
Post on 16-Jan-2016


REQUIREMENTS REUSE FOR IMPROVING INFORMATION SYSTEMS SECURITY

F122028 – VIVAN Kourosh

VIVAN Kourosh - ME 2013 2

Authors

• Universidad de Murcia: Ambrosio TOVAL, Reader in Software Engineering in the Department of Computing; Joaquin NICOLAS; Begona MOROS, lecturer. She has a background in prototyping environments, software development and requirements engineering (RE).

• Universidad Politécnica de Valencia: Fernando GARCÍA


Origins

CARMMA project: develop a risk analysis using MAGERIT in the Regional Information Systems and Telecommunications Office.

One year / 5 analysts / 50 stakeholders

Results: countermeasure costs could be lower if assets were developed taking security issues into account from the beginning. But MAGERIT countermeasures are linked to threats, not to assets.


Purpose

The method takes place during elicitation and specification.

It uses a reuse repository that contains requirements derived from MAGERIT.

The method focuses on the security of the information system.

The method's results are specification documents and testing documents.


Main phases

1. Requirements selection

2. Analysis and negotiation

3. Documentation

4. Repository improvement

5. Validation


Create reuse repository


Reuse repository

Classified by domains and profiles. Domains: finance, shop... Profiles: personal data law privacy, information system security...

A requirement can be parameterized or not.


Requirements selection


Analysis and negotiation


Documentation


Repository improvement & Validation


Related literature

Toval, A., Nicolás, J., Moros, B., & García, F. (2002). Requirements reuse for improving information systems security: a practitioner's approach. Requirements Engineering, 6(4), 205-219.

Sindre, G., Firesmith, D. G., & Opdahl, A. L. (2003, June). A reuse-based approach to determining security requirements. In Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03), Klagenfurt, Austria.

Gutiérrez, C., Moros, B., Toval, A., Fernández-Medina, E., & Piattini, M. (2005, August). Security requirements for web services based on SIREN. In Symposium on Requirements Engineering for Information Security, Paris, France.

Tsang, V. W. S. Towards Analysis of Templates for Security Requirements (Doctoral dissertation, University of Auckland).


PDD


Deliverables


Example

SyRS.3.5.2.S42. The maintainability contract of the electronic equipment shall include a clause enforcing the supplier to make a commitment to solve any failure in less than [time in minutes].

SyRS: System Requirement Specification document
3.5.2: section number (3.5 System attributes)
S42: security requirement 42
Identifier scheme following the IEEE 1233 standard
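The slides describe a reuse repository classified by domains and profiles, with requirements that may carry parameters written in square brackets, and an identifier scheme of the form SyRS.<section>.S<number>. The following Python is an added example written for this page (not code from the presentation or from the SIREN/MAGERIT authors) showing how such a repository can be represented, how requirements are selected by domain and profile during the requirements selection phase, and how a parameterized requirement is instantiated for a specific system. The repository contents, apart from the SyRS.3.5.2.S42 requirement quoted on the slide, are constructed for illustration, and the check that no placeholder is left unfilled is this example's own addition: an unfilled parameter leaves the requirement untestable, so it is rejected before the specification document is produced.

```python
import re
from dataclasses import dataclass

# Parameters inside a reusable requirement are written as [name] placeholders,
# as in "[time in minutes]" in the SyRS.3.5.2.S42 example from the slides.
PARAM_RE = re.compile(r"\[([^\]]+)\]")

# Identifier scheme from the slide: <document>.<section number>.S<requirement number>
ID_RE = re.compile(r"^(?P<doc>[A-Za-z]+)\.(?P<section>\d+(?:\.\d+)*)\.S(?P<num>\d+)$")


@dataclass(frozen=True)
class ReusableRequirement:
    ident: str
    text: str
    domains: frozenset   # e.g. finance, shop
    profiles: frozenset  # e.g. information system security, personal data law privacy

    @property
    def parameters(self):
        """Placeholder names that must be filled before the requirement is usable."""
        return PARAM_RE.findall(self.text)

    @property
    def is_parameterized(self):
        return bool(self.parameters)


def parse_identifier(ident):
    """Split SyRS.3.5.2.S42 into document, section and requirement number."""
    m = ID_RE.match(ident)
    if not m:
        raise ValueError(f"malformed requirement identifier: {ident}")
    return {"document": m.group("doc"),
            "section": m.group("section"),
            "number": int(m.group("num"))}


# Constructed repository: S42 is the slide's example; S43 and S44 are invented here.
REPOSITORY = [
    ReusableRequirement(
        "SyRS.3.5.2.S42",
        "The maintainability contract of the electronic equipment shall include a clause "
        "enforcing the supplier to make a commitment to solve any failure in less than "
        "[time in minutes].",
        frozenset({"finance", "shop"}), frozenset({"information system security"})),
    ReusableRequirement(
        "SyRS.3.5.2.S43",
        "Personal data shall be deleted no later than [retention period] after the end of "
        "the business relationship.",
        frozenset({"finance"}), frozenset({"personal data law privacy"})),
    ReusableRequirement(
        "SyRS.3.5.2.S44",
        "Administrative access to the information system shall require two-factor "
        "authentication.",
        frozenset({"finance", "shop"}), frozenset({"information system security"})),
]


def select_requirements(repo, domain, profile):
    """Requirements selection phase: pick entries matching the system's domain and profile."""
    return [r for r in repo if domain in r.domains and profile in r.profiles]


def instantiate(req, values):
    """Fill every [placeholder]; refuse to produce an untestable requirement."""
    missing = [p for p in req.parameters if p not in values]
    if missing:
        raise ValueError(f"{req.ident}: unfilled parameters {missing}")
    return PARAM_RE.sub(lambda m: str(values[m.group(1)]), req.text)


def build_specification(repo, domain, profile, values):
    """Produce the instantiated requirement texts for the specification document."""
    return {r.ident: instantiate(r, values)
            for r in select_requirements(repo, domain, profile)}


if __name__ == "__main__":
    spec = build_specification(REPOSITORY, "shop", "information system security",
                               {"time in minutes": 30})
    for ident, text in spec.items():
        print(ident, parse_identifier(ident), text, sep="\n  ")
```

The same placeholder values feed the testing documents the method produces: once "[time in minutes]" is bound to a concrete number, the requirement has a measurable acceptance criterion, which is exactly why the example refuses to emit a requirement whose parameter is still open.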


Thank you
