Enforcing Security and Privacy via a Cooperation of Security Experts and Software Engineers: A Model-Based Vision

In an early phase of the software development process (requirement analysis), functional and non-functional requirements are gathered. While a lot of research has been done on how to bring functional requirements into the software, non-functional requirements remain challenging. One of the reasons is that non-functional requirements are often hard to measure and hard to test. Unfortunately, security, privacy, and data protection are such non-functional requirements. To make things even more complicated, software engineering is a social process. This means that multiple parties (i.e., security experts, software architects, and programmers) have to work together, which will unavoidably result in misunderstandings and misinterpretations. Therefore, it is often not clear whether security concerns have been implemented correctly, or have at least been formalized correctly during the requirement analysis for later implementation. This paper is a discussion starter on how to overcome communication-based problems, how to ensure that security concerns are implemented correctly, and how to avoid the software erosion that later breaks security concerns. To this end, we discuss strategies that combine security concepts with software engineering methods through the intensive use of models. Such models are already used in academia and even in industry. We recommend using models more often, more intensively, and for more concerns.
