A System for Seamless Support from Security Requirements Analysis to Security Design Using a Software Security Knowledge Base

Owing to the widespread use of the internet, software services are being provided to millions of consumers and the importance of software security has increased considerably. Specifically, difficulties in developing a security design based on the results of a security requirements analysis are a focal point for investigation. One promising approach for addressing these difficulties is to create a knowledge base for secure software development and a process for utilizing it. The information obtained regarding the security design of the knowledge base, which is associated with the knowledge used in the security requirements analysis, can be considered during the design phase. This paper describes the development of a system that seamlessly supports the design phase based on the results of a security requirements analysis and the knowledge base. We then present an example to demonstrate the usefulness of the proposed system. This knowledge base maintains an association between knowledge types and is traceable. Therefore, if the knowledge used to create a type of artifact evolves, it is possible to detect artifacts used knowledge associated with it.

[1]  Jan Jürjens,et al.  Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec , 2010, Requirements Engineering.

[2]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[3]  Eduardo B. Fernandez,et al.  A Methodology to Develop Secure Systems Using Patterns , 2006 .

[4]  Axelle Apvrille,et al.  Secure software development by example , 2005, IEEE Security & Privacy Magazine.

[5]  Gary McGraw,et al.  Knowledge for Software Security , 2005, IEEE Secur. Priv..

[6]  Peter Sommerlad,et al.  Security Patterns: Integrating Security and Systems Engineering , 2006 .

[7]  Joshua J. Pauli,et al.  Threat-Driven Design and Analysis of Secure Software Architectures , 2006 .

[8]  Wouter Joosen,et al.  Does organizing security patterns focus architectural choices? , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[9]  Gary McGraw Software Security , 2012, Datenschutz und Datensicherheit - DuD.

[10]  Mario Piattini,et al.  Security patterns and requirements for internet-based applications , 2006, Internet Res..

[11]  Hironori Washizaki,et al.  Validating Security Design Patterns Application Using Model Testing , 2013, 2013 International Conference on Availability, Reliability and Security.

[12]  Ralph E. Johnson,et al.  Growing a pattern language (for security) , 2012, Onward! 2012.