Reusable knowledge in security requirements engineering: a systematic mapping study

Souag, Amina; Mazo, Raúl; Salinesi, Camille; Comyn-Wattiau, Isabelle

doi:10.1007/s00766-015-0220-8

Cited by 54 publications

(35 citation statements)

References 72 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, as pointed out by Souag et al, security knowledge is hard to acquire for software designers in reality [26]. Without bridging the knowledge gap, the assumptions made in the above approaches become unrealistic, preventing the real adaption of those attack analysis approaches.…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…Souag et al survey reusable knowledge-based security requirements engineering approaches over the last 20 years, which shows that 9 out of 95 surveyed papers represent reusable knowledge in the form of patterns (other forms include catalogs, taxonomies, etc.) [26]. Although patterns can be reused in a comparatively easy manner, Araujo et al have pointed out that analysts need first to have a thorough understanding of available patterns in order correctly select and apply them [33].…”

Section: Practical Challenges In Reusing Attack Patternsmentioning

confidence: 99%

See 1 more Smart Citation

Security attack analysis using attack patterns

Paja

Mylopoulos

et al. 2016

2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS)

View full text Add to dashboard Cite

Abstract-Discovering potential attacks on a system is an essential step in engineering secure systems, as the identified attacks will determine essential security requirements. The prevalence of Socio-Technical Systems (STSs) makes attack analysis particularly challenging. These systems are composed of people and organizations, their software systems, as well as physical infrastructures. As such, a thorough attack analysis needs to consider strategic (social and organizational) aspects of the involved people and organizations, as well as technical aspects affecting software systems and the physical infrastructure, requiring a large amount of security knowledge which is difficult to acquire. In this paper, we propose a systematic approach to efficiently leverage a comprehensive attack knowledge repository (CAPEC) in order to identify realistic and detailed attack behaviors, avoiding severe repercussions of security breaches. In particular, we propose a systematic method to model CAPEC attack patterns, which has been applied to 102 patterns, in order to semi-automatically select and apply such patterns. Using the CAPEC patterns as part of a systematic and tool-supported process, we can efficiently operationalize attack strategies and identify realistic alternative attacks on an STS. We validate our proposal by performing a case study on a smart grid scenario.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Practical Challenges In Reusing Attack Patternsmentioning

confidence: 99%

Security attack analysis using attack patterns

Paja

Mylopoulos

et al. 2016

2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS)

View full text Add to dashboard Cite

show abstract

“…The reader may refer to the tutorial in [42] to know about all the concepts and relations used in Secure Tropos. The choice of Secure Tropos was motivated by the fact that it is one of the richer modeling frameworks in terms of concepts that are used to model security requirements according to a recent systematic mapping study [11] on the subject. However, one needs to be "knowledgeable" about security and security requirements when using Secure Tropos, which is not always the case as reported in the introduction.…”

Section: The Aman-da Methodsmentioning

confidence: 99%

“…The security goals being not enough to generate security requirements, two ontologies (security and domain ones) were used as a source of knowledge to discover threats, vulnerabilities, security requirements and their actors, organizational goals, and other domain specific concepts. Acknowledging the small number of publications tackling this issue and providing an evaluation of proposals on real cases [11], we felt the motivation and necessity to undertake this empirical research.…”

Section: Introductionmentioning

confidence: 99%

Using the AMAN-DA method to generate security requirements: a case study in the maritime domain

et al. 2017

Self Cite

View full text Add to dashboard Cite

Abstract. [Context and motivation]Security requirements are known to be "the most difficult of requirements types", and potentially the ones causing the greatest risk if they are not correct. One approach to requirements elicitation is based on the reuse of explicit knowledge. AMAN-DA is a requirement elicitation method that reuses encapsulated knowledge in security and domain ontologies to produce security requirements specifications.[Question/Problem] The main research question addressed in this paper is to what extent is AMAN-DA able to generate domain specific security requirements? [Principal idea/results] Following a well-documented process, a case study related to the maritime domain was undertaken with the goal to demonstrate the utility and effectiveness of AMAN-DA for the elicitation and analysis of domain specific security requirements. The usefulness of the method was also evaluated with a group of twelve experts.[Contribution] The paper demonstrates the elicitation of domain specific security requirements by presenting the AMAN-DA method and its application. It describes the evaluation and reports some significant results and their implications for practice, and future research, especially for the field of knowledge reuse in requirements engineering.

show abstract

“…These are considering as technical choice made during implementation [1]. The different between security and privacy is that threats to individual privacy often rise from authorized users of the system rather than from unauthorized one [2].…”

Section: Introductionmentioning

confidence: 99%

A Goal based Framework by adopting SQUARE Process for Privacy and Security Requirement Engineering

Hayat¹,

Shakoor²,

Mubarak³

et al. 2017

IJCA

View full text Add to dashboard Cite

Identifying, categorizing and prioritizing requirements in terms of privacy and security is the main concern for software developers. Privacy requirement gathering is remain the challenge for software engineers for distributed and complex software. Privacy and security requirement engineering is important step in building these software systems. For this different privacy requirement engineering approaches has been proposed such as security quality requirement engineering (SQUARE) which provide a step for elicitation of requirements in terms of privacy. The purpose of this paper is to support the requirement engineers by modifying the SQUARE approach by providing a process of analysis and evaluate the goal based assets with a framework to identify security goals in accordance to the privacy and security requirements both.

show abstract

Reusable knowledge in security requirements engineering: a systematic mapping study

Cited by 54 publications

References 72 publications

Security attack analysis using attack patterns

Security attack analysis using attack patterns

Using the AMAN-DA method to generate security requirements: a case study in the maritime domain

A Goal based Framework by adopting SQUARE Process for Privacy and Security Requirement Engineering

Contact Info

Product

Resources

About