Elaborating Security Requirements by Construction of Intentional Anti-Models

Bibliographic Details
Published in: International Conference on Software Engineering: Proceedings of the 26th International Conference on Software Engineering; 23-28 May 2004, pp. 148-157
Main Author: van Lamsweerde, Axel
Format: Conference Proceeding
Language: English
Published: Washington, DC, USA: IEEE Computer Society, 23.05.2004
Series: ACM Conferences
ISBN: 9780769521633, 0769521630
ISSN: 0270-5257
Description
Summary: Caring for security at requirements engineering time is a message that has finally received some attention recently. However, it is not yet very clear how to achieve this systematically through the various stages of the requirements engineering process. The paper presents a constructive approach to the modeling, specification and analysis of application-specific security requirements. The method is based on a goal-oriented framework for generating and resolving obstacles to goal satisfaction. The extended framework addresses malicious obstacles (called anti-goals) set up by attackers to threaten security goals. Threat trees are built systematically through anti-goal refinement until leaf nodes are derived that are either software vulnerabilities observable by the attacker or anti-requirements implementable by this attacker. New security requirements are then obtained as countermeasures by application of threat resolution operators to the specification of the anti-requirements and vulnerabilities revealed by the analysis. The paper also introduces formal epistemic specification constructs and patterns that may be used to support a formal derivation and analysis process. The method is illustrated on a web-based banking system for which subtle attacks have been reported recently.
DOI: 10.5555/998675.999421