Abstract
Security is considered an important aspect of software systems, especially in the context of cloud computing. Nevertheless, current practices for securing software systems fail to take security issues into account during the early development stages and also cannot properly address the unique characteristics and needs of the cloud environment. To address such issues, Secure Tropos was developed as a security-oriented requirements engineering approach, offering a modeling language and sets of diagrams that facilitate the elicitation and elaboration of security features for software systems. In this work, we introduce Secure Tropos by discussing its main concepts, their relations and the main diagrams used to capture the different aspects of a software system. SecTro, a CASE tool developed specifically for the creation and analysis of Secure Tropos diagrams, is used to model a case study as an illustrative example. Finally, future work on expanding the functionalities offered by Secure Tropos is discussed.
© 2016 Springer International Publishing Switzerland
Cite this chapter
Mouratidis, H., Argyropoulos, N., Shei, S. (2016). Security Requirements Engineering for Cloud Computing: The Secure Tropos Approach. In: Karagiannis, D., Mayr, H., Mylopoulos, J. (eds) Domain-Specific Conceptual Modeling. Springer, Cham. https://doi.org/10.1007/978-3-319-39417-6_16
DOI: https://doi.org/10.1007/978-3-319-39417-6_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-39416-9
Online ISBN: 978-3-319-39417-6