The Community for Technology Leaders
2014 IEEE 1st Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) (2014)
Karlskrona, Sweden
Aug. 25, 2014 to Aug. 25, 2014
ISBN: 978-1-4799-6340-9
pp: 1-6
Tom-Michael Hesse , Institute of Computer Science, University of Heidelberg, Germany
Stefan Gartner , Software Engineering Group, Leibniz Universität Hannover, Germany
Tobias Roehm , Institut für Informatik, Technische Universität München, Germany
Barbara Paech , Institute of Computer Science, University of Heidelberg, Germany
Kurt Schneider , Software Engineering Group, Leibniz Universität Hannover, Germany
Bernd Bruegge , Institut für Informatik, Technische Universität München, Germany
ABSTRACT
Security issues can have a significant negative impact on the business or reputation of an organization. In most cases they are not identified in requirements and are not continuously monitored during software evolution. Therefore, the inability of a system to conform to regulations or its endangerment by new vulnerabilities is not recognized. In consequence, decisions related to security might not be taken at all or become obsolete quickly. But to evaluate efficiently whether an issue is already addressed appropriately, software engineers need explicit decision documentation. Often, such documentation is not performed due to high overhead. To cope with this problem, we propose to document decisions made to address security requirements. To lower the manual effort, information from heuristic analysis and end user monitoring is incorporated. The heuristic assessment method is used to identify security issues in given requirements au-tomatically. This helps to uncover security decisions needed to mitigate those issues. We describe how the corresponding security knowledge for each issue can be incorporated into the decision documentation semiautomatically. In addition, violations of security requirements at runtime are monitored. We show how decisions related to those security requirements can be identified through the documentation and updated manually. Overall, our approach improves the quality and completeness of security decision documentation to support the engineering and evolution of security requirements.
INDEX TERMS
Security, Documentation, Monitoring, Software, Knowledge engineering, Context, IEEE Potentials
CITATION

T. Hesse, S. Gartner, T. Roehm, B. Paech, K. Schneider and B. Bruegge, "Semiautomatic security requirements engineering and evolution using decision documentation, heuristics, and user monitoring," 2014 IEEE 1st Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), Karlskrona, Sweden, 2014, pp. 1-6.
doi:10.1109/ESPRE.2014.6890520
98 ms
(Ver 3.3 (11022016))