REQUIREMENTS REUSE FOR IMPROVING
INFORMATION SYSTEMS SECURITY
F122028 – VIVAN Kourosh
VIVAN Kourosh - ME 2013 2
Authors
• Universidad de Murcia: Ambrosio TOVAL, Reader in Software Engineering in the Department of Computing; Joaquin NICOLAS; Begona MOROS, lecturer. She has a background in prototyping environments, software development and requirements engineering (RE).
• Universidad Politécnica de Valencia: Fernando GARCÍA
Origins
CARMMA project: develop a risk analysis using MAGERIT in the Regional Information Systems and Telecommunications Office
One year / 5 analysts / 50 stakeholders
Results
Countermeasure costs could be lower if assets were developed taking security issues into account from the beginning. But MAGERIT countermeasures are linked to threats, not to assets.
Purpose
The method takes place during elicitation and specification
It uses a reuse repository that contains requirements derived from MAGERIT
The method focuses on the security of the information system
The method's results are: specification documents and testing documents
Main phases
1. Requirements selection
2. Analysis and negotiation
3. Documentation
4. Repository improvement
5. Validation
Create reuse repository
Reuse repository
Classified by domains and profiles
Domains: finance, shop...
Profiles: personal data law privacy, information system security…
A requirement can be parameterized or not
Requirements selection
Analysis and negotiation
Documentation
Repository improvement & Validation
Related literature
Toval, A., Nicolás, J., Moros, B., & García, F. (2002). Requirements reuse for improving information systems security: a practitioner's approach. Requirements Engineering, 6(4), 205-219.
Sindre, G., Firesmith, D. G., & Opdahl, A. L. (2003, June). A reuse-based approach to determining security requirements. In Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03), Klagenfurt, Austria.
Gutiérrez, C., Moros, B., Toval, A., Fernández-Medina, E., & Piattini, M. (2005, August). Security requirements for web services based on SIREN. In Symposium on Requirements Engineering for Information Security, Paris, France.
Tsang, V. W. S. Towards Analysis of Templates for Security Requirements (Doctoral dissertation, University of Auckland).
PDD
Deliverables
Example
SyRS.3.5.2.S42. The maintainability contract of the electronic equipment shall include a clause enforcing the supplier to make a commitment to solve any failure in less than [time in minutes].
SyRS: System Requirements Specification document
3.5.2: Section number (3.5: System attributes)
S42: Security requirement 42
Identifier structure follows the IEEE 1233 standard
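The identifier scheme and the bracketed parameter on this slide can be modelled directly. The following Python is an added illustration, not code from the presentation or the SIREN project: it parses a `SyRS.<section>.S<n>` identifier, keeps a reuse repository tagged by domain and profile as the earlier slides describe, and instantiates a parameterized requirement while refusing to emit one with an unfilled parameter. The repository contents and the `select_requirements` helper are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Identifier format from the slide: <document>.<section>.S<n>, e.g.
# "SyRS.3.5.2.S42" = SyRS document, section 3.5.2, security requirement 42.
REQ_ID = re.compile(r"^(?P<doc>[A-Za-z]+)\.(?P<section>\d+(?:\.\d+)*)\.S(?P<num>\d+)$")
# Parameters are written in square brackets, e.g. "[time in minutes]".
PARAM = re.compile(r"\[([^\]]+)\]")

@dataclass
class ReusableRequirement:
    req_id: str
    text: str
    domains: frozenset = frozenset()   # e.g. {"finance", "shop"}
    profiles: frozenset = frozenset()  # e.g. {"information system security"}

    def parameters(self):
        """Bracketed parameter names; empty for a non-parameterized requirement."""
        return PARAM.findall(self.text)

    def instantiate(self, values):
        """Fill every parameter; refuse to emit a half-instantiated requirement."""
        missing = [p for p in self.parameters() if p not in values]
        if missing:
            raise ValueError(f"{self.req_id}: no value for {missing}")
        return PARAM.sub(lambda m: str(values[m.group(1)]), self.text)

def parse_req_id(req_id):
    """Split an identifier such as "SyRS.3.5.2.S42" into its three parts."""
    m = REQ_ID.match(req_id)
    if not m:
        raise ValueError(f"malformed requirement id: {req_id!r}")
    return {"document": m["doc"], "section": m["section"], "number": int(m["num"])}

def select_requirements(repository, profile, domain=None):
    """Requirements selection phase (assumed helper): every requirement tagged
    with the profile (and, if given, the domain) becomes a candidate."""
    return [r for r in repository
            if profile in r.profiles and (domain is None or domain in r.domains)]

# Constructed sample repository holding the slide's own requirement.
REPOSITORY = [
    ReusableRequirement(
        "SyRS.3.5.2.S42",
        "The maintainability contract of the electronic equipment shall include a "
        "clause enforcing the supplier to make a commitment to solve any failure "
        "in less than [time in minutes].",
        frozenset({"finance", "shop"}), frozenset({"information system security"})),
]
```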
Thank you