Haruhiko Kaiya

MASG: Advanced Misuse Case Analysis Model with Assets and Security Goals

Misuse case model and its development process are useful and practical for security requirements analysis, but they require expertise especially about security assets and goals. To enable inexperienced requirements analysts to elicit and to analyse security requirements, we present an extension of misuse case model and its development process by incorporating new model elements, assets and security goals. We show its effectiveness from the quantitative and qualitative results of a case study. According to the results, we conclude the extension and its process enable inexperienced analysts to elicit security requirements as well as experienced analysts do.

A Metamodel for Security and Privacy Knowledge in Cloud Services

We propose a metamodel for handling security and privacy in cloud service development and operation. The metamodel is expected to be utilized for building a knowledge base to accumulate, classify and reuse existing cloud security and privacy patterns and practices in a consistent and uniform way. Moreover the metamodel and knowledge base are expected to be utilized for designing and maintaining architectures for cloud service systems incorporating security and privacy.

Implementation Support of Security Design Patterns Using Test Templates

Security patterns are intended to support software developers as the patterns encapsulate security expert knowledge. However, these patterns may be inappropriately applied because most developers are not security experts, leading to threats and vulnerabilities. Here we propose a support method for security design patterns in the implementation phase of software development. Our method creates a test template from a security design pattern, consisting of an “aspect test template” to observe the internal processing and a “test case template”. Providing design information creates a test from the test template with a tool. Because our test template is reusable, it can easily perform a test to validate a security design pattern. In an experiment involving four students majoring in information sciences, we confirm that our method can realize an effective test, verify pattern applications, and support pattern implementation.

Security and privacy behavior definition for behavior driven development

There is an issue when security measures are implemented and tested while using agile software development techniques such as Behavior Driven Development (BDD). We need to define the necessary levels of security and the privacy behaviors and acceptance criteria for the BDD. A method for defining the acceptance criteria (BehaveSafe) by creating a threat and countermeasure graph called the T&C graph is proposed in this paper. We have estimated the efficiency of our method with a web based system.

Validating Security Design Pattern Applications by Testing Design Models

Software developers are not necessarily security experts, confirming potential threats and vulnerabilities at an early stage of the development process (e.g., in the requirementand design-phase) is insufficient. Additionally, even if designed software considers security at an early stage, whether the software really satisfies the security requirements must be confirmed. To realize secure design, this work proposes an application to validate security patterns using model testing. Its method provides extended security patterns, which include requirementand design-level patterns as well as a new model testing process using these patterns. After a developer specifies threats and vulnerabilities in the target system during an early stage of development, this method can validate whether the security patterns are properly applied and assess if these vulnerabilities are resolved. Validating Security Design Pattern Applications by Testing Design Models

Security Requirements Analysis Using Knowledge in CAPEC

Because all the requirements analysts are not the experts of security, providing security knowledge automatically is one of the effective means for supporting security requirements elicitation. We propose a method for eliciting security requirements on the basis of Common Attack Patterns Enumeration and Classification (CAPEC). A requirements analyst can automatically acquire the candidates of attacks against a functional requirement with the help of our method. Because technical terms are mainly used in the descriptions in CAPEC and usual phrases are used in the requirements descriptions, there are gaps between them. To bridge the gaps, our method contains a mapping between technical terms and noun phrases called term maps.

Modelling Goal Dependencies and Domain Model Together

Several actors such as human, organization, software applications and hardware units perform our daily activities such as medical care, entertainment and so on. We call each daily activity a socio-technical system (STS), and we also call actors except human and organizations Machines. Human and organizations in an STS become better than ever when new Machines are introduced into the STS and they are beneficial to human and organizations. Although modelling goal dependencies in such a STS contributes to identifying beneficial Machines because such a dependency can represent an actor asks some Machine to achieve his own goal. It is however not easy for modelers to describe a correct dependency. We thus proposed and exemplified an extended modelling notation called Goal Dependency Model with Objects (GDMO) based on strategic dependency (SD) in i*. In GDMO, objects related to a goal in an SD are explicitly specified. Modelers can determine an actor has the right to want the goal to be achieved because relationships between the actor and the objects such as ownership clarify the right. They can also determine another actor has the ability to achieve the goal. In addition, relationships among objects, i.e. a domain model, can suggest missing SDs, and the boundary of an STS can be determined without omission.

TESEM: A Tool for Verifying Security Design Pattern Applications by Model Testing

Because software developers are not necessarily security experts, identifying potential threats and vulnerabilities in the early stage of the development process (e.g., the requirement- or design-phase) is insufficient. Even if these issues are addressed at an early stage, it does not guarantee that the final software product actually satisfies security requirements. To realize secure designs, we propose extended security patterns, which include requirement-and design-level patterns as well as a new model testing process. Our approach is implemented in a tool called TESEM (Test Driven Secure Modeling Tool), which supports pattern applications by creating a script to execute model testing automatically. During an early development stage, the developer specifies threats and vulnerabilities in the target system, and then TESEM verifies whether the security patterns are properly applied and assesses whether these vulnerabilities are resolved.

Annotating Goals with Concerns in Goal-Oriented Requirements Engineering

In goal-oriented requirements analysis, goals specify multiple concerns such as functions, strategies, and non-functions, and they are refined into sub goals from mixed views of these concerns. This intermixture of concerns in goals makes it difficult for a requirements analyst to understand and maintain goal refinements. Separating concerns and specifying them explicitly is one of the useful approaches to improve the understandability of goal refinements, i.e., the relations between goals and their sub goals. In this paper, we propose a technique to annotate goals with the concerns they have in order to support the understanding of goal refinement. In our approach, goals are refined into sub goals referring to the annotated concerns, and these concerns annotated to a goal and its sub goals provide the meaning of its goal refinement. By tracing and focusing on the annotated concerns, requirements analysts can understand goal refinements and modify unsuitable ones. We have developed a supporting tool and made an exploratory experiment to evaluate the usefulness of our approach.

Verifying Implementation of Security Design Patterns Using a Test Template

Although security patterns contain security expert knowledge to support software developers, these patterns may be inappropriately applied because most developers are not security specialists, leading to threats and vulnerabilities. Here we propose a validation method for security design patterns in the implementation phase of software development. Our method creates a test template from a security design pattern, which consists of the aspect test template to observe the internal processing and the test case template. Providing design information creates a test from the test template. Because a test template is recyclable, it can create easily a test, which can validate the security design patterns. As a case study, we applied our method to a web system. The result shows that our method can test repetition in the early stage of implementation, verify pattern applications, and assess whether vulnerabilities are resolved.