Towards a Requirements-Driven Workbench for Supporting Software Certification and Accreditation

Security certification activities for software systems rely heavily on requirements mandated by regulatory documents and on the compliance evidence for those requirements to support accreditation decisions. Therefore, the design of a workbench to support these activities should be grounded in a thorough understanding of the characteristics of certification requirements and their relationships with certification activities. To this end, we use our findings from a case study of a certification process of the United States Department of Defense (DoD) to identify the design objectives of a requirements-driven workbench for supporting certification analysts. The primary contributions of this paper are: identifying key areas of automation and tool support for requirements-driven certification activities; an ontology-driven, dynamic and flexible workbench architecture to address process variability; and a prototype implementation.
