A framework to support alignment of secure software engineering with legal regulations

Regulatory compliance is becoming increasingly important for software systems that process and manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them with security requirements become necessary for the effective development of secure software systems. Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use different concepts and terminology from those used in the legal domain for the description of legal regulations. This situation, together with the lack of appropriate background and knowledge of laws and regulations, introduces a challenge for software developers. In particular, it makes it difficult to perform (i) the elicitation of appropriate security requirements from the relevant laws and regulations; and (ii) the correct tracing of the security requirements throughout the development stages. This paper presents a framework to support the consideration of laws and regulations during the development of secure software systems. In particular, the framework enables software developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace these requirements throughout the development stages in order to ensure that the design indeed supports the required laws and regulations. Our framework is based on existing work from the area of secure software engineering, and it complements this work with a novel and structured process and a well-defined method. A practical case study is employed to demonstrate the applicability of our work.
