Core Security Requirements Artefacts
Authors
Abstract
Although security requirements engineering has recently attracted increasing attention, it has lacked a context in which to operate. A number of papers have described how security requirements may be violated, but apart from a few hints in the general literature, none have described satisfactorily what security requirements are. This paper proposes a framework of core security requirements artefacts, which unifies the concepts of the two disciplines of requirements engineering and security engineering. From requirements engineering it takes the concept of functional goals, which are operationalised into functional requirements, with appropriate constraints. From security engineering it takes the concept of assets, together with threats of harm to those assets. Security goals aim to protect from those threats, and are operationalised into security requirements, which take the form of constraints on the functional requirements. In addition we explore the consequences of the fact that security is concerned with the protection of assets, while computers only provide interfaces. We show how to specify the relationship between security requirements and the specification of software behaviour, using Jackson's Problem Frames approach.
Similar resources
Model-Driven Security Engineering for Trust Management in SECTET
Service Oriented Architectures with underlying technologies like web services and web services orchestration have opened the door to a wide range of novel application scenarios, especially in the context of inter-organizational cooperation. One of the remaining obstacles for a widespread use of these techniques is security. Companies and organizations open their systems and core business proces...
Engaging Stakeholders in Security Design: An Assumption-Driven Approach
System stakeholders fail to engage with security until comparatively late in the design and development process. User Experience artefacts like personas and scenarios create this engagement, but creating and contextualising them is difficult without real-world, empirical data; such data cannot be easily elicited from disengaged stakeholders. This paper presents an approach for engaging stakehol...
An Engineering Process and Modelling
This paper presents a novel Security Engineering Process for the creation of security-enhanced system models. The process offers a language for the definition of a domain-specific security knowledge language, the creation of security artefacts using the previous architecture and the use of these artefacts in a system model for fulfilling its security requirements and assurance. It makes securit...
A Model Driven Approach for Generating Code from Security Requirements
Nowadays, Information Systems are present in numerous areas and they usually contain data with special security requirements. However, these requirements do not often receive the attention that they deserve and, on many occasions, they are not considered or are only considered when the system development has finished. On the other hand, the use of model driven approaches has recently demonstrated...
A Framework for Specifying and Managing Security Requirements in Collaborative Systems
Although security has been recognized as an increasingly important and critical issue for software system development, most security requirements are poorly specified: ambiguous, misleading, inconsistent among various parts, and lacking sufficient details. In this paper, a framework for specifying unambiguous, interoperable security requirements and detecting conflict and undesirable emergent p...