Selecting Security Patterns that Fulfill Security Requirements
Method presentation by Ondrej Travnicek
Utrecht University Method Engineering 2014


Outline

• Introduction
  o Overview
  o Main phases
• Related literature
  o Past
  o Present
  o Future
• Method description
• Example
• Conclusion
  o Strengths / Opportunities
  o Weaknesses / Threats


Introduction: Overview

• Purpose
  o To aid developers with the selection of security patterns
• Authors
  o Michael Weiss
    • Associate professor
    • Carleton University (Ottawa, Canada)
    • Open source, ecosystems, mash-ups, patterns, and social network analysis
  o Haralambos (Haris) Mouratidis
    • Professor
    • University of Brighton (Brighton, UK)
    • Software systems engineering, security requirements engineering, software engineering, information systems engineering


Introduction: Main phases

• Build repository
  o Pattern investigation & decomposition
  o Search engine implementation
• Select patterns
  o Input
  o Search engine at work
  o Output


Related literature: Past

• From non-functional requirements to design through patterns (Gross & Yu, 2001)
  o Modeling the impact of security patterns
  o Non-functional requirement framework
  o Analysis employed by Weiss and Mouratidis (2008)
• Elaborating security requirements by construction of intentional anti-models (Van Lamsweerde, 2004)
  o Modeling, specification and analysis of security requirements
  o Security, not only an afterthought


Related literature: ‘Present’

• Building a pattern repository: Benefitting from the open, lightweight, and participative nature of wikis (Weiss & Birukou, 2007)
  o Effects of increasing number of security patterns
  o Pattern repository through wikis
• Using security patterns to develop secure systems (Fernandez et al., 2011)
  o Ongoing global collaboration
  o Use of patterns in development of secure systems


Related literature: Future

• Legally “reasonable” security requirements: A 10-year FTC retrospective (Breaux & Baumer, 2011)
  o Investigation into “reasonable” security
• Others
  o Cited: 22 times
  o Application of the method


Method description


Method represented using the Process-Deliverable Diagram (Weerd & Brinkkemper, 2008).


Example

From GRL model to Prolog facts


Conclusion

• Strengths / Opportunities
  o Universal
  o Development heavy environment
• Weaknesses / Threats
  o Single project situation
  o Repository updates
  o Repository sources and builder


References

• Breaux, T. D., & Baumer, D. L. (2011). Legally “reasonable” security requirements: A 10-year FTC retrospective. Computers & Security, 30(4), 178-193.

• Fernandez, E. B., Yoshioka, N., Washizaki, H., Jurjens, J., VanHilst, M., & Pernul, G. (2011). Using security patterns to develop secure systems, 2, 16-31.

• Gross, D., & Yu, E. (2001). From non-functional requirements to design through patterns. Requirements Engineering, 6(1), 18-36.

• Van Lamsweerde, A. (2004). Elaborating security requirements by construction of intentional anti-models. Proceedings of the 26th International Conference on Software Engineering (pp. 148-157). IEEE Computer Society.

• Weerd, I. van de, & Brinkkemper, S. (2008). Meta-modeling for situational analysis and design methods. In M.R. Syed and S.N. Syed (Eds.), Handbook of Research on Modern Systems Analysis and Design Technologies and Applications (pp. 38-58). Hershey: Idea Group Publishing.

• Weiss, M., & Birukou, A. (2007). Building a pattern repository: Benefitting from the open, lightweight, and participative nature of wikis. International Symposium on Wikis (WikiSym), ACM (pp. 21-23).

• Weiss, M., & Mouratidis, H. (2008). Selecting security patterns that fulfill security requirements. International Requirements Engineering, 2008. RE'08. 16th IEEE (pp. 169-172). Catalonia: IEEE.


Questions?
