Details
Field | Value
---|---
Original language | English
Title of host publication | 2014 IEEE 22nd International Requirements Engineering Conference, RE 2014 - Proceedings
Publisher | Institute of Electrical and Electronics Engineers Inc.
Pages | 103-112
Number of pages | 10
ISBN (electronic) | 9781479930333
Publication status | Published - 26 Sept 2014
Event | 2014 IEEE 22nd International Requirements Engineering Conference, RE 2014 - Karlskrona, Sweden. Duration: 25 Aug 2014 → 29 Aug 2014
Publication series
Field | Value
---|---
Name | IEEE International Conference on Requirements Engineering Proceedings
ISSN (Print) | 1090-705X
Abstract
Security is an increasingly important quality facet in modern information systems and needs to be retained. Due to a constantly changing environment, long-living software systems "age" not by wearing out, but by failing to keep up to date with their environment. The problem is that requirements engineers usually do not have a complete overview of the security-related knowledge necessary to retain the security of long-living software systems. This includes security standards, principles and guidelines as well as reported security incidents. In this paper, we focus on the identification of known vulnerabilities (and their variations) in natural-language requirements by leveraging security knowledge. For this purpose, we present an integrative security knowledge model and a heuristic method to detect vulnerabilities in requirements based on reported security incidents. To support knowledge evolution, we further propose a method based on natural language analysis to refine and to adapt security knowledge. Our evaluation indicates that the proposed assessment approach detects vulnerable requirements more reliably than other methods (Bayes, SVM, k-NN). Thus, requirements engineers can react faster and more effectively to a changing environment that has an impact on the desired security level of the information system.
Keywords
- Heuristics
- Knowledge carrying software
- Requirements analysis
- Security requirements
- Software evolution
ASJC Scopus subject areas
- Computer Science (all)
- Software
- Computer Science Applications
Cite this
Gärtner, S., Ruhroth, T., Bürger, J., Schneider, K., & Jürjens, J. (2014). Maintaining requirements for long-living software systems by incorporating security knowledge. In 2014 IEEE 22nd International Requirements Engineering Conference, RE 2014 - Proceedings (pp. 103-112). Article 6912252. Institute of Electrical and Electronics Engineers Inc. (IEEE International Conference on Requirements Engineering Proceedings). https://doi.org/10.1109/RE.2014.6912252
Research output: Chapter in book/report/conference proceeding › Conference contribution › Research › peer review
TY - GEN
T1 - Maintaining requirements for long-living software systems by incorporating security knowledge
AU - Gärtner, Stefan
AU - Ruhroth, Thomas
AU - Bürger, Jens
AU - Schneider, Kurt
AU - Jürjens, Jan
N1 - Publisher Copyright: © 2014 IEEE.
PY - 2014/9/26
Y1 - 2014/9/26
N2 - Security is an increasingly important quality facet in modern information systems and needs to be retained. Due to a constantly changing environment, long-living software systems "age" not by wearing out, but by failing to keep up-to-date with their environment. The problem is that requirements engineers usually do not have a complete overview of the security-related knowledge necessary to retain security of long-living software systems. This includes security standards, principles and guidelines as well as reported security incidents. In this paper, we focus on the identification of known vulnerabilities (and their variations) in natural-language requirements by leveraging security knowledge. For this purpose, we present an integrative security knowledge model and a heuristic method to detect vulnerabilities in requirements based on reported security incidents. To support knowledge evolution, we further propose a method based on natural language analysis to refine and to adapt security knowledge. Our evaluation indicates that the proposed assessment approach detects vulnerable requirements more reliable than other methods (Bayes, SVM, k-NN). Thus, requirements engineers can react faster and more effectively to a changing environment that has an impact on the desired security level of the information system.
AB - Security is an increasingly important quality facet in modern information systems and needs to be retained. Due to a constantly changing environment, long-living software systems "age" not by wearing out, but by failing to keep up-to-date with their environment. The problem is that requirements engineers usually do not have a complete overview of the security-related knowledge necessary to retain security of long-living software systems. This includes security standards, principles and guidelines as well as reported security incidents. In this paper, we focus on the identification of known vulnerabilities (and their variations) in natural-language requirements by leveraging security knowledge. For this purpose, we present an integrative security knowledge model and a heuristic method to detect vulnerabilities in requirements based on reported security incidents. To support knowledge evolution, we further propose a method based on natural language analysis to refine and to adapt security knowledge. Our evaluation indicates that the proposed assessment approach detects vulnerable requirements more reliable than other methods (Bayes, SVM, k-NN). Thus, requirements engineers can react faster and more effectively to a changing environment that has an impact on the desired security level of the information system.
KW - Heuristics
KW - Knowledge carrying software
KW - Requirements analysis
KW - Security requirements
KW - Software evolution
UR - http://www.scopus.com/inward/record.url?scp=84909967412&partnerID=8YFLogxK
U2 - 10.1109/RE.2014.6912252
DO - 10.1109/RE.2014.6912252
M3 - Conference contribution
AN - SCOPUS:84909967412
T3 - IEEE International Conference on Requirements Engineering Proceedings
SP - 103
EP - 112
BT - 2014 IEEE 22nd International Requirements Engineering Conference, RE 2014 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2014 IEEE 22nd International Requirements Engineering Conference, RE 2014
Y2 - 25 August 2014 through 29 August 2014
ER -