Abstract
The feedback from architectural decisions to the elaboration of requirements is an established concept in the software engineering community. However, pinpointing the nature of this feedback in a precise way is a largely open problem. Often, the feedback is generically characterized as additional qualities that might be affected by an architect’s choice. This paper provides a practical perspective on this problem by leveraging architectural security patterns. The contribution of this paper is the Security Twin Peaks model, which serves as an operational framework to co-develop security in the requirements and the architectural artifacts.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Bandara, A., Shinpei, H., Jürjens, J., Kaiya, H., Kubo, A., Laney, R., Mouratidis, H., Nhlabatsi, A., Nuseibeh, B., Tahara, Y., Tun, T., Washizaki, H., Yoshioka, N., Yu, Y.: Security patterns: Comparing modeling approaches. Technical Report 2009/06 (2009)
Bass, L., Clements, P., Kazman, R.: Software Architecture in Practice, 1st edn. Addison-Wesley, Reading (1998)
Blakley, B., Heath, C., Members of The Open Group Security Forum: Security design patterns. The Open Group (2004)
Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., Stal, M.: Pattern-Oriented Software Architecture: A system of Patterns. Wiley, Chichester (1996)
Côté, I., Heisel, M., Wentzlaff, I.: Pattern-based Exploration of Design Alternatives for the Evolution of Software Architectures. International Journal of Cooperative Information Systems, World Scientific Publishing Company Special Issue of the Best Papers of the ECSA 2007 (December 2007)
Dougherty, C., Sayre, K., Seacord, R.C., Svoboda, D., Togashi, K.: Secure design patterns. Tech. Rep. CMU/SEI-2009-TR-010, Carnegie Mellon Software Engineering Institute (2009)
Fernandez, E.B., Larrondo-Petrie, M.M., Sorgente, T., Vanhilst, M.: A Methodology to Develop Secure Systems Using Patterns. In: Integrating Security and Software Engineering: Advances and Future Visions, pp. 107–126 (2007)
Giorgini, P., Mouratidis, H.: Secure tropos: A security-oriented extension of the tropos methodology. International Journal of Software Engineering and Knowledge Engineering 17(2), 285–309 (2007)
Haley, C.B., Laney, C.R., Moffett, D.J., Nuseibeh, B.: Security requirements engineering: A framework for representation and analysis. IEEE Transactions on Software Engineering 34(1), 133–153 (2008)
Haley, C.B., Moffett, J.D., Laney, R., Nuseibeh, B.: A framework for security requirements engineering. In: Proceedings of the International Workshop on Software Engineering for Secure Systems (SESS), pp. 35–42. ACM Press, New York (2006)
Haley, C.B., Nuseibeh, B.: Bridging requirements and architecture for systems of systems. In: Proceedings of the International Symposium on Information Technology (ITSim), vol. 4, pp. 1–8 (2008)
Hall, J.G., Rapanotti, L., Jackson, M.: Problem oriented software engineering: Solving the package router control problem. IEEE Transactions on Software Engineering 34(2), 226–241 (2008)
Heyman, T., Yskout, K., Scandariato, R., Joosen, W.: An analysis of the security patterns landscape. In: Proceedings of the International Workshop on Software Engineering for Secure Systems (SESS), pp. 3–10. IEEE Computer Society, Los Alamitos (2007)
Islam, S., Mouratidis, H., Jürjens, J.: A framework to support alignment of secure software engineering with legal regulations. Journal of Software and Systems Modeling (March 2010) (published online first)
Jackson, M.: Problem Frames. Analyzing and structuring software development problems. Addison-Wesley, Reading (2001)
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)
Kienzle, D.M., Elder, M.C., Tyree, D., Edwards-Hewitt, J.: Security patterns repository (2002)
Mouratidis, H., Jürjens, J.: From goal-driven security requirements engineering to secure design. International Journal of Intelligent Systems – Special Issue on Goal-Driven Requirements Engineering 25(8), 813–840 (2010)
Mouratidis, H., Jürjens, J., Fox, J.: Towards a comprehensive framework for secure systems development. In: Dubois, E., Pohl, K. (eds.) CAiSE 2006. LNCS, vol. 4001, pp. 48–62. Springer, Heidelberg (2006)
Mouratidis, H., Weiss, M., Giorgini, P.: Modelling secure systems using an agent oriented approach and security patterns. International Journal of Software Engineering and Knowledge Engineering (IJSEKE) 16(3), 471–498 (2006)
Nhlabatsi, A., Nuseibeh, B., Yu, Y.: Security requirements engineering for evolving software systems: A survey. Journal of Secure Software Engineering 1(1), 54–73 (2009)
Nuseibeh, B.: Weaving together requirements and architectures. Computer 34(3), 115–117 (2001)
Schmidt, H.: A Pattern- and Component-Based Method to Develop Secure Software. Deutscher Wissenschafts-Verlag (DWV), Baden-Baden (April 2010)
Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns: Integrating Security and Systems Engineering. Wiley & Sons, Chichester (2005)
Steel, C., Nagappan, R., Lai, R.: Core security patterns: Best practices and strategies for J2EE, web services, and identity management (2005)
van Lamsweerde, A.: From system goals to software architecture. In: Bernardo, M., Inverardi, P. (eds.) SFM 2003. LNCS, vol. 2804, pp. 25–43. Springer, Heidelberg (2003)
van Lamsweerde, A.: Requirements Engineering: From System Goals to UML Models to Software Specifications. Wiley, Chichester (March 2009)
Weiss, M.: Modeling security patterns using NFR analysis. In: Integrating Security and Software Engineering, pp. 127–141. Idea Group, USA (2007)
Weiss, M., Mouratidis, H.: Selecting security patterns that fulfill security requirements. In: IEEE International Requirements Engineering Conference (2008)
Yoder, J., Barcalow, J.: Architectural patterns for enabling application security. In: Proceedings of the International Patterns Language of Programming (PLoP) Conference (1997)
Yskout, K., Scandariato, R., De Win, B., Joosen, W.: Transforming security requirements into architecture. In: Proceedings of the International Conference on Availability, Reliability and Security (AReS), pp. 1421–1428. IEEE Computer Society, Washington, DC (2008)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Heyman, T., Yskout, K., Scandariato, R., Schmidt, H., Yu, Y. (2011). The Security Twin Peaks. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_13
Download citation
DOI: https://doi.org/10.1007/978-3-642-19125-1_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19124-4
Online ISBN: 978-3-642-19125-1
eBook Packages: Computer ScienceComputer Science (R0)