Creating and Applying Security Goal Indicator Trees in an Industrial Environment

Security inspections are increasingly important for bringing security-relevant aspects into software systems, particularly during the early stages of development. Today, however, such inspections often do not focus specifically on security, so their well-known and proven benefits are not exploited to their full potential where security is concerned. This book chapter focuses on the application of Security Goal Indicator Trees (SGITs) to eliminate existing shortcomings, the training that led to their creation in an industrial project environment, their usage, and their reuse by a team in industry. SGITs are a new approach for modeling and checking security-relevant aspects throughout the entire software development lifecycle. The chapter describes the modeling of such security-goal-based trees as part of requirements engineering using a dedicated plug-in for the GOAT tool, and the retrieval of these models during the various phases of the software development lifecycle in a project by means of the Software Vulnerability Repository Services (SHIELDS, Software Vulnerability Repository Services) created in the European project SHIELDS (SHIELDS, SHIELDS Detecting known security vulnerabilities from within design and development tools).

DOI: 10.4018/978-1-4666-0978-5.ch014
