发布求助
文献互助 智能选刊 最新文献

2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)最新文献

筛选
英文 中文
Pattern-based and ISO 27001 compliant risk analysis for cloud systems 基于模式和符合ISO 27001标准的云系统风险分析
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-09-08 DOI: 10.1109/ESPRE.2014.6890527
A. Alebrahim, Denis Hatebur, Ludger Goeke
{"title":"Pattern-based and ISO 27001 compliant risk analysis for cloud systems","authors":"A. Alebrahim, Denis Hatebur, Ludger Goeke","doi":"10.1109/ESPRE.2014.6890527","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890527","url":null,"abstract":"For accepting clouds and using cloud services by companies, security plays a decisive role. For cloud providers, one way to obtain customers' confidence is to establish security mechanisms when using clouds. The ISO 27001 standard provides general concepts for establishing information security in an organization. Risk analysis is an essential part in the ISO 27001 standard for achieving information security. This standard, however, contains ambiguous descriptions. In addition, it does not stipulate any method to identify assets, threats, and vulnerabilities. In this paper, we present a structured and pattern-based method to conduct risk analysis for cloud computing systems. It is tailored to SMEs. Our method addresses the requirements of the ISO 27001. We make use of the cloud system analysis pattern, security requirement patterns, threat patterns, and control patterns for conducting the risk analysis. The method is illustrated by a cloud logistics application example.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125640072","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 6
Supporting evolving security models for an agile security evaluation 支持不断发展的安全模型,以实现敏捷的安全评估
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-09-08 DOI: 10.1109/ESPRE.2014.6890525
Wolfgang Raschke, Massimiliano Zilli, Philip Baumgartner, Johannes Loinig, C. Steger, Christian Kreiner
{"title":"Supporting evolving security models for an agile security evaluation","authors":"Wolfgang Raschke, Massimiliano Zilli, Philip Baumgartner, Johannes Loinig, C. Steger, Christian Kreiner","doi":"10.1109/ESPRE.2014.6890525","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890525","url":null,"abstract":"At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today's volatile markets customers want to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash with traditional security design and evaluation processes. In this paper, we propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"103 24","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"113945917","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 11
Towards a framework to measure security expertise in requirements analysis 建立一个框架来衡量需求分析中的安全专家
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-09-08 DOI: 10.1109/ESPRE.2014.6890522
Hanan Hibshi, T. Breaux, M. Riaz, L. Williams
{"title":"Towards a framework to measure security expertise in requirements analysis","authors":"Hanan Hibshi, T. Breaux, M. Riaz, L. Williams","doi":"10.1109/ESPRE.2014.6890522","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890522","url":null,"abstract":"Research shows that commonly accepted security requirements are not generally applied in practice. Instead of relying on requirements checklists, security experts rely on their expertise and background knowledge to identify security vulnerabilities. To understand the gap between available checklists and practice, we conducted a series of interviews to encode the decision-making process of security experts and novices during security requirements analysis. Participants were asked to analyze two types of artifacts: source code, and network diagrams for vulnerabilities and to apply a requirements checklist to mitigate some of those vulnerabilities. We framed our study using Situation Awareness-a cognitive theory from psychology-to elicit responses that we later analyzed using coding theory and grounded analysis. We report our preliminary results of analyzing two interviews that reveal possible decision-making patterns that could characterize how analysts perceive, comprehend and project future threats which leads them to decide upon requirements and their specifications, in addition, to how experts use assumptions to overcome ambiguity in specifications. Our goal is to build a model that researchers can use to evaluate their security requirements methods against how experts transition through different situation awareness levels in their decision-making process.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"273 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115284845","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
L-SQUARE: Preliminary extension of the SQUARE methodology to address legal compliance L-SQUARE: SQUARE方法的初步扩展,以解决法律遵从问题
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-09-08 DOI: 10.1109/ESPRE.2014.6890524
Aaron Alva, Lisa R. Young
{"title":"L-SQUARE: Preliminary extension of the SQUARE methodology to address legal compliance","authors":"Aaron Alva, Lisa R. Young","doi":"10.1109/ESPRE.2014.6890524","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890524","url":null,"abstract":"Laws and regulations must be considered in the requirements engineering process to help ensure legal compliance when developing software or engineering systems. To incorporate legal compliance considerations into the requirements engineering process, we introduce a preliminary extension of the SQUARE methodology, called L-SQUARE. In this paper, we develop L-SQUARE by discussing legal compliance concerns at each of the traditional nine steps in SQUARE. Then, we link existing research in requirements engineering and the law to each step, emphasizing where compliance concerns can be addressed. This preliminary extension of SQUARE sets existing research into an established methodology for requirements engineering, creating a framework for situating current research in legal compliance, and identifying gaps for future work.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129274828","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 2
Argumentation-based security requirements elicitation: The next round 基于论证的安全需求引出:下一轮
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-08-25 DOI: 10.1109/ESPRE.2014.6890521
D. Ionita, Jan-Willem Bullee, R. Wieringa
{"title":"Argumentation-based security requirements elicitation: The next round","authors":"D. Ionita, Jan-Willem Bullee, R. Wieringa","doi":"10.1109/ESPRE.2014.6890521","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890521","url":null,"abstract":"Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-08-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"117202236","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 16
Using malware analysis to improve security requirements on future systems 使用恶意软件分析来改进未来系统的安全需求
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-08-01 DOI: 10.1109/ESPRE.2014.6890526
Naney R. Mead, J. Morales
{"title":"Using malware analysis to improve security requirements on future systems","authors":"Naney R. Mead, J. Morales","doi":"10.1109/ESPRE.2014.6890526","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890526","url":null,"abstract":"In this position paper, we propose to enhance current software development lifecycle models by including use cases, based on previous cyberattacks and their associated malware, and to propose an open research question: Are specific types of systems prone to specific classes of malware exploits? If this is the case, developers can create future systems that are more secure, from inception, by including use cases that address previous attacks.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124405069","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 3
Engineering privacy requirements valuable lessons from another realm 隐私工程需要从另一个领域获得宝贵的经验
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-08-01 DOI: 10.1109/ESPRE.2014.6890523
Y. Martín, J. D. Álamo, J. Yelmo
{"title":"Engineering privacy requirements valuable lessons from another realm","authors":"Y. Martín, J. D. Álamo, J. Yelmo","doi":"10.1109/ESPRE.2014.6890523","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890523","url":null,"abstract":"The Privacy by Design approach to systems engineering introduces privacy requirements in the early stages of development, instead of patching up a built system afterwards. However, `vague', `disconnected from technology', or `aspirational' are some terms employed nowadays to refer to the privacy principles which must lead the development process. Although privacy has become a first-class citizen in the realm of non-functional requirements and some methodological frameworks help developers by providing design guidance, software engineers often miss a solid reference detailing which specific, technical requirements they must abide by, and a systematic methodology to follow. In this position paper, we look into a domain that has already successfully tackled these problems - web accessibility -, and propose translating their findings into the realm of privacy requirements engineering, analyzing as well the gaps not yet covered by current privacy initiatives.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123153175","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 18
Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring 使用决策文档、启发式和用户监视的半自动安全需求工程和演进
2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-08-01 DOI: 10.1109/ESPRE.2014.6890520
Tom-Michael Hesse, Stefan Gärtner, T. Roehm, B. Paech, K. Schneider, B. Brügge
{"title":"Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring","authors":"Tom-Michael Hesse, Stefan Gärtner, T. Roehm, B. Paech, K. Schneider, B. Brügge","doi":"10.1109/ESPRE.2014.6890520","DOIUrl":"https://doi.org/10.1109/ESPRE.2014.6890520","url":null,"abstract":"Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements automatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128988843","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 9
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信