A Requirement Centric Framework for Information Security Evaluation

Information security evaluation of software-intensive systems typically relies heavily on the experience of security professionals. Obviously, automated approaches are needed in this field. Unfortunately, there is no practical approach to carrying out security evaluation in a systematic way. We introduce a general-level holistic framework for security evaluation based on security behaviour modelling and security evidence collection, and discuss its applicability to the design of security evaluation experimentation set-ups in real-world systems.
