Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring

Tom Michael Hesse, Stefan Gartner, Tobias Roehm, Barbara Paech, Kurt Schneider, Bernd Bruegge

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

7 Scopus citations

Abstract

Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements automatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.

Original language: English
Title of host publication: 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1-6
Number of pages: 6
ISBN (Electronic): 9781479963409
State: Published - 2014
Event: 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Karlskrona, Sweden
Duration: 25 Aug 2014 → 25 Aug 2014

Publication series

Name: 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014 - Proceedings

Conference

Conference: 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering, ESPRE 2014
Country/Territory: Sweden
City: Karlskrona
Period: 25/08/14 → 25/08/14

Keywords

  • Security requirements engineering
  • decision documentation
  • decision knowledge
  • heuristic analysis
  • knowledge carrying software
  • software evolution
  • user monitoring
