The Security Twin Peaks

  • Thomas Heyman
  • Koen Yskout
  • Riccardo Scandariato
  • Holger Schmidt
  • Yijun Yu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)


The feedback from architectural decisions to the elaboration of requirements is an established concept in the software engineering community. However, pinpointing the nature of this feedback in a precise way is a largely open problem. Often, the feedback is generically characterized as additional qualities that might be affected by an architect’s choice. This paper provides a practical perspective on this problem by leveraging architectural security patterns. The contribution of this paper is the Security Twin Peaks model, which serves as an operational framework to co-develop security in the requirements and the architectural artifacts.


Keywords: security, software architecture, requirements, patterns





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Thomas Heyman (1)
  • Koen Yskout (1)
  • Riccardo Scandariato (1)
  • Holger Schmidt (2)
  • Yijun Yu (3)

  1. IBBT-DistriNet, Katholieke Universiteit Leuven, Belgium
  2. Technische Universität Dortmund, Germany
  3. Open University, United Kingdom
