论文信息 - Practical Experience Gained from Modeling Security Goals: Using SGITs in an Industrial Project

Practical Experience Gained from Modeling Security Goals: Using SGITs in an Industrial Project

Security inspections, especially in the early development stage, are becoming increasingly important for bringing security-relevant aspects into software systems. Nowadays, such inspections often do not focus in detail on security. The well-known and approved benefits of inspections do not exploit their full potential regarding security. Thus, we have developed the Security Goal Indicator Tree (SGIT) for eliminating existing shortcomings. SGITs are a new approach for modeling and checking security-relevant aspects during the entire software development lifecycle. This article describes the modeling of such security-goal-based trees as part of requirements engineering. Initial experience was gathered from creating SGITs in an industrial environment. After the probands of our industry partner received training on existing security models, the necessary knowledge for creating security models was collected and applied. This resulted in three context-specific SGITs discussed in this article.

Frank Elberzhager | Alessandra Bagnato | Christian Jung | Fabio Raiteri

[1] Gary McGraw,et al. Software Penetration Testing , 2005, IEEE Secur. Priv..

[2] Jared D. DeMott,et al. Fuzzing for Software Security Testing and Quality Assurance , 2008 .

[3] Andy Huber,et al. Peer reviews in software: a practical guide , 2002, SOEN.

[4] Marek Jawurek,et al. Security Goal Indicator Trees: A Model of Software Features that Supports Efficient Security Inspection , 2008, 2008 11th IEEE High Assurance Systems Engineering Symposium.

[5] Barry Boehm,et al. Top 10 list [software development] , 2001 .

[6] Bashar Nuseibeh,et al. A framework for security requirements engineering , 2006, SESS '06.

[7] David Evans,et al. Improving Security Using Extensible Lightweight Static Analysis , 2002, IEEE Softw..

[8] Pedram Amini,et al. Fuzzing: Brute Force Vulnerability Discovery , 2007 .

[9] Michael A. Howard,et al. A process for performing security code reviews , 2006, IEEE Security & Privacy.

[10] Barry W. Boehm,et al. Software Defect Reduction Top 10 List , 2001, Computer.