Redefining Security Engineering

Abstract

For a long time, security was not in the focus of software engineering and system engineering processes. Only quite recently the situation has changed and security issues are now more and more integrated into concrete steps of the development process. Various approaches exist for the elicitation of security requirements, for threat modeling, for risk analysis, or for security testing. These different approaches are more-and-more adapted for practical use and become integrated parts of software development life-cycles. Nevertheless, they only support isolated steps in the process (e.g. security of code) or concentrate on particular types of requirements (e.g. for access control). The long-term goal for security engineering shall be the establishment of processes supporting all steps of the engineering process in an integrated way and to co-ordinate the contributions by different roles in this process. This paper identifies the different tasks of security engineering and discusses what parts of these tasks can be realised by using existing approaches. Further, three embedded scenarios are used to identify some concrete requirements for a security engineering process. This discussion shall show the scope of future research and developments in the area of security engineering and motivate inter-disciplinary approaches to establish security engineering as a research discipline.