture is introduced. A survey of existing attempts to develop the security architecture introduces the topic. Security can be highlighted as part of the system development life cycle. The authors assume that security cannot be achieved by concentrating on one system component but can be achieved by identifying the relationship between these components and how information is used among them. An original sphere of use and interaction is presented upon which security measures can be evaluated and the required security controls can be chosen.

Seventh international workshop on Software Engineering for Secure Systems (SESS 2011)

Proceedings - International Conference on Software Engineering, 2011

The 7th edition of the SESS workshop aims at providing a venue for software engineers and security researchers to exchange ideas and techniques. In fact, software is at the core of most business transactions, and its smart integration in an industrial setting may be the competitive advantage even when the core competence is outside the ICT field. As a result, the revenues of a firm depend directly on several complex software-based systems. Thus, stakeholders and users should be able to trust these systems to provide data and elaborations with a degree of confidentiality, integrity, and availability compatible with their needs. Moreover, the pervasiveness of software products in the creation of critical infrastructures has raised the value of trustworthiness, and new efforts should be dedicated to achieving it. However, nowadays almost every application has some kind of security requirement even if its use is not to be considered critical.