Abstract
Security requirements vary in nature and form. These requirements may come from compliance checklists, implementation guidelines, corporate standards, and reports from organizations such as NIST, MITRE, and OWASP. Stakeholders may express additional requirements, depending on the context, to address threats and vulnerabilities as quickly as possible. Requirements are usually expressed in natural language, sometimes accompanied by tests, fixes, or descriptions of attack vectors. Analyzing, managing, verifying, validating, and tracing the requirements is therefore challenging, as it relies heavily on human activity. Formalizing requirements for automated analysis and reuse can help to reduce error-prone human activities. Seamless Object-Oriented Requirement (SOOR) promotes a paradigm of multi-requirement views. In this paradigm, requirements are classes described in an object-oriented programming (OOP) language that combines representations in natural language with those in formal languages, such as LTL or Eiffel. The embedded formal language representations can provide means for validating requirements. In addition, the major advantage is that OOP supports seamless reuse of requirements classes and extensions through inheritance or associations. RQCODE is a novel approach based firstly on the implementation of SOOR in Java, and secondly on the applicability of SOOR to security requirements. This is done while providing a lightweight formalization through the associated tests that validate and strengthen system security according to the Security Technical Implementation Guide (STIG). We argue that the RQCODE approach offers several advantages for formalizing, reusing, analyzing, and validating security requirements by automated means. In this chapter, we discuss the challenges of requirements specification in the cybersecurity domain and present our RQCODE approach.
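To make the idea in the abstract concrete, the following Java sketch is an added example, not code from the chapter or from the RQCODE repository. It shows a requirement as a class that carries its natural-language statement together with an executable check, and a specific guideline entry that reuses a generic requirement through inheritance. All class names, the identifier, the setting key and the threshold are hypothetical.

```java
import java.util.Map;

// Added illustration; all names are hypothetical and this is not the RQCODE API.
public class RequirementDemo {
    public static void main(String[] args) {
        // Constructed sample configuration, not taken from a real system.
        Map<String, String> config = Map.of("password.min_length", "8");
        Requirement r = new PasswordLengthRequirement();
        System.out.println(r.statement() + " -> " + r.check(config));
    }
}

abstract class Requirement {
    enum Status { PASS, FAIL, INCOMPLETE }
    /** Natural-language view of the requirement. */
    abstract String statement();
    /** Executable view: a test run against the system configuration. */
    abstract Status check(Map<String, String> config);
}

/** Reusable requirement: a numeric setting must meet a minimum. */
class MinimumSettingRequirement extends Requirement {
    private final String id, key;
    private final int minimum;

    MinimumSettingRequirement(String id, String key, int minimum) {
        this.id = id; this.key = key; this.minimum = minimum;
    }

    @Override String statement() {
        return id + ": setting '" + key + "' must be at least " + minimum + ".";
    }

    @Override Status check(Map<String, String> config) {
        String raw = config.get(key);
        if (raw == null) return Status.INCOMPLETE;   // setting absent: cannot be evaluated
        try {
            return Integer.parseInt(raw.trim()) >= minimum ? Status.PASS : Status.FAIL;
        } catch (NumberFormatException e) {
            return Status.FAIL;                      // malformed value counts as non-compliant
        }
    }
}

/** Reuse through inheritance: one guideline entry specializes the generic class. */
class PasswordLengthRequirement extends MinimumSettingRequirement {
    PasswordLengthRequirement() {
        super("EXAMPLE-ID-0001", "password.min_length", 14); // placeholder id and threshold
    }
}
```

Distinguishing `INCOMPLETE` from `FAIL` keeps a missing setting from being reported as either compliant or violated when the check runs unattended.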
Notes
- 1. More details of the example are in https://github.com/VeriDevOps/RQCODE/tree/master/src/main/java/rqcode/example
- 2. More temporal patterns in Java are on GitHub: https://github.com/VeriDevOps/RQCODE/tree/master/src/main/java/rqcode/temporal_patterns
- 3.
- 4.
References
J.M. Bruel, S. Ebersold, F. Galinier, M. Mazzara, A. Naumchev, B. Meyer, ACM Comput. Surv. 54(5), 93:1 (2021). https://doi.org/10.1145/3448975
D. Zowghi, C. Coulin, in Engineering and Managing Software Requirements, ed. by A. Aurum, C. Wohlin (Springer, Berlin/Heidelberg, 2005), pp. 19–46. https://doi.org/10.1007/3-540-28244-0_2
IEEE 830-1993, IEEE Recommended Practice for Software Requirements Specifications. https://standards.ieee.org/ieee/830/1221/
A. Chakraborty, M.K. Baowaly, A. Arefin, A.N. Bahar, J. Emerg. Trends Comput. Inf. Sci. 3(5) (2012)
D. Firesmith, et al., J. Object Technol. 2(1), 53 (2003)
B. Guttman, E. Roback, NIST (1995). https://www.nist.gov/publications/introduction-computer-security-nist-handbook
I.E. Commission, others, IEC 62443: Security for Industrial Automation and Control Systems–Part 4-1: Secure Product Development Lifecycle Requirements. Tech. rep. (2018)
Security Technical Implementation Guide (STIG) Complete List. https://www.stigviewer.com/stigs
OWASP Web Security Testing Guide | OWASP Foundation. https://owasp.org/www-project-web-security-testing-guide/
G. Sabaliauskaite, A. Loconsole, E. Engström, M. Unterkalmsteiner, B. Regnell, P. Runeson, T. Gorschek, R. Feldt, in Requirements Engineering: Foundation for Software Quality, ed. by R. Wieringa, A. Persson. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2010), pp. 128–142. https://doi.org/10.1007/978-3-642-14192-8_14
L. Karlsson, Å.G. Dahlstedt, B. Regnell, J.N. och Dag, A. Persson, Inf. Softw. Technol. 49(6), 588 (2007)
D. Cuddeback, A. Dekhtyar, J. Hayes, in 2010 18th IEEE International Requirements Engineering Conference (2010), pp. 231–240. https://doi.org/10.1109/RE.2010.35. ISSN: 2332-6441
R. Kasauli, G. Liebel, E. Knauss, S. Gopakumar, B. Kanagwa, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (IEEE, 2017), pp. 352–361
E.M. Schön, D. Winter, M.J. Escalona, J. Thomaschewski, in International Conference on Agile Software Development (Springer, Cham, 2017), pp. 37–51
I. Inayat, S.S. Salim, S. Marczak, M. Daneva, S. Shamshirband, Comput. Hum. Behav. 51, 915 (2015)
C. Rolland, C. Proix (2006), pp. 257–277. https://doi.org/10.1007/BFb0035136
Finite Automata. https://www.cs.rochester.edu/u/nelson/courses/csc_173/fa/fa.html
J.R. Abrial, Modeling in Event-B: System and Software Engineering (Cambridge University Press, 2010). Google-Books-ID: 23UgAwAAQBAJ
D. Jackson, Software Abstractions, Revised Edition: Logic, Language, and Analysis (MIT Press, 2011)
D. Bouskela, A. Falcone, A. Garro, A. Jardin, M. Otter, N. Thuy, A. Tundis, Requir. Eng. 27(1), 1 (2022). https://doi.org/10.1007/s00766-021-00359-z
D. Bjørner, in Mathematical Studies of Information Processing, ed. by E.K. Blum, M. Paul, S. Takasu. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 1979), pp. 326–359. https://doi.org/10.1007/3-540-09541-1_33
D.L. Parnas, in The Future of Software Engineering, ed. by S. Nanz (Springer, Berlin/Heidelberg, 2011), pp. 125–148. https://doi.org/10.1007/978-3-642-15187-3_8
A. Naumchev, B. Meyer, Computer Languages, Systems & Structures 49, 119 (2017). https://doi.org/10.1016/j.cl.2017.04.001. https://www.sciencedirect.com/science/article/pii/S1477842416301981
S. Konrad, B.H. Cheng, L.A. Campbell, R. Wassermann, Requirements Engineering for High Assurance Systems (RHAS’03), vol. 11 (2003). https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:df310295-34de-492a-b389-5359146eed19
R. Wassermann, B.H. Cheng, in Michigan State University, PLoP Conference on Citeseer (Citeseer, 2003). https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:562417be-c44d-47d7-a9c5-bc366f207ca9
I. Siveroni, A. Zisman, G. Spanoudakis, in 2008 Third International Conference on Availability, Reliability and Security (IEEE, 2008), pp. 96–103. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:9b2d1580-441d-4aef-8914-2b6cd4e3b3d1
I. Siveroni, A. Zisman, G. Spanoudakis, Requir. Eng. 15(1), 95 (2010). https://doi.org/10.1007/s00766-009-0091-y
A. Zisman, in Second International Conference on Internet and Web Applications and Services (ICIW’07) (IEEE, 2007), pp. 8–8
J. Dong, T. Peng, Y. Zhao, Inf. Softw. Technol. 52(3), 274 (2010)
S. Ouchani, O.A. Mohamed, M. Debbabi, M. Pourzandi, in Software Engineering Research, Management and Applications 2010 (Springer, 2010), pp. 163–177
S. Ouchani, O.A. Mohamed, M. Debbabi, in 2013 IEEE 7th International Conference on Software Security and Reliability (IEEE, 2013), pp. 227–236. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:f71fe199-99f8-4c77-bd6d-2122f84d3cec
S. Ouchani, M. Debbabi, Computing 97(7), 691 (2015)
S. Ouchani, Y. Jarraya, O.A. Mohamed, in 2011 Ninth Annual International Conference on Privacy, Security and Trust (IEEE, 2011), pp. 142–149. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:2f653129-e94b-46e0-a9e5-55614133ab3b
R.C. Martin, Object Mentor 1(34), 597 (2000)
M. Kwiatkowska, G. Norman, D. Parker, in International Conference on Modelling Techniques and Tools for Computer Performance Evaluation (Springer, 2002), pp. 200–204
H. Kaiya, S. Kono, S. Ogata, T. Okubo, N. Yoshioka, H. Washizaki, K. Kaijiri, in International Conference on Advanced Information Systems Engineering (Springer, 2014), pp. 343–348
I. Williams, X. Yuan, in 2017 IEEE Cybersecurity Development (SecDev) (IEEE, 2017), pp. 85–86
I. Williams, in 2018 IEEE 26th International Requirements Engineering Conference (RE) (IEEE, 2018), pp. 448–453
G. McGraw, IEEE Secur. Privacy 2(2), 80 (2004)
J. Jürjens, in International Conference on The Unified Modeling Language (Springer, 2002), pp. 412–425
A. Sudhodanan, A. Armando, R. Carbone, L. Compagna, others, in NDSS (2016)
B. Smith, L. Williams, in 2012 IEEE Sixth International Conference on Software Security and Reliability (IEEE, 2012), pp. 108–117
M. Felderer, M. Büchler, M. Johns, A.D. Brucker, R. Breu, A. Pretschner, in Advances in Computers, vol. 101, ed. by A. Memon (Elsevier, 2016), pp. 1–51. https://doi.org/10.1016/bs.adcom.2015.11.003. https://www.sciencedirect.com/science/article/pii/S0065245815000649
I. Schieferdecker, J. Grossmann, M. Schneider, arXiv preprint arXiv:1202.6118 (2012)
J. Großmann, M. Schneider, J. Viehmann, M.F. Wendland, in International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (Springer, 2014), pp. 322–336
M.S. Lund, B. Solhaug, K. Stølen, Model-Driven Risk Analysis: the CORAS Approach (Springer Science & Business Media, 2010)
J. Botella, B. Legeard, F. Peureux, A. Vernotte, in International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (Springer, 2014), pp. 337–352. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:decdf192-2e7b-45cf-b6fe-0c517eb8b764
F. Bouquet, C. Grandpierre, B. Legeard, F. Peureux, in Proceedings of the 3rd International Workshop on Automation of Software Test (2008), pp. 45–48
F. Lebeau, B. Legeard, F. Peureux, A. Vernotte, in 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops (IEEE, 2013), pp. 445–452. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:9769a8fb-23f9-4eec-a146-da36d95333a8
A. Naumchev, Requirements templates in Eiffel (2021). https://github.com/anaumchev/requirements_templates. Original-date: 2018-08-04T06:58:02Z
K. Ismaeel, A. Naumchev, A. Sadovykh, D. Truscan, E.P. Enoiu, C. Seceleanu, in 2021 IEEE 29th International Requirements Engineering Conference Workshops (REW) (2021), pp. 357–363. https://doi.org/10.1109/REW53955.2021.00063
S. Chidamber, C. Kemerer, IEEE Trans. Softw. Eng. 20(6), 476 (1994). https://doi.org/10.1109/32.295895
G. Succi, W. Pedrycz, S. Djokic, P. Zuliani, B. Russo, Empir. Softw. Eng. 10(1), 81 (2005). https://doi.org/10.1023/B:EMSE.0000048324.12188.a2
M.B. Dwyer, G.S. Avrunin, J.C. Corbett, in Proceedings of the 21st International Conference on Software Engineering (1999), pp. 411–420
A. Sadovykh, RQCODE framework on GitHub (2022). https://github.com/VeriDevOps/RQCODE
E. Miranda, in Agile Processes in Software Engineering and Extreme Programming, ed. by V. Stray, K.J. Stol, M. Paasivaara, P. Kruchten (Springer International Publishing, Cham, 2022), Lecture Notes in Business Information Processing, pp. 19–34. https://doi.org/10.1007/978-3-031-08169-9_2
J. Smart, BDD in Action: Behavior-Driven Development for the Whole Software Lifecycle (Simon and Schuster, 2014)
A. Mavin, P. Wilkinson, in 2010 18th IEEE International Requirements Engineering Conference (2010), pp. 277–282. https://doi.org/10.1109/RE.2010.39. ISSN: 2332-6441
D. Flemström, H. Jonsson, E.P. Enoiu, W. Afzal, in 2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST) (2021), pp. 351–361. https://doi.org/10.1109/ICST49551.2021.00047. ISSN: 2159-4848
S. Friedenthal, A. Moore, R. Steiner, A Practical Guide to SysML: The Systems Modeling Language (Morgan Kaufmann, 2014)
V. Debruyne, F. Simonot-Lion, Y. Trinquet, in Architecture Description Languages, ed. by P. Dissaux, M. Filali-Amine, P. Michel, F. Vernadat (Springer US, Boston, MA, 2005), IFIP The International Federation for Information Processing, pp. 181–195. https://doi.org/10.1007/0-387-24590-1_12
M.M. Lankhorst, H.A. Proper, H. Jonkers, in Enterprise, Business-Process and Information Systems Modeling, ed. by T. Halpin, J. Krogstie, S. Nurcan, E. Proper, R. Schmidt, P. Soffer, R. Ukor. Lecture Notes in Business Information Processing (Springer, Berlin/Heidelberg, 2009), pp. 367–380. https://doi.org/10.1007/978-3-642-01862-6_30
M. Strecker, in International Conference on Automated Deduction (Springer, 2002), pp. 63–77
K. Lano, The B Language and Method: A Guide to Practical Formal Development (Springer Science & Business Media, 2012). Google-Books-ID: aoPuBwAAQBAJ
A. Bauer, M. Leucker, C. Schallhart, ACM Trans. Softw. Eng. Methodol. 20(4), 14:1 (2011). https://doi.org/10.1145/2000799.2000800
M. Jackson, Inf. Softw. Technol. 47(14), 903 (2005). https://doi.org/10.1016/j.infsof.2005.08.004. https://www.sciencedirect.com/science/article/pii/S0950584905001229
H. Foster, S. Uchitel, J. Magee, J. Kramer, in Proceedings of the 28th International Conference on Software Engineering, ICSE ’06 (Association for Computing Machinery, New York, NY, USA, 2006), pp. 771–774. https://doi.org/10.1145/1134285.1134408
A. Sadovykh, G. Widforss, D. Truscan, E.P. Enoiu, W. Mallouli, R. Iglesias, A. Bagnato, O. Hendel, in 2021 Design, Automation Test in Europe Conference Exhibition (DATE) (2021), pp. 1330–1333. https://doi.org/10.23919/DATE51398.2021.9474185. ISSN: 1558-1101
Acknowledgements
This work is partially supported by the VeriDevOps [68] project funded by the Horizon 2020 program under the grant agreement No. 957212 (VeriDevOps project).
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this chapter
Cite this chapter
Sadovykh, A., Messe, N., Nigmatullin, I., Ebersold, S., Naumcheva, M., Bruel, JM. (2024). Security Requirements Formalization with RQCODE. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_3
DOI: https://doi.org/10.1007/978-3-031-42212-6_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-42211-9
Online ISBN: 978-3-031-42212-6
eBook Packages: Computer Science, Computer Science (R0)