Abstract
Security patterns capture proven security knowledge to help analysts tackle security problems. Although advanced research in this field has produced an impressive collection of patterns, they are not widely applied in practice. In parallel, Requirements Engineering has been increasing focusing on security-specific issues, arguing for an upfront treatment of security in system design. However, the vast body of security patterns are not integrated with existing proposals for security requirements analysis, making them difficult to apply as part of early system analysis and design. In this paper, we propose to integrate security patterns with our previously introduced goal-oriented security requirements analysis approach. Specifically, we provide a full concept mapping between textual security patterns and contextual goal models, as well as systematic instructions for constructing contextual goal models from security patterns. Moreover, we propose a systematic process for selecting and applying security patterns, illustrated with a realistic smart grid scenario. To facilitate the practical adoption of security patterns, we have created contextual goal models for 20 security patterns documented in the literature, and have implemented a prototype tool to support our proposal.
Chapter PDF
Similar content being viewed by others
References
Hafiz, M., Adamczyk, P., Johnson, R.E.: Organizing security patterns. IEEE Software 24(4), 52–60 (2007)
Scandariato, R., Yskout, K., Heyman, T., Joosen, W.: Architecting software with security patterns. Technical report, KU Leuven (2008)
Fernandez-Buglioni, E.: Security patterns in practice: designing secure architectures using software patterns. John Wiley & Sons (2013)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. International Journal of Software Engineering and Knowledge Engineering 17(02), 285–309 (2007)
Liu, L., Yu, E.S.K., Mylopoulos, J.: Secure-i*: Engineering secure software systems through social analysis. Int. J. Software and Informatics 3(1), 89–120 (2009)
Paja, E., Dalpiaz, F., Giorgini, P.: Managing security requirements conflicts in socio-technical systems. In: Conceptual Modeling, pp. 270–283. Springer (2013)
Li, T., Horkoff, J.: Dealing with security requirements for socio-technical systems: A holistic approach. In: Jarke, M., Mylopoulos, J., Quix, C., Rolland, C., Manolopoulos, Y., Mouratidis, H., Horkoff, J. (eds.) CAiSE 2014. LNCS, vol. 8484, pp. 285–300. Springer, Heidelberg (2014)
Li, T., Mylopoulos, J.: Modeling and applying security patterns using contextual goal models. In: The 7th International i* Workshop, iStar14 (2014)
Asnar, Y., Massacci, F., Saidane, A., Riccucci, C., Felici, M., Tedeschi, A., El-Khoury, P., Li, K., Séguran, M., Zannone, N.: Organizational patterns for security and dependability: From design to application. Int. J. Secur. Softw. Eng. 2(3), 1–22 (2011)
Fernandez, E.B., Fonoage, M., VanHilst, M., Marta, M.: The secure three-tier architecture pattern. In: CISIS, pp. 555–560 (2008)
Schumacher, M., Fernandez-Buglioni, E., Hybertson, D.: Security patterns: Integrating security and systems engineering (2006)
Buschmann, F., Henney, K., Schimdt, D.: Pattern-oriented Software Architecture: On Patterns and Pattern Language, vol. 5. John Wiley & Sons (2007)
Ali, R., Dalpiaz, F., Giorgini, P.: A goal-based framework for contextual requirements modeling and analysis. Requirements Engineering 15(4), 439–458 (2010)
Lapouchnian, A., Mylopoulos, J.: Modeling domain variability in requirements engineering with contexts. In: Conceptual Modeling-ER 2009, pp. 115–130 (2009)
Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: An agent-oriented software development methodology. Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)
Firesmith, D.: Specifying reusable security requirements. Journal of Object Technology 3(1), 61–75 (2004)
Horkoff, J., Yu, E.: Comparison and evaluation of goal-oriented satisfaction analysis techniques. Requirements Engineering 18(3), 199–222 (2013)
Niu, N., Easterbrook, S.: So, you think you know others’ goals? a repertory grid study. IEEE Software 24(2), 53–61 (2007)
Li, T., Horkoff, J., Mylopoulos, J.: A prototype tool for modeling and analyzing security requirements from a holistic viewpoint. In: The CAiSE 2014 Forum at the 26th International Conference on Advanced Information Systems Engineering (2014)
Mouratidis, H., Weiss, M., Giorgini, P.: Modeling secure systems using an agent-oriented approach and security patterns. International Journal of Software Engineering and Knowledge Engineering 16(3), 471 (2006)
Yu, Y., Kaiya, H., Washizaki, H., Xiong, Y., Hu, Z., Yoshioka, N.: Enforcing a security pattern in stakeholder goal models. In: Proceedings of the 4th ACM Workshop on Quality of Protection, pp. 9–14 (2008)
Araujo, I., Weiss, M.: Linking Patterns and non-functional requirements. In: Proceedings of the Ninth Conference on Pattern Language of Programs (PLOP 2002), September 8-12 (2002)
Shiroma, Y., Washizaki, H., Fukazawa, Y., Kubo, A., Yoshioka, N.: Model-driven security patterns application based on dependences among patterns. In: International Conference on Availability, Reliability, and Security 2010, pp. 555–559 (February 2010)
Sanchez-Cid, F., Mana, A.: Serenity pattern-based software development life-cycle. In: 19th International Workshop on Database and Expert Systems Application, pp. 305–309 (September 2008)
Gross, D., Yu, E.: From non-functional requirements to design through patterns. Requirements Engineering 6(1), 18–36 (2001)
Supaporn, K., Prompoon, N., Rojkangsadan, T.: An approach: Constructing the grammar from security pattern. In: Proc. 4th International Joint Conference on Computer Science and Software Engineering (2007)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Li, T., Horkoff, J., Mylopoulos, J. (2014). Integrating Security Patterns with Security Requirements Analysis Using Contextual Goal Models. In: Frank, U., Loucopoulos, P., Pastor, Ó., Petrounias, I. (eds) The Practice of Enterprise Modeling. PoEM 2014. Lecture Notes in Business Information Processing, vol 197. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-45501-2_15
Download citation
DOI: https://doi.org/10.1007/978-3-662-45501-2_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-45500-5
Online ISBN: 978-3-662-45501-2
eBook Packages: Computer ScienceComputer Science (R0)