Abstract
The specification of security requirements for systems of systems is often an activity that is forced upon non-security experts and performed under time pressure. This paper describes how we have addressed this problem by using a collection of modular safeguards, which are tailored to the application domain. These safeguards, which are specific but still fairly atomic, are combined into requirement profiles that seamlessly integrate into the overall development approach. These safeguards are grouped into 15 classes which subsume requirements that aim for low, medium and high security capabilities. Each requirement is further specified with a technical description defining actual values. To achieve a holistic coverage, we have created requirement profiles that define combinations of modular safeguards and have added complementary organizational safeguards. We will show how we have developed this approach over the years and present our practical experiences of the seamless integration into the development life cycle.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Zuccato, A., Endersz, V., Daniels, N.: Security requirement Engineering at a Telekom Provider. In: Jakoubi, S., Tjoa, S., Weippl, E. (eds.) ARES 2008 Proceedings, pp. 1139–1147. IEEE Computer Society, Los Alamitos (2008)
Bishop, M.: Computer Security: Art and Science. Addison Wesley, Reading (2003)
International Organization for Standardization: ISO/IEC 15408:2005 - Common Criteria for Information Technology Evaluation (2005)
National Institute of Standards and Technology: Special publications (800 series) (2009), http://csrc.nist.gov/publications/PubsSPs.html
Zuccato, A.: Holistic security requirement engineering for electronic commerce. Computers & Security 23(1), 63–76 (2004)
Mead, N., Hough, E., Stehney II, T.: Security Quality Requirements Engineering (SQUARE) Methodology. SEI Technical Report (2005)
McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: Proceeding of the 15th Annual Computer Security Applications Conference, pp. 55–64. IEEE, Los Alamitos (1999)
Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10(1), 34–44 (2005)
International Organization for Standardization: ISO/IEC 27001:2005, IInformation technology – Security techniques – Information security management systems – Requirements (2005)
International Organization for Standardization: ISO/IEC 15408-2:1999 Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional requirements (1999)
Schumacher, M., Fernandez-Buglioni, E., abd Frank Buschman, D.H., Sommerlad, P.: Security Patterns - Integrating Security and Systems Engineering. Wiley, Chichester (2006)
Burr, W.E., Dodson, D.F., Polk, W.T.: Electronic Authentication Guideline. NIST Special Publication 800-63 Version 1.0.2, National Institute of Standards and Technology (2006)
International Organization for Standardization: ISO/IEC 9000:2000 Quality management systems - Fundamentals and vocabulary (2000)
SSE-CMM Project: Systems Security Engineering Capability Maturity Model. v 3.0 edn. (2003)
Zuccato, A., Kögler, C.: Functional security testing – closing the gap between software testing and security testing: A case from a telecom provider. In: Massacci, F., Redwine Jr., S.T., Zannone, N. (eds.) ESSoS 2009. LNCS, vol. 5429, pp. 185–194. Springer, Heidelberg (2009)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zuccato, A., Daniels, N., Jampathom, C., Nilson, M. (2010). Report: Modular Safeguards to Create Holistic Security Requirement Specifications for System of Systems. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_17
Download citation
DOI: https://doi.org/10.1007/978-3-642-11747-3_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer ScienceComputer Science (R0)