Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359966
R. Gandhi, Mariam Rahmani
Security engineering involves systematically applying the accumulated experience and best practices, such as regulatory security requirements, to identify a repeatable solution that is cost-effective, continuously improved, and fulfills security expectations of the stakeholders. However, security principles and regulatory requirements are rarely applied systematically during system design. We outline a stepwise process to extract domain concepts and apply a lightweight formal modeling language, Alloy, for the representation of regulatory requirements as early security patterns. These patterns, as a collection of constraints describing regulatory requirements provide a template for the systematic integration and analysis of these constraints in a system context. Each pattern defines a constrained solution space that can be enforced in subsequent phases of secure system development, testing and operation.
{"title":"Early security patterns: A collection of constraints to describe regulatory security requirements","authors":"R. Gandhi, Mariam Rahmani","doi":"10.1109/RePa.2012.6359966","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359966","url":null,"abstract":"Security engineering involves systematically applying the accumulated experience and best practices, such as regulatory security requirements, to identify a repeatable solution that is cost-effective, continuously improved, and fulfills security expectations of the stakeholders. However, security principles and regulatory requirements are rarely applied systematically during system design. We outline a stepwise process to extract domain concepts and apply a lightweight formal modeling language, Alloy, for the representation of regulatory requirements as early security patterns. These patterns, as a collection of constraints describing regulatory requirements provide a template for the systematic integration and analysis of these constraints in a system context. Each pattern defines a constrained solution space that can be enforced in subsequent phases of secure system development, testing and operation.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"93 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115374636","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359974
Rocky Slavin, Hui Shen, Jianwei Niu
Very often in the software development life cycle, security is applied too late or important security aspects are overlooked. Although the use of security patterns is gaining popularity, the current state of security requirements patterns is such that there is not much in terms of a defining structure. To address this issue, we are working towards defining the important characteristics as well as the boundaries for security requirements patterns in order to make them more effective. By examining an existing general pattern format that describes how security patterns should be structured and comparing it to existing security requirements patterns, we are deriving characterizations and boundaries for security requirements patterns. From these attributes, we propose a defining format. We hope that these can reduce user effort in elicitation and specification of security requirements patterns.
{"title":"Characterizations and boundaries of security requirements patterns","authors":"Rocky Slavin, Hui Shen, Jianwei Niu","doi":"10.1109/RePa.2012.6359974","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359974","url":null,"abstract":"Very often in the software development life cycle, security is applied too late or important security aspects are overlooked. Although the use of security patterns is gaining popularity, the current state of security requirements patterns is such that there is not much in terms of a defining structure. To address this issue, we are working towards defining the important characteristics as well as the boundaries for security requirements patterns in order to make them more effective. By examining an existing general pattern format that describes how security patterns should be structured and comparing it to existing security requirements patterns, we are deriving characterizations and boundaries for security requirements patterns. From these attributes, we propose a defining format. We hope that these can reduce user effort in elicitation and specification of security requirements patterns.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"99 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133711685","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359976
S. Behnam, Daniel Amyot, G. Mussbacher, Edna Braun, N. Cartwright, Mario Saucier
Outcome-based regulations focus on measurable goals rather than on prescriptive ways of achieving these goals. As regulators start evolving regulations towards an outcome-based approach, it becomes important to reuse knowledge about existing problems and solutions, and patterns are known to be a means of increasing reusability. Regulatory parties can benefit from a pattern-based framework that (i) lays down a foundation for capturing knowledge about business goals and processes, (ii) provides methods for reusing this knowledge by extracting and customizing models for specific stakeholders, and (iii) enables evolution of the knowledge when new problems and solutions emerge. In this paper, we provide systematic steps for eliciting requirements leading to the creation of patterns and families and show the applicability of the Goal-oriented Pattern Family framework in this novel context. We improve the framework's infrastructure and include the concept of indicator in the framework in order to facilitate the reuse of compliance measurement approaches, in context.
{"title":"Using the Goal-oriented pattern family framework for modelling outcome-based regulations","authors":"S. Behnam, Daniel Amyot, G. Mussbacher, Edna Braun, N. Cartwright, Mario Saucier","doi":"10.1109/RePa.2012.6359976","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359976","url":null,"abstract":"Outcome-based regulations focus on measurable goals rather than on prescriptive ways of achieving these goals. As regulators start evolving regulations towards an outcome-based approach, it becomes important to reuse knowledge about existing problems and solutions, and patterns are known to be a means of increasing reusability. Regulatory parties can benefit from a pattern-based framework that (i) lays down a foundation for capturing knowledge about business goals and processes, (ii) provides methods for reusing this knowledge by extracting and customizing models for specific stakeholders, and (iii) enables evolution of the knowledge when new problems and solutions emerge. In this paper, we provide systematic steps for eliciting requirements leading to the creation of patterns and families and show the applicability of the Goal-oriented Pattern Family framework in this novel context. We improve the framework's infrastructure and include the concept of indicator in the framework in order to facilitate the reuse of compliance measurement approaches, in context.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125448370","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359977
M. Riaz, L. Williams
Security requirements engineering ideally combines expertise in software security with proficiency in requirements engineering to provide a foundation for developing secure systems. However, security requirements are often inadequately understood and improperly specified, often due to lack of security expertise and a lack of emphasis on security during early stages of system development. Software systems often have common and recurrent security requirements in addition to system-specific security needs. Security requirements patterns can provide a means of capturing common security requirements while documenting the context in which a requirement manifests itself and the tradeoffs involved. The objective of this paper is to aid in understanding of the process for pattern development and provide considerations for writing effective security requirements patterns. We analyzed existing literature on software patterns, problem solving and cognition to outline the process for developing software patterns. We also reviewed strategies for specifying reusable security requirements and security requirements patterns. Our proposed considerations can aid pattern writers in capturing necessary contextual information when documenting security requirements patterns to facilitate application and integration of security requirements.
{"title":"Security requirements patterns: understanding the science behind the art of pattern writing","authors":"M. Riaz, L. Williams","doi":"10.1109/RePa.2012.6359977","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359977","url":null,"abstract":"Security requirements engineering ideally combines expertise in software security with proficiency in requirements engineering to provide a foundation for developing secure systems. However, security requirements are often inadequately understood and improperly specified, often due to lack of security expertise and a lack of emphasis on security during early stages of system development. Software systems often have common and recurrent security requirements in addition to system-specific security needs. Security requirements patterns can provide a means of capturing common security requirements while documenting the context in which a requirement manifests itself and the tradeoffs involved. The objective of this paper is to aid in understanding of the process for pattern development and provide considerations for writing effective security requirements patterns. We analyzed existing literature on software patterns, problem solving and cognition to outline the process for developing software patterns. We also reviewed strategies for specifying reusable security requirements and security requirements patterns. Our proposed considerations can aid pattern writers in capturing necessary contextual information when documenting security requirements patterns to facilitate application and integration of security requirements.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125683335","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359973
O. Daramola, G. Sindre, T. Stålhane
The task of specifying and managing security requirements (SR) is a challenging one. Usually SR are often neglected or considered too late - leading to poor design, and cost overruns. Also, there is scarce expertise in managing SR, because most requirements engineering teams do not include security experts, which leads to prevalence of too vague or overly specific SR. In this work, we present an ontology-based approach that uses predefined pattern-based templates - requirements boilerplates - to aid requirements engineers in the formulation of SR. We realized the approach via a prototype tool that enables the formulation of SR from textual misuse case (TMUC) descriptions of security threat scenarios. The results from a preliminary evaluation suggest the viability of the proposed approach, in that the tool was judged as easy to use, supports reuse, and facilitates the formulation of good quality SR.
{"title":"Pattern-based security requirements specification using ontologies and boilerplates","authors":"O. Daramola, G. Sindre, T. Stålhane","doi":"10.1109/RePa.2012.6359973","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359973","url":null,"abstract":"The task of specifying and managing security requirements (SR) is a challenging one. Usually SR are often neglected or considered too late - leading to poor design, and cost overruns. Also, there is scarce expertise in managing SR, because most requirements engineering teams do not include security experts, which leads to prevalence of too vague or overly specific SR. In this work, we present an ontology-based approach that uses predefined pattern-based templates - requirements boilerplates - to aid requirements engineers in the formulation of SR. We realized the approach via a prototype tool that enables the formulation of SR from textual misuse case (TMUC) descriptions of security threat scenarios. The results from a preliminary evaluation suggest the viability of the proposed approach, in that the tool was judged as easy to use, supports reuse, and facilitates the formulation of good quality SR.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"38 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124997339","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359965
Richa Sharma, K. K. Biswas
Requirements validation is an integral activity of Requirements Engineering. An early detection of mismatch between the observable behavior of the real-world and the interpreted behavior of the information system after requirements analysis is essential to the success of the software developed. This paper presents how norm analysis patterns can be effectively utilized for automated software validation. Norms represent behavioral patterns in an organization. In this paper, we harness this fact to validate the elicited requirements.
{"title":"Using norm analysis patterns for automated requirements validation","authors":"Richa Sharma, K. K. Biswas","doi":"10.1109/RePa.2012.6359965","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359965","url":null,"abstract":"Requirements validation is an integral activity of Requirements Engineering. An early detection of mismatch between the observable behavior of the real-world and the interpreted behavior of the information system after requirements analysis is essential to the success of the software developed. This paper presents how norm analysis patterns can be effectively utilized for automated software validation. Norms represent behavioral patterns in an organization. In this paper, we harness this fact to validate the elicited requirements.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"108 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125130003","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359969
Cristina Palomares, C. Quer, Xavier Franch, Cindy Guerlain, Samuel Renault
Software Requirement Patterns (SRP) have been proposed as an artifact for fostering requirements reuse. PABRE is a framework that promotes the use of SRP as a means for requirements elicitation, validation and documentation in the context of IT procurement projects. In this paper, we present a catalogue of non-technical SRP included in the framework and present in detail some of them. We also introduce the motivation to arrive to these patterns.
{"title":"A catalogue of non-technical Requirement Patterns","authors":"Cristina Palomares, C. Quer, Xavier Franch, Cindy Guerlain, Samuel Renault","doi":"10.1109/RePa.2012.6359969","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359969","url":null,"abstract":"Software Requirement Patterns (SRP) have been proposed as an artifact for fostering requirements reuse. PABRE is a framework that promotes the use of SRP as a means for requirements elicitation, validation and documentation in the context of IT procurement projects. In this paper, we present a catalogue of non-technical SRP included in the framework and present in detail some of them. We also introduce the motivation to arrive to these patterns.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"28 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132799883","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359968
Axel Hoffmann, Matthias Söllner, Holger Hoffmann, J. Leimeister
Users adopt trust to reduce social complexity that can be caused by the lack of knowledge about the inner working of an information system. Our aim is to translate results from trust research about the transformation of user trust in new technologies into software requirement patterns. Therefore, we collect antecedents that build trust, and develop requirement patterns that demand functionality to support these antecedents. This paper presents software requirement patterns consisting of the name, the goal, forces and the pre-defined requirement template that can be used to specify trust based requirements.
{"title":"Towards trust-based software requirement patterns","authors":"Axel Hoffmann, Matthias Söllner, Holger Hoffmann, J. Leimeister","doi":"10.1109/RePa.2012.6359968","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359968","url":null,"abstract":"Users adopt trust to reduce social complexity that can be caused by the lack of knowledge about the inner working of an information system. Our aim is to translate results from trust research about the transformation of user trust in new technologies into software requirement patterns. Therefore, we collect antecedents that build trust, and develop requirement patterns that demand functionality to support these antecedents. This paper presents software requirement patterns consisting of the name, the goal, forces and the pre-defined requirement template that can be used to specify trust based requirements.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"83 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122959007","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359967
Yang Li, C. Pelties, M. Käser, Nitesh Narayan
Requirements patterns help reusing the knowledge of capturing required functionalities and properties of a system. To improve requirements engineering in seismological software development, we identify commonly used requirements patterns. This paper introduces research of identifying two main requirements patterns in projects typical for computational seismology, namely, the forward simulation pattern and the data access pattern. They help efficiently and effectively eliciting requirements by providing necessary abstractions. We present a dynamic rupture example to illustrate how to apply both patterns. The patterns can foster a more productive requirements engineering process and sharing software development knowledge within the domain.
{"title":"Requirements patterns for seismology software applications","authors":"Yang Li, C. Pelties, M. Käser, Nitesh Narayan","doi":"10.1109/RePa.2012.6359967","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359967","url":null,"abstract":"Requirements patterns help reusing the knowledge of capturing required functionalities and properties of a system. To improve requirements engineering in seismological software development, we identify commonly used requirements patterns. This paper introduces research of identifying two main requirements patterns in projects typical for computational seismology, namely, the forward simulation pattern and the data access pattern. They help efficiently and effectively eliciting requirements by providing necessary abstractions. We present a dynamic rupture example to illustrate how to apply both patterns. The patterns can foster a more productive requirements engineering process and sharing software development knowledge within the domain.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"75 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124668487","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2012-11-26DOI: 10.1109/RePa.2012.6359975
T. Breaux, Hanan Hibshi, Ashwini Rao, Jean-Michel Lehker
Despite the abundance of information security guidelines, system developers have difficulties implementing technical solutions that are reasonably secure. Security patterns are one possible solution to help developers reuse security knowledge. The challenge is that it takes experts to develop security patterns. To address this challenge, we need a framework to identify and assess patterns and pattern application practices that are accessible to non-experts. In this paper, we narrowly define what we mean by patterns by focusing on requirements patterns and the considerations that may inform how we identify and validate patterns for knowledge reuse. We motivate this discussion using examples from the requirements pattern literature and theory in cognitive psychology.
{"title":"Towards a framework for pattern experimentation: Understanding empirical validity in requirements engineering patterns","authors":"T. Breaux, Hanan Hibshi, Ashwini Rao, Jean-Michel Lehker","doi":"10.1109/RePa.2012.6359975","DOIUrl":"https://doi.org/10.1109/RePa.2012.6359975","url":null,"abstract":"Despite the abundance of information security guidelines, system developers have difficulties implementing technical solutions that are reasonably secure. Security patterns are one possible solution to help developers reuse security knowledge. The challenge is that it takes experts to develop security patterns. To address this challenge, we need a framework to identify and assess patterns and pattern application practices that are accessible to non-experts. In this paper, we narrowly define what we mean by patterns by focusing on requirements patterns and the considerations that may inform how we identify and validate patterns for knowledge reuse. We motivate this discussion using examples from the requirements pattern literature and theory in cognitive psychology.","PeriodicalId":255558,"journal":{"name":"2012 Second IEEE International Workshop on Requirements Patterns (RePa)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2012-11-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124854926","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: