Professional Documents
Culture Documents
Christophe FELTUS
Luxembourg Institute of Science and Technology
christophe.feltus@list.lu
Agenda
1.
2.
3.
4.
5.
Motivation
Security requirements engineering
Challenges and issues
Proposal
References
Source:
http://www.lemondeinformatique.fr
How?
Private key
The issues
Zuccato et al. report that (1) SRE is in practice
frequently performed by security non-experts,
(2) security expertise is scarce, and (3)
security requirements and their dependencies
are often not directly known by requirements
engineers.
Proposal
To cope with this issue, this paper proposes a
framework for engineering reusable security
requirements patterns in the context of the current
requirements engineering practices for complex
systems.
In particular, the proposed framework consists in a
set of methods and models that gathers simple
and complex patterns according to their
complexity level and the security deployment level
of the project.
10
This framework aims to organize the elements that should be taken into account to build
and manage complex security patterns in function of:
(vertical axis) the complexity level of the security criteria that should be considered and
(horizontal axis) the security deployment life cycle of the information system
11
Access rights
mgt tool
6. Give access
Eg.: Employee
2. Crypted PW
3. PW in clear
Access rights
policy
Encryption
Engine
Re1
User authentication
Re2
PW encryption
Security Pattern :
Traditional Access
rights management
1. Access request
(Crypted Name/
Crypted PW)
8. Give access
Eg.:
Anonymous
User
2. Crypted name
3 Name in clear
5. PW in clear
Access rights
policy
4. Crypted PW
Encryption
Engine 1
Re1
User authentication
Re2
PW encryption
Re3
User privacy
Encryption
Engine 2
System of security
patterns : Cloud
specific Access
rights management
Cloud:
authentication
Re1
Re2
encryption
and Re3=Re1+Re2+Re3
Re1
Re3
privacy
Re2
encryption
(Schumacher, 2003)
References
Object Oriented
Approaches
UML Profils
RiskRep
UMLSec
Extended I*
ISSRM
SecureUML
Secure Tropos
CORAS
Use Case
EBIOS
Industrial
approaches
MisuseCase
MEHARI
AbuseCase
Security UseCase
26