Armstrong Nhlabatsi

Security Requirements Engineering for Evolving Software Systems: A Survey

Long-lived software systems often undergo evolution over an extended period. Evolution of these systems is inevitable as they need to continue to satisfy changing business needs, new regulations and standards, and introduction of novel technologies. Such evolution may involve changes that add, remove, or modify features; or that migrate the system from one operating platform to another. These changes may result in requirements that were satisfied in a previous release of a system not being satisfied in subsequent versions. When evolutionary changes violate security requirements, a system may be left vulnerable to attacks. In this article we review current approaches to security requirements engineering and conclude that they lack explicit support for managing the effects of software evolution. We then suggest that a cross fertilization of the areas of software evolution and security engineering would address the problem of maintaining compliance to security requirements of software systems as they evolve.

Towards a Unified Framework for Contextual Variability in Requirements

Context is a significant factor in deciding the set of requirements relevant to a system (i.e., software product construction), the alternatives the system can adopt to satisfy these requirements, and the quality assessment of each alternative. By context we mean the conditions in the operating environment of an system that influences how the system should behave in different situations. However, the relationship between context and requirements can be challenging to capture and analyze. Presently this area of requirements engineering is largely under-researched. In this position paper, we discuss several ways by which context can be related to requirements and subsequently used for product derivation. We outline an approach that facilitates better understanding and use of contextual information in requirements. Our approach integrates three requirements engineering approaches - goal modeling, feature modeling, and problem frames - and is aimed at facilitating treatment of contextual variability in requirements.

“Why can’t I do that?”: tracing adaptive security decisions

One of the challenges of any adaptive system is to ensure that users can understand how and why the behaviour of the system changes at runtime. This is particularly important for adaptive security behaviours which are essential for applications that are used in many different contexts, such as those hosted in the cloud. In this paper, we propose an approach for using traceability information, enriched with causality relations and contextual attributes of the deployment environment, when providing feedback to the users. We demonstrate, using a cloud storage-as-a-service environment, how our approach provides users of cloud applications better information, explanations and assurances about the security decisions made by the system. This enables the user to understand why a certain security adaptation has occurred, how the adaptation is related to current context of use of the application, and a guarantee that the application still satisfies its security requirements after an adaptation.

Requirements and specifications for adaptive security: concepts and analysis

In an adaptive security-critical system, security mechanisms change according to the type of threat posed by the environment. Specifying the behavior of these systems is difficult because conditions of the environment are difficult to describe until the system has been deployed and used for a length of time. This paper defines the problem of adaptation in security-critical systems, and outlines the RELAIS approach for expressing requirements and specifying the behavior in a way that helps identify the need for adaptation, and the appropriate adaptation behavior at runtime. The paper introduces the notion of adaptation via input approximation and proposes statistical machine learning techniques for realizing it. The approach is illustrated with a running example and is applied to a realistic security example from a cloud-based file-sharing application. Bayesian classification and logistic regression methods are used to implement adaptive specifications and these methods offer different levels of adaptive security and usability in the file-sharing application.

Dynamic security metrics for measuring the effectiveness of moving target defense techniques

Moving Target Defense (MTD) utilizes granularity, flexibility and elasticity properties of emerging networking technologies in order to continuously change the attack surface. There are many different MTD techniques proposed in the past decade to thwart cyberattacks. Due to the diverse range of different MTD techniques, it is of paramount importance to assess and compare their effectiveness. However, each technique causes distinct (dynamic) changes in the network, making an objective comparison difficult. In this paper, we incorporate MTD techniques into a temporal graph-based graphical security model, and develop a new set of dynamic security metrics to assess and compare their effectiveness. To this end, we first categorize and compare different attack and defense efforts. Second, we describe the temporal graph-based graphical security model to capture dynamic changes made by various MTD techniques in the network. We then develop a new set of security metrics for attack and defense efforts to evaluate the effectiveness of the MTD techniques. We implement two different MTD techniques, namely network topology shuffle and software diversity, and show their effectiveness against a targeted attack scenario in our experimental analysis. The results demonstrate that the proposed dynamic security metrics can capture different properties of MTD techniques, permitting a more fine-grained comparison and offering guidance for selecting the most effective MTD technique.

A process model for customisation of software in multi-tenant SaaS model

This paper outlines a generic process framework for customisation of software in cloud computing. The flexibility for client-specific customisation of the software offered by software-as-a-service (SaaS) is limited. The challenge for cloud providers is how they customise the software that is hosted in their SaaS model where multiple clients share the same software code with their specific customised needs.

Managing security control assumptions using causal traceability

Security control specifications of software systems are designed to meet their security requirements. It is difficult to know both the value of assets and the malicious intention of attackers at design time, hence assumptions about the operational environment often reveal unexpected flaws. To diagnose the causes of violations in security requirements it is necessary to check these design-time assumptions. Otherwise, the system could be vulnerable to potential attacks. Addressing such vulnerabilities requires an explicit understanding of how the security control specifications were defined from the original security requirements. However, assumptions are rarely explicitly documented and monitored during system operation. This paper proposes a systematic approach to monitoring design-time assumptions explicitly as logs, by using trace ability links from requirements to specifications. The work also helps identify which alternative specifications of security control can be used to satisfy a security requirement that has been violated based on the logs. The work is illustrated by an example of an electronic patient record system.

Traceability for Adaptive Information Security in the Cloud

One of the key challenges in cloud computing is the security of the consumer data stored and processed by cloud machines. When the usage context of a cloud application changes, or when the context is unknown, there is a risk that security policies are violated. To minimize this risk, cloud applications need to be engineered to adapt their security policies to maintain satisfaction of security requirements despite changes in their usage context. We call such adaptation capability Adaptive Information Security. The paper argues that one of the prerequisites to adaptive information security is the use of traceability as a means to understanding the relationship between security requirements and security policies. Using an example, we motivate the need for improving traceability in the development of cloud applications.

Building Contingencies into Specifications

We propose an approach to runtime feature composition and conflict resolution that combines arbitration and contingencies. By arbitration we mean the resolution of conflicts between features using priorities. Contingency means having several specifications per feature, satisfying the same requirement, depending on the current state of the shared resource. Evaluation of our approach shows that combining arbitration and contingencies ensures that in the event of a conflict, requirements of the conflicting features are eventually satisfied.