Mutual Refinement of Security Requirements and Architecture Using Twin Peaks Model

It is difficult to specify software security requirements adequately because they depend on a software architecture that has not yet been designed. The Twin Peaks model is a reference model for eliciting a sufficient set of software requirements in conjunction with architectural decisions, but it remains unclear how security requirements can be elicited while taking the architecture into account. We propose a novel method for eliciting security requirements alongside architecture elaboration based on the Twin Peaks model, which we call the Twin Peaks Model application for Security Analysis (TMP-SA). In our method, countermeasures against attacks are elicited incrementally, as security requirements, as the architecture is refined. Because the method addresses architecture-specific security issues as well as architecture-independent ones, we can explore the alternative countermeasures (security requirements) comprehensively and choose the most suitable one for each project. We have applied our method to several applications and discuss its advantages and limitations. We found that our method is well suited to iterative development, and that it enables us to find threats caused by architectural issues that are very difficult to find when analyzing requirements alone.