Skip to main content
SpringerLink
Log in

Report: Modular Safeguards to Create Holistic Security Requirement Specifications for System of Systems

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5965))

Included in the following conference series:

Abstract

The specification of security requirements for systems of systems is often an activity that is forced upon non-security experts and performed under time pressure. This paper describes how we have addressed this problem by using a collection of modular safeguards, which are tailored to the application domain. These safeguards, which are specific but still fairly atomic, are combined into requirement profiles that seamlessly integrate into the overall development approach. These safeguards are grouped into 15 classes which subsume requirements that aim for low, medium and high security capabilities. Each requirement is further specified with a technical description defining actual values. To achieve a holistic coverage, we have created requirement profiles that define combinations of modular safeguards and have added complementary organizational safeguards. We will show how we have developed this approach over the years and present our practical experiences of the seamless integration into the development life cycle.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Zuccato, A., Endersz, V., Daniels, N.: Security requirement Engineering at a Telekom Provider. In: Jakoubi, S., Tjoa, S., Weippl, E. (eds.) ARES 2008 Proceedings, pp. 1139–1147. IEEE Computer Society, Los Alamitos (2008)

    Google Scholar 

  2. Bishop, M.: Computer Security: Art and Science. Addison Wesley, Reading (2003)

    Google Scholar 

  3. International Organization for Standardization: ISO/IEC 15408:2005 - Common Criteria for Information Technology Evaluation (2005)

    Google Scholar 

  4. National Institute of Standards and Technology: Special publications (800 series) (2009), http://csrc.nist.gov/publications/PubsSPs.html

  5. Zuccato, A.: Holistic security requirement engineering for electronic commerce. Computers & Security 23(1), 63–76 (2004)

    Article  Google Scholar 

  6. Mead, N., Hough, E., Stehney II, T.: Security Quality Requirements Engineering (SQUARE) Methodology. SEI Technical Report (2005)

    Google Scholar 

  7. McDermott, J., Fox, C.: Using abuse case models for security requirements analysis. In: Proceeding of the 15th Annual Computer Security Applications Conference, pp. 55–64. IEEE, Los Alamitos (1999)

    Google Scholar 

  8. Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10(1), 34–44 (2005)

    Article  Google Scholar 

  9. International Organization for Standardization: ISO/IEC 27001:2005, IInformation technology – Security techniques – Information security management systems – Requirements (2005)

    Google Scholar 

  10. International Organization for Standardization: ISO/IEC 15408-2:1999 Information technology – Security techniques – Evaluation criteria for IT security – Part 2: Security functional requirements (1999)

    Google Scholar 

  11. Schumacher, M., Fernandez-Buglioni, E., abd Frank Buschman, D.H., Sommerlad, P.: Security Patterns - Integrating Security and Systems Engineering. Wiley, Chichester (2006)

    Google Scholar 

  12. Burr, W.E., Dodson, D.F., Polk, W.T.: Electronic Authentication Guideline. NIST Special Publication 800-63 Version 1.0.2, National Institute of Standards and Technology (2006)

    Google Scholar 

  13. International Organization for Standardization: ISO/IEC 9000:2000 Quality management systems - Fundamentals and vocabulary (2000)

    Google Scholar 

  14. SSE-CMM Project: Systems Security Engineering Capability Maturity Model. v 3.0 edn. (2003)

    Google Scholar 

  15. Zuccato, A., Kögler, C.: Functional security testing – closing the gap between software testing and security testing: A case from a telecom provider. In: Massacci, F., Redwine Jr., S.T., Zannone, N. (eds.) ESSoS 2009. LNCS, vol. 5429, pp. 185–194. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. TeliaSonera, Common Development, Product Security, Sweden

    Albin Zuccato, Nils Daniels, Cheevarat Jampathom & Mikael Nilson

  2. Department of Computer and System Science, Stockholm University, Sweden

    Albin Zuccato

Authors
  1. Albin Zuccato
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nils Daniels
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cheevarat Jampathom
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mikael Nilson
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dipartimento Ingegneria e Scienza dell’Informazione, Università di Trento, Via Sommarive 14, 38050, Povo (Trento), Italy

    Fabio Massacci

  2. Department of Computer Science, Rice University, 3122 Duncan Hall, 6100 Main Street, TX 77005, Houston, USA

    Dan Wallach

  3. Faculty of Mathematics and Computer Science, Eindhoven University of Technology, Den Dolech 2, 5612, Eindhoven, AZ, The Netherlands

    Nicola Zannone

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zuccato, A., Daniels, N., Jampathom, C., Nilson, M. (2010). Report: Modular Safeguards to Create Holistic Security Requirement Specifications for System of Systems. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-11747-3_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-11746-6

  • Online ISBN: 978-3-642-11747-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation