An Ontological Interface for Software Developers to Select Security Patterns

Khoury, Paul El; Mokhtari, A.; Coquery, Emmanuel; Hacid, Mohand-Saïd

doi:10.1109/dexa.2008.110

Cited by 21 publications

(8 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ontologies [28][29][30][31][32][33] are typically used to organize and structure context-specific terminology, which helps security analysts to classify and reason over security controls in regulatory documents. Ontologies, at their core, consist of a set of entities [34] that represent concrete concepts, or types of things, and a set of relations [34] that connect disparate concepts.…”

Section: Security Requirement Extraction and Modelingmentioning

confidence: 99%

“…These entities could be related together using common ontological relationships like is_a or part_of, e.g., John Lennon is_a Person who is part_of the Beatles. Applications of ontologies to the security lifecycle include assisting organizations in the security control selection and design-time software engineering process [33,35], providing support during the policy decision making process [36], enabling run-time adaptations (such as web service replacement) [37], and providing the building blocks for structuring regulatory terms and controls [38,39].…”

Section: Security Requirement Extraction and Modelingmentioning

confidence: 99%

See 1 more Smart Citation

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

Hale

Gamble

2017

Requirements Eng

View full text Add to dashboard Cite

Companies and government organizations are increasingly compelled, if not required by law, to ensure that their information systems will comply with various federal and industry regulatory standards, such as the NIST Special Publication on Security Controls for Federal Information Systems (NIST SP-800-53), or the Common Criteria (ISO 15408-2). Such organizations operate business or mission critical systems where a lack of or lapse in security protections translates to serious confidentiality, integrity, and availability risks that, if exploited, could result in information disclosure, loss of money, or, at worst, loss of life. To mitigate these risks and ensure that their information systems meet regulatory standards, organizations must be able to (a) contextualize regulatory documents in a way that extracts the relevant technical implications for their systems, (b) formally represent their systems and demonstrate that they meet the extracted requirements following an accreditation process, and (c) ensure that all third-party systems, which may exist outside of the information system enclave as web or cloud services also implement appropriate security measures consistent with organizational expectations. This paper introduces a step-wise process, based on semantic hierarchies, that systematically extracts relevant security requirements from control standards to build a certification baseline for organizations to use in conjunction with formal methods and service agreements for accreditation. The approach is demonstrated following a case study of all audit-related controls in the SP-800-53, ISO 15408-2, and related documents. Accuracy, applicability, consistency, and efficacy of the approach were evaluated using controlled qualitative and quantitative methods in two separate studies.

show abstract

Section: Security Requirement Extraction and Modelingmentioning

confidence: 99%

Section: Security Requirement Extraction and Modelingmentioning

confidence: 99%

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

Hale

Gamble

2017

Requirements Eng

View full text Add to dashboard Cite

show abstract

“…The relationships used in their work are similar to the dependencies among security problem patterns suggested by Hatebur et al [15] . In [16], an ontological interface for software developers to select security patterns was proposed. The proposed interface contains a mapping between security requirements on the one side and threat models, security bugs, security errors on the other side taking into consideration their contexts of applicability.…”

Section: Review Of Security Pattern Selectionmentioning

confidence: 99%

“…The ontology "knows" which threats threaten which assets, and which security patterns could lower the probability of occurrence in which contexts. It is meaningful for the software developer to find the appropriate security patterns by adopting an ontology based approach [16] .…”

Section: Security Ontologymentioning

confidence: 99%

An ontology-based approach to security pattern selection

Guan

Yang²,

Wang

2016

Int. J. Autom. Comput.

View full text Add to dashboard Cite

This cover sheet may not be removed from the document.Please scroll down to view the document.Abstract: Usually, the security requirements are addressed by abstracting the security problems arising in a specific context and providing a well proven solution to them. Security patterns incorporating proven security expertise solution to the recurring security problems have been widely accepted by the community of security engineering. The fundamental challenge for using security patterns to satisfy security requirements is the lack of defined syntax, which makes it impossible to ask meaningful questions and get semantically meaningful answers. Therefore, this paper presents an ontological approach to facilitating security knowledge mapping from security requirements to their corresponding solutions -security patterns.Ontologies have been developed using OWL and then incorporated into a security pattern search engine which enables sophisticated search and retrieval of security patterns using the proposed algorithm. Applying the introduced approach allows security novices to reuse security expertise to develop security software system.

show abstract

“…Our pattern-based approach consists in the creation of a pattern repository accompanied by a query mechanism [34] that helps application designers to select and customize the appropriate security solutions for their applications. In fact, such methodology homogenizes the quality of the security assurance for new applications and makes it independent from the expertise of the application developers.…”

Section: B Serenity Design Time and Runtime Frameworkmentioning

confidence: 99%

A Pattern-Based General Security Framework: An eBusiness Case Study

Benameur¹,

Fenet²,

Saidane

et al. 2009

2009 11th IEEE International Conference on High Performance Computing and Communications

View full text Add to dashboard Cite

Security and domain specific regulations are critical for any organization. Unfortunately, achieving these prerequisites in a socio-technical environment is a difficult task. For example, let us consider the aspect of computer security: neither software developers nor regulatory authorities are security experts. Therefore, it is important that security experts' knowledge is captured and made available to software developers. Security patterns are a suitable prescription to capture experts' solutions to commonly recurring security problems. In this paper, we present the application of a general framework, based on security patterns, used to develop secure applications. It covers the entire process of solution development: defining organizational security requirements using SECURE TROPOS, formalizing the pattern using SI*, implementing the pattern, integrating it into the final application, and monitoring the runtime. All these phases are discussed and illustrated with an eBusiness case study: the loan origination process.

show abstract

An Ontological Interface for Software Developers to Select Security Patterns

Cited by 21 publications

References 7 publications

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards

An ontology-based approach to security pattern selection

A Pattern-Based General Security Framework: An eBusiness Case Study

Contact Info

Product

Resources

About