Maintaining Security in Software Evolution

  • Jan Jürjens
  • Kurt Schneider
  • Jens Bürger
  • Fabien Patrick Viertel
  • Daniel Strüber
  • Michael Goedicke
  • Ralf Reussner
  • Robert Heinrich
  • Emre Taşpolatoğlu
  • Marco Konersmann
  • Alexander Fay
  • Winfried Lamersdorf
  • Jan Ladiges
  • Christopher Haubeck
Open Access


In this chapter, we introduce a three-layered framework for maintaining security in software evolution at design time and run time. Additionally, we present a suite of five approaches that employ the framework. Two approaches operate at design time: one uses knowledge extracted from natural-language documents to identify potential steps for co-evolving the system’s design, and the other integrates architecture model information with program code. A third approach bridges design time and run time to support architects as the software evolves. The two remaining approaches focus on run-time security maintenance. The fourth approach monitors run-time information to detect suspicious behaviour and reacts to it automatically by adapting the system with mitigation, while the fifth approach focuses on interdisciplinary changes in automation software. In combination, the approaches address current challenges for security maintenance at design time and run time.



Copyright information

© The Author(s) 2019

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

Authors and Affiliations

  • Jan Jürjens (1)
  • Kurt Schneider (2)
  • Jens Bürger (1)
  • Fabien Patrick Viertel (2)
  • Daniel Strüber (1)
  • Michael Goedicke (3)
  • Ralf Reussner (4)
  • Robert Heinrich (4)
  • Emre Taşpolatoğlu (5)
  • Marco Konersmann (6)
  • Alexander Fay (7)
  • Winfried Lamersdorf (8)
  • Jan Ladiges (7)
  • Christopher Haubeck (8)

  1. Institute for Computer Science, University of Koblenz-Landau, Koblenz, Germany
  2. Institute of Software Engineering, Leibniz Universität Hannover, Hannover, Germany
  3. paluno – The Ruhr Institute for Software Technology, Specification of Software Systems, Universität Duisburg-Essen, Essen, Germany
  4. Institute for Program Structures and Data Organization, Karlsruhe Institute of Technology (KIT), Karlsruhe, Germany
  5. Department of Software Engineering, FZI Forschungszentrum Informatik, Karlsruhe, Germany
  6. Institute for Software Technology, Research Group Software Engineering, Universität Koblenz-Landau, Koblenz, Germany
  7. Institute of Automation Technology, Helmut Schmidt University, Hamburg, Germany
  8. MIN-Faculty, Department of Informatics, Distributed Systems, Universität Hamburg, Hamburg, Germany
