
Security Requirements Formalization with RQCODE

CyberSecurity in a DevOps Environment

Abstract

Security requirements vary in nature and form. They may come from compliance checklists, implementation guidelines, corporate standards, and reports from organizations such as NIST, MITRE, and OWASP. Depending on the context, stakeholders may express additional requirements to address threats and vulnerabilities as quickly as possible. Requirements are usually expressed in natural language, sometimes accompanied by tests, fixes, or descriptions of attack vectors. Analyzing, managing, verifying, validating, and tracing the requirements is therefore challenging, as it relies heavily on human activity. Formalizing requirements for automated analysis and reuse can help to reduce error-prone human activities. Seamless Object-Oriented Requirement (SOOR) promotes a paradigm of multi-requirement views. In this paradigm, requirements are classes described in an object-oriented programming (OOP) language that combines representations in natural language with those in formal languages, such as LTL or Eiffel. The embedded formal language representations can provide a means for validating requirements. In addition, the major advantage is that OOP supports seamless reuse of requirements classes and extensions through inheritance or associations. RQCODE is a novel approach based firstly on the implementation of SOOR in Java, and secondly on the applicability of SOOR to security requirements. It provides a lightweight formalization through associated tests that validate and strengthen system security according to the Security Technical Implementation Guide (STIG). We argue that RQCODE offers several advantages for formalizing, reusing, analyzing, and validating security requirements by automated means. In this chapter, we discuss the challenges of requirements specification in the cybersecurity domain and present our RQCODE approach.
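The following Java sketch is an added illustration of the idea in the abstract, not code from the chapter or from the RQCODE repository: a requirement is a class that carries its natural-language statement together with an executable check, and is reused through inheritance and association. All type names, requirement IDs and the package inventory are hypothetical and constructed for the example.

```java
import java.util.*;

// Added illustration; every type name here is hypothetical, not RQCODE's API.
public class RequirementsAsClasses {
    enum Status { PASS, FAIL, INCOMPLETE }

    /** A requirement carries both views: natural-language text and an executable check. */
    static abstract class Requirement {
        final String id, statement;
        Requirement(String id, String statement) { this.id = id; this.statement = statement; }
        abstract Status check(Optional<Set<String>> installedPackages);
    }

    /** Reusable pattern: "package X must not be installed". */
    static class PackageAbsent extends Requirement {
        private final String pkg;
        PackageAbsent(String id, String pkg) {
            super(id, "The system must not have the " + pkg + " package installed.");
            this.pkg = pkg;
        }
        @Override Status check(Optional<Set<String>> installed) {
            // No inventory means the check could not run; never report PASS by default.
            if (installed.isEmpty()) return Status.INCOMPLETE;
            return installed.get().contains(pkg) ? Status.FAIL : Status.PASS;
        }
    }

    /** Reuse through association: a baseline is itself a requirement over its parts. */
    static class Baseline extends Requirement {
        private final List<Requirement> parts;
        Baseline(String id, String statement, List<Requirement> parts) {
            super(id, statement);
            this.parts = parts;
        }
        @Override Status check(Optional<Set<String>> installed) {
            Status worst = Status.PASS;
            for (Requirement r : parts) {
                Status s = r.check(installed);
                System.out.printf("  %-8s %-10s %s%n", r.id, s, r.statement);
                if (s == Status.FAIL) worst = Status.FAIL;
                else if (s == Status.INCOMPLETE && worst == Status.PASS) worst = s;
            }
            return worst;
        }
    }

    public static void main(String[] args) {
        // Constructed inventory and placeholder IDs; not taken from any STIG.
        Set<String> host = Set.of("openssh-server", "telnetd", "auditd");
        Baseline b = new Baseline("EX-BASE", "Legacy remote-access services are removed.",
            List.of(new PackageAbsent("EX-001", "telnetd"),
                    new PackageAbsent("EX-002", "rsh-server")));
        System.out.println(b.id + " -> " + b.check(Optional.of(host)));
        System.out.println(b.id + " -> " + b.check(Optional.empty()));
    }
}
```

With the constructed inventory the baseline fails because of `telnetd`, and with no inventory it reports `INCOMPLETE` rather than passing, which keeps an unrun check from being read as compliance.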


Notes

  1. More details of the example are in https://github.com/VeriDevOps/RQCODE/tree/master/src/main/java/rqcode/example

  2. More temporal patterns in Java on GitHub: https://github.com/VeriDevOps/RQCODE/tree/master/src/main/java/rqcode/temporal_patterns

  3. https://www.stigviewer.com/stig/canonical_ubuntu_18.04_lts/2021-06-16/finding/V-219157

  4. https://www.stigviewer.com/stig/canonical_ubuntu_18.04_lts/2021-06-16/finding/V-219158

References

  1. J.M. Bruel, S. Ebersold, F. Galinier, M. Mazzara, A. Naumchev, B. Meyer, ACM Comput. Surv. 54(5), 93:1 (2021). https://doi.org/10.1145/3448975

  2. D. Zowghi, C. Coulin, in Engineering and Managing Software Requirements, ed. by A. Aurum, C. Wohlin (Springer, Berlin/Heidelberg, 2005), pp. 19–46. https://doi.org/10.1007/3-540-28244-0_2


  3. IEEE 830-1993, IEEE Recommended Practice for Software Requirements Specifications. https://standards.ieee.org/ieee/830/1221/

  4. A. Chakraborty, M.K. Baowaly, A. Arefin, A.N. Bahar, J. Emerg. Trends Comput. Inf. Sci. 3(5) (2012)


  5. D. Firesmith, et al., J. Object Technol. 2(1), 53 (2003)


  6. B. Guttman, E. Roback, NIST (1995). https://www.nist.gov/publications/introduction-computer-security-nist-handbook. Last Modified: 2018-11-10T10:11-05:00 Publisher: Barbara Guttman, E Roback

  7. I.E. Commission, others, IEC 62443: Security for Industrial Automation and Control Systems–Part 4-1: Secure Product Development Lifecycle Requirements. Tech. rep. (2018)


  8. Security Technical Implementation Guide (STIG) Complete List. https://www.stigviewer.com/stigs

  9. OWASP Web Security Testing Guide | OWASP Foundation. https://owasp.org/www-project-web-security-testing-guide/

  10. G. Sabaliauskaite, A. Loconsole, E. Engström, M. Unterkalmsteiner, B. Regnell, P. Runeson, T. Gorschek, R. Feldt, in Requirements Engineering: Foundation for Software Quality, ed. by R. Wieringa, A. Persson. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 2010), pp. 128–142. https://doi.org/10.1007/978-3-642-14192-8_14

  11. L. Karlsson, Å.G. Dahlstedt, B. Regnell, J.N. och Dag, A. Persson, Inf. Softw. Technol. 49(6), 588 (2007)

  12. D. Cuddeback, A. Dekhtyar, J. Hayes, in 2010 18th IEEE International Requirements Engineering Conference (2010), pp. 231–240. https://doi.org/10.1109/RE.2010.35. ISSN: 2332-6441

  13. R. Kasauli, G. Liebel, E. Knauss, S. Gopakumar, B. Kanagwa, in 2017 IEEE 25th International Requirements Engineering Conference (RE) (IEEE, 2017), pp. 352–361


  14. E.M. Schön, D. Winter, M.J. Escalona, J. Thomaschewski, in International Conference on Agile Software Development (Springer, Cham, 2017), pp. 37–51


  15. I. Inayat, S.S. Salim, S. Marczak, M. Daneva, S. Shamshirband, Comput. Hum. Behav. 51, 915 (2015)


  16. C. Rolland, C. Proix (2006), pp. 257–277. https://doi.org/10.1007/BFb0035136

  17. Finite Automata. https://www.cs.rochester.edu/u/nelson/courses/csc_173/fa/fa.html

  18. J.R. Abrial, Modeling in Event-B: System and Software Engineering (Cambridge University Press, 2010). Google-Books-ID: 23UgAwAAQBAJ


  19. D. Jackson, Software Abstractions, Revised Edition: Logic, Language, and Analysis (MIT Press, 2011)


  20. D. Bouskela, A. Falcone, A. Garro, A. Jardin, M. Otter, N. Thuy, A. Tundis, Requir. Eng. 27(1), 1 (2022). https://doi.org/10.1007/s00766-021-00359-z


  21. D. Bjørner, in Mathematical Studies of Information Processing, ed. by E.K. Blum, M. Paul, S. Takasu. Lecture Notes in Computer Science (Springer, Berlin/Heidelberg, 1979), pp. 326–359. https://doi.org/10.1007/3-540-09541-1_33

  22. D.L. Parnas, in The Future of Software Engineering, ed. by S. Nanz (Springer, Berlin/Heidelberg, 2011), pp. 125–148. https://doi.org/10.1007/978-3-642-15187-3_8

  23. A. Naumchev, B. Meyer, Computer Languages, Systems & Structures 49, 119 (2017). https://doi.org/10.1016/j.cl.2017.04.001. https://www.sciencedirect.com/science/article/pii/S1477842416301981

  24. S. Konrad, B.H. Cheng, L.A. Campbell, R. Wassermann, Requirements Engineering for High Assurance Systems (RHAS’03), vol. 11 (2003). https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:df310295-34de-492a-b389-5359146eed19

  25. R. Wassermann, B.H. Cheng, in Michigan State University, PLoP Conference on Citeseer (Citeseer, 2003). https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:562417be-c44d-47d7-a9c5-bc366f207ca9

  26. I. Siveroni, A. Zisman, G. Spanoudakis, in 2008 Third International Conference on Availability, Reliability and Security (IEEE, 2008), pp. 96–103. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:9b2d1580-441d-4aef-8914-2b6cd4e3b3d1

  27. I. Siveroni, A. Zisman, G. Spanoudakis, Requir. Eng. 15(1), 95 (2010). https://doi.org/10.1007/s00766-009-0091-y


  28. A. Zisman, in Second International Conference on Internet and Web Applications and Services (ICIW’07) (IEEE, 2007), pp. 8–8


  29. J. Dong, T. Peng, Y. Zhao, Inf. Softw. Technol. 52(3), 274 (2010)


  30. S. Ouchani, O.A. Mohamed, M. Debbabi, M. Pourzandi, in Software Engineering Research, Management and Applications 2010 (Springer, 2010), pp. 163–177


  31. S. Ouchani, O.A. Mohamed, M. Debbabi, in 2013 IEEE 7th International Conference on Software Security and Reliability (IEEE, 2013), pp. 227–236. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:f71fe199-99f8-4c77-bd6d-2122f84d3cec

  32. S. Ouchani, M. Debbabi, Computing 97(7), 691 (2015)


  33. S. Ouchani, Y. Jarraya, O.A. Mohamed, in 2011 Ninth Annual International Conference on Privacy, Security and Trust (IEEE, 2011), pp. 142–149. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:2f653129-e94b-46e0-a9e5-55614133ab3b

  34. R.C. Martin, Object Mentor 1(34), 597 (2000)


  35. M. Kwiatkowska, G. Norman, D. Parker, in International Conference on Modelling Techniques and Tools for Computer Performance Evaluation (Springer, 2002), pp. 200–204


  36. H. Kaiya, S. Kono, S. Ogata, T. Okubo, N. Yoshioka, H. Washizaki, K. Kaijiri, in International Conference on Advanced Information Systems Engineering (Springer, 2014), pp. 343–348


  37. I. Williams, X. Yuan, in 2017 IEEE Cybersecurity Development (SecDev) (IEEE, 2017), pp. 85–86


  38. I. Williams, in 2018 IEEE 26th International Requirements Engineering Conference (RE) (IEEE, 2018), pp. 448–453


  39. G. McGraw, IEEE Secur. Privacy 2(2), 80 (2004)


  40. J. Jürjens, in International Conference on The Unified Modeling Language (Springer, 2002), pp. 412–425


  41. A. Sudhodanan, A. Armando, R. Carbone, L. Compagna, others, in NDSS (2016)


  42. B. Smith, L. Williams, in 2012 IEEE Sixth International Conference on Software Security and Reliability (IEEE, 2012), pp. 108–117


  43. M. Felderer, M. Büchler, M. Johns, A.D. Brucker, R. Breu, A. Pretschner, in Advances in Computers, vol. 101, ed. by A. Memon (Elsevier, 2016), pp. 1–51. https://doi.org/10.1016/bs.adcom.2015.11.003. https://www.sciencedirect.com/science/article/pii/S0065245815000649

  44. I. Schieferdecker, J. Grossmann, M. Schneider, arXiv preprint arXiv:1202.6118 (2012)


  45. J. Großmann, M. Schneider, J. Viehmann, M.F. Wendland, in International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (Springer, 2014), pp. 322–336


  46. M.S. Lund, B. Solhaug, K. Stølen, Model-Driven Risk Analysis: the CORAS Approach (Springer Science & Business Media, 2010)


  47. J. Botella, B. Legeard, F. Peureux, A. Vernotte, in International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (Springer, 2014), pp. 337–352. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:decdf192-2e7b-45cf-b6fe-0c517eb8b764

  48. F. Bouquet, C. Grandpierre, B. Legeard, F. Peureux, in Proceedings of the 3rd International Workshop on Automation of Software Test (2008), pp. 45–48


  49. F. Lebeau, B. Legeard, F. Peureux, A. Vernotte, in 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops (IEEE, 2013), pp. 445–452. https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:9769a8fb-23f9-4eec-a146-da36d95333a8

  50. A. Naumchev, Requirements templates in Eiffel (2021). https://github.com/anaumchev/requirements_templates. Original-date: 2018-08-04T06:58:02Z

  51. K. Ismaeel, A. Naumchev, A. Sadovykh, D. Truscan, E.P. Enoiu, C. Seceleanu, in 2021 IEEE 29th International Requirements Engineering Conference Workshops (REW) (2021), pp. 357–363. https://doi.org/10.1109/REW53955.2021.00063

  52. S. Chidamber, C. Kemerer, IEEE Trans. Softw. Eng. 20(6), 476 (1994). https://doi.org/10.1109/32.295895. Conference Name: IEEE Transactions on Software Engineering

  53. G. Succi, W. Pedrycz, S. Djokic, P. Zuliani, B. Russo, Empir. Softw. Eng. 10(1), 81 (2005). https://doi.org/10.1023/B:EMSE.0000048324.12188.a2


  54. M.B. Dwyer, G.S. Avrunin, J.C. Corbett, in Proceedings of the 21st International Conference on Software Engineering (1999), pp. 411–420


  55. A. Sadovykh, Rqcode framework on github (2022). https://github.com/VeriDevOps/RQCODE

  56. E. Miranda, in Agile Processes in Software Engineering and Extreme Programming, ed. by V. Stray, K.J. Stol, M. Paasivaara, P. Kruchten (Springer International Publishing, Cham, 2022), Lecture Notes in Business Information Processing, pp. 19–34. https://doi.org/10.1007/978-3-031-08169-9_2

  57. J. Smart, BDD in Action: Behavior-Driven Development for the Whole Software Lifecycle (Simon and Schuster, 2014)


  58. A. Mavin, P. Wilkinson, in 2010 18th IEEE International Requirements Engineering Conference (2010), pp. 277–282. https://doi.org/10.1109/RE.2010.39. ISSN: 2332-6441

  59. D. Flemström, H. Jonsson, E.P. Enoiu, W. Afzal, in 2021 14th IEEE Conference on Software Testing, Verification and Validation (ICST) (2021), pp. 351–361. https://doi.org/10.1109/ICST49551.2021.00047. ISSN: 2159-4848

  60. S. Friedenthal, A. Moore, R. Steiner, A Practical Guide to SysML: The Systems Modeling Language (Morgan Kaufmann, 2014)


  61. V. Debruyne, F. Simonot-Lion, Y. Trinquet, in Architecture Description Languages, ed. by P. Dissaux, M. Filali-Amine, P. Michel, F. Vernadat (Springer US, Boston, MA, 2005), IFIP The International Federation for Information Processing, pp. 181–195. https://doi.org/10.1007/0-387-24590-1_12

  62. M.M. Lankhorst, H.A. Proper, H. Jonkers, in Enterprise, Business-Process and Information Systems Modeling, ed. by T. Halpin, J. Krogstie, S. Nurcan, E. Proper, R. Schmidt, P. Soffer, R. Ukor. Lecture Notes in Business Information Processing (Springer, Berlin/Heidelberg, 2009), pp. 367–380. https://doi.org/10.1007/978-3-642-01862-6_30

  63. M. Strecker, in International Conference on Automated Deduction (Springer, 2002), pp. 63–77


  64. K. Lano, The B Language and Method: A Guide to Practical Formal Development (Springer Science & Business Media, 2012). Google-Books-ID: aoPuBwAAQBAJ


  65. A. Bauer, M. Leucker, C. Schallhart, ACM Trans. Softw. Eng. Methodol. 20(4), 14:1 (2011). https://doi.org/10.1145/2000799.2000800

  66. M. Jackson, Inf. Softw. Technol. 47(14), 903 (2005). https://doi.org/10.1016/j.infsof.2005.08.004. https://www.sciencedirect.com/science/article/pii/S0950584905001229

  67. H. Foster, S. Uchitel, J. Magee, J. Kramer, in Proceedings of the 28th International Conference on Software Engineering, ICSE ’06 (Association for Computing Machinery, New York, NY, USA, 2006), pp. 771–774. https://doi.org/10.1145/1134285.1134408

  68. A. Sadovykh, G. Widforss, D. Truscan, E.P. Enoiu, W. Mallouli, R. Iglesias, A. Bagnato, O. Hendel, in 2021 Design, Automation Test in Europe Conference Exhibition (DATE) (2021), pp. 1330–1333. https://doi.org/10.23919/DATE51398.2021.9474185. ISSN: 1558-1101


Acknowledgements

This work is partially supported by the VeriDevOps [68] project funded by the Horizon 2020 program under the grant agreement No. 957212 (VeriDevOps project).


Corresponding author

Correspondence to Andrey Sadovykh.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter


Cite this chapter

Sadovykh, A., Messe, N., Nigmatullin, I., Ebersold, S., Naumcheva, M., Bruel, JM. (2024). Security Requirements Formalization with RQCODE. In: Sadovykh, A., Truscan, D., Mallouli, W., Cavalli, A.R., Seceleanu, C., Bagnato, A. (eds) CyberSecurity in a DevOps Environment. Springer, Cham. https://doi.org/10.1007/978-3-031-42212-6_3


  • DOI: https://doi.org/10.1007/978-3-031-42212-6_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42211-9

  • Online ISBN: 978-3-031-42212-6

  • eBook Packages: Computer Science, Computer Science (R0)
