Publication


Featured research published by Golnaz Elahi.


Requirements Engineering | 2010

A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities

Golnaz Elahi; Eric S. K. Yu; Nicola Zannone

Many security breaches occur because of exploitation of vulnerabilities within the system. Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a methodological framework for security requirements elicitation and analysis centered on vulnerabilities. The framework offers modeling and analysis facilities to assist system designers in analyzing vulnerabilities and their effects on the system; identifying potential attackers and analyzing their behavior for compromising the system; and identifying and analyzing the countermeasures to protect the system. The framework proposes a qualitative goal model evaluation analysis for assessing the risks of vulnerability exploitation and analyzing the impact of countermeasures on such risks.


International Conference on Conceptual Modeling | 2009

A Modeling Ontology for Integrating Vulnerabilities into Security Requirements Conceptual Foundations

Golnaz Elahi; Eric S. K. Yu; Nicola Zannone

Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a vulnerability-centric modeling ontology, which aims to integrate empirical knowledge of vulnerabilities into the system development process. In particular, we identify the basic concepts for modeling and analyzing vulnerabilities and their effects on the system. These concepts drive the definition of criteria that make it possible to compare and evaluate security frameworks based on vulnerabilities. We show how the proposed modeling ontology can be adopted in various conceptual modeling frameworks through examples.


Requirements Engineering | 2009

Trust Trade-off Analysis for Security Requirements Engineering

Golnaz Elahi; Eric S. K. Yu

Security requirements often have implicit assumptions about trust relationships among actors. The more actors trust each other, the less stringent the security requirements are likely to be. Trust always involves the risk of mistrust; hence, trust implies a trade-off: gaining some benefits from depending on a second party in trade for getting exposed to security and privacy risks. When trust assumptions are implicit, these trust trade-offs are made implicitly and in an ad-hoc way. By taking advantage of agent- and goal-oriented analysis, we propose a method for discovering trade-offs that trust relationships bring. This method aims to help the analyst select among alternative dependency relationships by making explicit trust trade-offs. We propose a simple algorithm for making the trade-offs in a way that reaches a balance between costs and benefits.


International Conference on Conceptual Modeling | 2008

Reflective Analysis of the Syntax and Semantics of the i* Framework

Jennifer Horkoff; Golnaz Elahi; Samer Abdulhadi; Eric S. K. Yu

Conceptual modeling notations are often designed without the benefit of empirical input. Reflective analysis of modeling languages can help find the gap between the intended design of the language and its use in practice. In this paper, we study instances of the i* goal- and agent-oriented framework to analyze differences between the core i* syntax developed at the University of Toronto and existing variations. We have surveyed 15 student assignments and 15 academic papers and presentations in order to capture and analyze the most common i* syntax variations. Through this analysis we offer insights into i* syntax and suggestions to improve the framework and increase consistency between models.


Computer Software and Applications Conference | 2011

Security Requirements Engineering in the Wild: A Survey of Common Practices

Golnaz Elahi; Eric S. K. Yu; Tong Li; Lin Liu

Various governmental or academic institutes survey current security trends, and report vulnerabilities, security breaches, and their costs. However, it is unclear whether (and how) practitioners analyze these vulnerabilities and attacks to arrive at security requirements and decide on security solutions. What modeling methods are used for eliciting, analyzing, and documenting security requirements in real-world practice? This paper intends to answer such questions through a survey of security requirements engineering practices. 374 software professionals from 237 international and Chinese firms participated in the survey. The results show that businesses often try to consider security from early stages of the development life cycle; however, ultimately, security is left to be built into the system at the implementation phase. We observed that practitioners favour qualitative risk assessment rather than quantitative approaches, and this helps them consider more varieties of factors when comparing alternative security design solutions.


The Practice of Enterprise Modeling | 2008

Modeling Knowledge Transfer in a Software Maintenance Organization – An Experience Report and Critical Analysis

Golnaz Elahi; Eric S. K. Yu; Maria Carmela Annosi

Modeling notations have been introduced to help understand the why behind software processes. We ask how these techniques are being used in industrial practice. The first part of this paper reports on the experiences at an industrial software organization, Ericsson Marconi SpA, in applying i* modeling to analyze knowledge transfer effectiveness for software maintenance. The modeling was done in-house without consultation with the i* research community. In the second part of the paper, university researchers analyze the modeling experience in that organization, drawing a comparison with the usage of i* typically envisaged by the research community. We found that the modeling approach used at the industry site employed smaller, simplified models, but these were effective for highlighting key issues for the organization and for communication. From the case study, we draw some conclusions for the future development of the i* modeling approach.


Computer Software and Applications Conference | 2010

Service Security Analysis Based on i*: An Approach from the Attacker Viewpoint

Tong Li; Lin Liu; Golnaz Elahi; Eric S. K. Yu; Barrett R. Bryant

Security analysis is a knowledge-intensive process, in which the attackers and the system owners are competing with their knowledge about how the system is built, what the weakest points of the system are, and how to exploit or to protect them. In other words, it is a race of knowledge. In this paper, we present a service security modeling approach based on the agent-oriented requirement modeling framework, i*. In this approach, we first model system actors' rationale for delivery of the service function. Then, we model a malicious actor whose intention is to disable the system functionality by exploiting their knowledge about the service and potential attacks. We assume that attackers have full knowledge about the system, which is the worst-case scenario. Finally, the method automatically identifies attack routes across the actors' dependency network based on the available knowledge. We use a recent network attack on a major Internet service provider to illustrate the approach.


Software Engineering and Advanced Applications | 2005

RUPSec: extending business modeling and requirements disciplines of RUP for developing secure systems

Pooya Jaferian; Golnaz Elahi; Mohammad Reza Ayatollahzadeh Shirazi; Babak Sadeghian

Nowadays, one of the main challenges facing computer systems is the increasing number of attacks and security threats against them. Therefore, capturing, analyzing, designing, developing and testing security requirements have become an important issue in the development of security-critical computing systems, such as banking, military and e-commerce systems. For developing every system, a process model is chosen. The Rational Unified Process (RUP) is one of the most popular and complete process models that has been used by developers in recent years. Our study and analysis have shown that RUP should be extended for developing security-critical systems. In this paper, we report our work on extending the business modeling and requirements disciplines of RUP for developing secure systems. We call this extended version of RUP RUPSec. The proposed extensions in RUPSec add and integrate a number of activities, roles, and artifacts into RUP in order to capture, document and model threats and security requirements.


International Conference on Conceptual Modeling | 2007

A goal oriented approach for modeling and analyzing security trade-offs

Golnaz Elahi; Eric S. K. Yu


Information & Software Technology | 2012

Comparing alternatives for analyzing requirements trade-offs - In the absence of numerical data

Golnaz Elahi; Eric S. K. Yu

Collaboration


Top Co-Authors


Nicola Zannone

Eindhoven University of Technology


Barrett R. Bryant

University of Alabama at Birmingham
