Security Requirements

The quest for designing secure and trusted software has led to refined Software Engineering methodologies that rely on tools to support the design process. Automated reasoning mechanisms for requirements and software verification are by now a well-accepted part of the design process, and model driven architectures support the automation of the refinement process. We claim that we can further push the envelope towards the automatic exploration and selection among design alternatives and show that this is concretely possible for Secure Tropos, a requirements engineering methodology that addresses security and trust concerns. In Secure Tropos, a design consists of a network of actors (agents, positions or roles) with delegation/permission dependencies among them. Accordingly, the generation of design alternatives can be accomplished by a planner which is given as input a set of actors and goals and generates alternative multiagent plans to fulfill all given goals. We validate our claim with a case study using a state-of-the-art planner.

File is a component of a computer system that has importance value of its own, either in terms of availability, integrity, confidentiality and functionality to a system and application. If unintended changes happen on the related file, it may affect the security of related computer system. File integrity monitor (FIM) tools is widely used to minimize the file security risk. This paper proposed dynamic schedule for FIM. This paper presents a dynamic scheduling for FIM by combining on-line and off-line monitoring based on related files security requirement. Files are divided based on their security level group and integrity monitoring schedule is defined based on related groups. The initial testing result shows that our system is effective in on-line detection of file modification.

In order to develop security critical Information Systems, specifying security quality requirements is vitally important, although it is a very difficult task. Fortunately, there are several security standards, like the Common Criteria (ISO/IEC 15408), which help us handle security requirements. This article will present a Common Criteria centred and reuse-based process that deals with security requirements at the early stages of software development in a systematic and intuitive way, by providing a security resources repository as well as integrating the Common Criteria into the software lifecycle, so that it unifies the concepts of requirements engineering and security engineering.

Security is a crucial issue in cloud computing especially since a lot of stakeholders worldwide are involved. Achieving an acceptable security level in cloud environments is much harder when compared to other traditional IT systems due to specific cloud characteristics like: architecture, openness, multi-tenancy etc. Conventional security mechanisms are no longer suitable for applications and data in the cloud, since new security requirements have emerged. Furthermore, there is a clear need for a trusted security audit method for cloud providers. This paper identifies the security requirements that are specific to cloud computing and highlights how these requirements link to the cloud security policy while illustrating the structure of a General Security Policy Model. Furthermore , it proposes a method that can be adopted by cloud providers for auditing the security of their systems.

Nowadays, security solutions are mainly focused on providing security defences, instead of solving one of the main reasons for security problems that refers to an appropriate Information Systems (IS) design. In fact, requirements engineering often neglects enough attention to security concerns. In this paper it will be presented a case study of our proposal, called SREP (Security Requirements Engineering Process), which is a standard-centred process and a reuse-based approach which deals with the security requirements at the earlier stages of software development in a systematic and intuitive way by providing a security resources repository and by integrating the Common Criteria into the software development lifecycle. In brief, a case study is shown in this paper demonstrating how the security requirements for a security critical IS can be obtained in a guided and systematic way by applying SREP.

One of the missions of the North American Syn-chroPhasor Initiative (NASPI) is to create a robust, widely available and secure synchronized data measurement infrastructure, dubbed NASPInet, that will improve reliability of the power grid. Phasor Measurement Unit (PMU), a GPS clock synchronized measurement device capable of measuring the current and voltage phasors in the power grid, is the main measurement device that NASPInet envisions to support. While the dataflow, latency and to some extent security requirements for individual PMU applications that depend on the measurement infrastructure have been characterized, this work undertakes the challenge of characterizing the collective dataflow, latency and security requirements of the measurement infrastructure when using different network architectures and when multiple PMU applications simultaneously utilize NASPInet. For our analysis we focus on a case study where we model a scalable scenario in NASPInet for a part of the North American Power Grid, the western interconnect, using Network Simulator v2 (NS-2).

In order to develop security critical Information Systems, specifying security quality requirements is vitally important, although it is a very difficult task. Fortunately, there are several security standards, like the Common Criteria (ISO/IEC 15408), which help us handle security requirements. This article will present a Common Criteria centred and reuse-based process that deals with security requirements at the early stages of software development in a systematic and intuitive way, by providing a security resources repository as well as integrating the Common Criteria into the software lifecycle, so that it unifies the concepts of requirements engineering and security engineering.

This paper explores various dimensions of cloud computing security. It argues that security concerns of cloud computing need to be addressed from the perspective of individual stakeholder. Security focuses of cloud computing are essentially different in terms of its characteristics and business model. Conventional way of viewing as well as addressing security such as ‘bolting-in’ on the top of cloud computing may not work well. The paper attempts to portray the security spectrum necessary for enterprizes to understand the dynamics of cloud computing security, the relationships between security requirements of different stakeholders at different levels of abstraction, and the challenges it poses. The paper is expected to shed some lights on concerns as well as dynamics of cloud computing security.

Security facilities of information systems with high security requirements should be consistently and continuously developed, used, and maintained based on some common standards of information security. However, there is no engineering environment that can support all tasks in security engineering consistently and continuously. To construct a security engineering environment, a database that can manage all data concerning all tasks in

Secure software engineering is a big challenge. This is mainly due to the increasing complexity, openness and extensibility of modern applications, which make a complete analysis of security requirements very hard. The overall problem space is consequently no longer easily comprehensible for developers. This paper is an attempt to explore some of these issues underlying secure software engineering. We propose a secure software engineering framework, which suggests considering secure software engineering along four different, but complementary, views. Each view is capturing a particular relevant aspect of secure software engineering. Our motivations for developing this framework are to: (a) help understand and clarify the secure software engineering domain, (b) guide in classifying and comparing both secure software and securing approaches and (c) help researchers to identify new research axes.

In the last few years, we have witnessed an explosion in demand for security measures motivated by the proliferation of mobile/wireless networks, the fixed-mobile network convergence, and the emergence of new services, such as e-commerce. 3G-systems play a key role in this network evolution, and, thus, all stakeholders are interested in the security level supported in the new emerging mobile environment. This paper elaborates on the security framework in 3G mobile networks. The security requirements imposed by the different types of traffic, and by the different players involved (mobile users, serving network and service providers) are investigated. The security architecture, which comprises all the security mechanisms that are projected for the Universal Mobile Telecommunication System (UMTS) network, is analyzed. The employment of traditional security technologies, originally designed for fixed networking, such as firewalls, and static Virtual Private Network (VPN), in order to safeguard the UMTS core network from external attacks, as well as to protect user data when conveyed over the network are examined. Critical points in the 3G-security architecture that may cause network and service vulnerability are identified and discussed. Furthermore, proposals for the enhancement of the 3G-security architecture, and the provision of advanced security services to end-user data traffic within and outside the UMTS core network are discussed. The proposed enhancements can be easily integrated in the existing network infrastructure, and operate transparently to the UMTS network functionality. q IPsec IP security KAC key administration center MAC message authentication code MAP mobile application part MAPsec MAP security MS mobile station MT mobile terminal MSC mobile switching centre NE network entities NDS network domain security PS packet switched Rel-4 release 4 Rel-5 release 5 R99 release '99 RAND random challenge RES user response to challenge RNC radio network controller

Product authentication is needed to detect counterfeit products and to prevent them from entering the distribution channels of genuine products. Security is a critical property of product authentication systems. In this paper, we study trust and security in RFID-based product authentication systems. We first present a formal definition for product authentication process and then derive the general chain of trust as well as functional and nonfunctional security requirements for product authentication. Most of the scientific literature that covers the topic focuses on cryptographic tag authentication only. This paper, however, provides a broader view including also other known approaches, most notably location-based authentication. To derive the functional security requirements, we employ the concept of misuse cases that extends the use case paradigm well known in the field of requirements engineering. We argue that the level of security of any RFIDbased product authentication application is determined by how it fulfills the derived set of functional and nonfunctional requirements. The security of different RFID-based product authentication approaches is analyzed. To study how RFID supports secure product authentication in practice, we investigate how the current EPC standards conform to the functional security requirements of product authentication and show how the unaddressed requirements could be fulfilled. The benefits of implementing a service that detects the cloned tags in the level of the network's core services are identified.

Wireless Sensor Networks (WSN) is a recent advanced technology of computer networks and electronics. The WSN increasingly becoming more practicable solution to many challenging applications. The sensor networks depend upon the sensed data, which may depend upon the application. One of the major applications of the sensor networks is in military. So security is the greatest concern to deploy sensor network such hostile unattended environments, monitoring real world applications. But the limitations and inherent constraints of the sensor nodes does not support the existing traditional security mechanisms in WSN. Now the present research is mainly concentrated on providing security mechanism in sensor networks. In this context, security aspects of the sensor networks like requirements, classifications, and type of attacks etc., is analyzed in this survey paper.

Security services based on cryptographic mechanisms assume keys to be distributed prior to secure communications. The secure management of these keys is one of the most critical elements when integrating cryptographic functions into a system, since any security concept will be ineffective if the key management is weak. This paper approaches the problem of key management in a modular and hierarchical manner. It discusses key management security requirements, deals with generic key management concepts and design criteria, describes key management services and building blocks, as well as key management facilities, key management units, and their interrelationship.

Due to the spreading of SMS services and appearing of new business models, value-added SMS services have been introduced. According to the research results about wide distribution of security incidents on ICT systems worldwide, in spite of known security solutions, there is a necessity for organizational approach to implement security. This paper presents research and development efforts in building process model SecuRUP for security requirements engineering conformed to RUP framework. The model consists of processes, artifacts, activities and according roles for successful elicitation, analysis and specification of recognized security requirements and is validated on presented case study. The model validation results have shown significant process improvement, especially on roles and activities identification in SecuRUP elaboration process, but only further case studies in industry can be best indicators for usefulness of such models.

One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce twofactor authentication in the sense that the client must have the smart-card and know the password in order to gain access to the server. In this paper, we scrutinize the security requirements of this kind of schemes, and propose a new scheme and a generic construction framework for smart-card-based password authentication. We show that a secure password based key exchange protocol can be efficiently transformed to a smartcard-based password authentication scheme provided that there exist pseudorandom functions and target collision resistant hash functions. Our construction appears to be the first one with provable security. In addition, we show that two recently proposed schemes of this kind are insecure.

The relationships between the work products of a security engineering process can be hard to understand, even for persons with a strong technical background but little knowledge of security engineering. Market forces are driving software practitioners who are not security specialists to develop software that requires security features. When these practitioners develop software solutions without appropriate security-specific processes and models, they sometimes fail to produce effective solutions. We have adapted a proven object oriented modeling technique, use cases, to capture and analyze security requirements in a simple way. We call the adaptation an abuse case model. Its relationship to other security engineering work products is relatively simple, from a user perspective

Almost a year ago, Microsoft has introduced the .NET architecture as a new component-based programming environment, which allows for easy integration of classical distributed programming techniques with Web computing. .NETdefines a type system and introduces notions such ...

Inherent in any organization are security risks and barriers that must be understood, analyzed, and minimized in order to prepare for and perpetuate future growth and return on investment within the business. Likewise, company leaders must determine the security health of the organization and routinely review the potential threats that are ever changing in this new global economy. Once these risks are outlined, the cost and potential damage must be weighed before action is implemented. This paper will address the modern problems of securing information technology (IT) of a mechanical engineering enterprise, which can be applied to other modern industries.

Developing secure web applications that can withstand malicious attacks requires a careful injection of security considerations into early stages of development lifecycle. Assessing security at the requirement analysis stage of the application development life cycle may help in mitigating security defects before they spread their wings into the latter stages of the development life cycle and into the final version of product. In this paper, we present a security metrics model based on the Goal Question Metric (GQM) approach, focusing on the design of the misuse case model. Misuse case is a technique to identify threats and integrate security requirements during the requirement analysis stage. The security metrics model helps in discovering and evaluating the misuse case models by ensuring a defect-free model. Here, the security metrics are based on the OWASP top 10-2010, in addition to misuse case modeling antipattern.

As organizations increase their reliance on information systems for daily business, they become more vulnerable to security breaches. Though a number of techniques, such as encryption and electronic signatures, are currently available to protect data when transmitted across sites, a truly comprehensive approach for data protection must also include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. ...

The phenomenon of cloud computing has been driven largely these days. Personal Cloud, as the cloud computing for personal usage, has come to the forefront. Compare with traditional operating system, personal cloud shifts individual computing "from being device-centric to information-centric", which create a bridge between operating system-based computing and the more service-oriented approach to IT. Also, the mobile thin-client has brought mobility to cloud computing. In this paper, we provide a reference base for the development of methodologies tailored for personal cloud computing. Besides, we also provide a security architecture for personal cloud based on the security requirement analysis.

Recently, new families of wireless ad hoc networks have emerged for specialized applications-personal area networks. Wireless personal area networks (WPAN) is rapidly gaining popularity. A wide variety of traditional computing devices and embedded Internet appliances are networked around us. However, due to the broadcast nature of these networks and the heterogeneity of devices on these networks, new security problems will arise, because the different types of devices have different capabilities and security requirements. In this paper, an overview of security issues like attacks and its countermeasures for wireless personal area networks such as Bluetooth, RFID and wireless sensor networks has been provided.

This paper first positively answers the previously open question of whether it was possible to obtain an optimal security reduction for an identity based signature (IBS) under a reasonable computational assumption. We revisit the Sakai-Ogishi-Kasahara IBS that was recently proven secure by Bellare, Namprempre and Neven through a general framework applying to a large family of schemes. We show that

System engineers are confronted with fast-paced technology developments, complicated contractual relationships, emerging threats and global security requirements, concerns for sustainability and viability of their ventures and a raft of other issues. In this environment, information technology-intensive systems in particular are exposed to risk and recent high-profile incidents have contributed to significant emphasis to be given to security. It is however impossible for systems engineers to become specialists in all areas of concern in order to be able to tackle effectively those issues and thus architecting systems needs to take into account good practice and existing relevant knowledge. When such knowledge is embodied into established and widely accepted standards, not only is there the opportunity to capitalise on their mature content but also to ripe the benefits of compliance, seamless integration and competitive advantage that standardisation provides. In this spirit we investigate in this paper the use of two popular and established standards, the ISO 27000 series and ISO/IEC 26702, as aids in the process of engineering secure systems.

Grid technology is increasingly being looked upon as a natural extension of the internet for engaging in complex data processing tasks over resources which are distributed across the world. Architects and developers employing grid systems must take into consideration security implications. Dynamic generation of virtual organizations leads to a synergistic picture which has to address security requirements never encountered before. Globus toolkit has devised a framework for making secure use of grid resource components which has been proved to be a feasible solution by a number of academic and scientific organizations. This paper is an attempt to identify and discern mechanisms proposed by Globus security model with certain test scenarios [1] .

IEEE 802.11 Wireless Networks have gained popularity, providing users mobility and flexibility in accessing information. Existing solutions for wireless LAN networks have been exposed to security vulnerabilities. Previous study has evaluated the security performance of IEEE 802.11 wireless networks using single server-client architecture. This research investigated the effect of multiple security mechanisms on the performance of multi-client congested and un-congested networks. The effect of different TCP and UDP packet sizes on performance of secure networks was also studied. The results showed that WEP encryption significantly degrades the performance of congested wireless networks. Network performance degradation increased as the number of clients was increased under all security mechanisms.

Almost a year ago, Microsoft has introduced the .NET architecture as a new component-based programming environment, which allows for easy integration of classical distributed programming techniques with Web computing. .NETdefines a type system and introduces notions such ...

This paper reports on a study which assessed the application of information and communication technologies (ICT) in health information access and dissemination in Uganda. The project focused not only on information obtainable through libraries for research, teaching, learning and practice, but also on ICT applications concerned with the administration and planning of health services in Uganda. A thematic analysis highlighted the current state of ICT applications, the extent of applications, the roles played and problems faced. The paper further explores areas where it is used most, cost of accessing information, user profile, ICT literacy, quality of services and telemedicine in the country. It concludes that a number of challenges must be addressed if the full benefit of the use and application of ICT in health information access and dissemination is to be realized in Uganda, and draws the attention of all the stakeholders in the health sector to the need to support and promote ICT as the most effective tool for health information access and dissemination.

This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.

Data Warehouses (DWs) are widely accepted as the core of current decision support systems. Therefore, it is vital to incorporate security requirements from the early stages of the DWs projects and enforce them in the further design phases. Very few approaches specify security and audit measures in the conceptual modeling of DWs. Furthermore, these security measures are specified in the final implementation on top of commercial systems as there is not a standard relational representation of security measures for DWs (i.e. the well-known star schema does not allow us to specify security and audit measures on its multidimensional representation of data; instead, they must be specified on top of the implemented relational tables). On the other hand, the Common Warehouse Metamodel (CWM) has been accepted as the standard for the exchange and the interoperability of metadata. Nevertheless, it does not allow us to specify security measures for DWs. In this paper, we make use of the own extension mechanisms provided by the CWM to extend the relational package in order to build a star schema that represents the security and audit rules captured during the conceptual modeling phase of DWs. Finally, in order to show the benefits of our extension, we apply it to a case study related to the management of the pharmacy consortium business.

In 2005, Lee et al. proposed a blind signature scheme based on the discrete-logarithm problem to achieve the untraceability or unlinkability property. However, the scheme will be demonstrated as not being secure in this manuscript. We design an attack on the scheme such that a signature requester can obtain more than one valid signatures by performing only one round of the protocol. It violates an important security requirement of blind signatures.

Smart grid (SG) communication has recently received significant attentions to facilitate intelligent and distributed electric power transmission systems. However, communication trust and security issues still present practical concerns to the deployment of SG. In this paper, to cope with these challenging concerns, we propose a lightweight message authentication scheme features as a basic yet crucial component for secure SG communication framework. Specifically, in the proposed scheme, the smart meters which are distributed at different hierarchical networks of the SG can first achieve mutual authentication and establish the shared session key with Diffie-Hellman exchange protocol. Then, with the shared session key between smart meters and hash-based authentication code technique, the subsequent messages can be authenticated in a lightweight way. Detailed security analysis shows that the proposed scheme can satisfy the desirable security requirements of SG communications. In addition, extensive simulations have also been conducted to demonstrate the effectiveness of the proposed scheme in terms of low latency and few signal message exchanges.

DBSy (Domain Based Security) is a set of notations and techniques developed by QinetiQ specifically for the UK Mo D, a large distributed organisation. DBSy provides a way of describing and assessing business-driven information security requirements for network architectures. This focuses upon how the business requires information to be compartmentalised and how that might be achieved by strategic location of

Assumptions are frequently made during requirements analysis of a system about the trustworthiness of its various components (including human components). These trust assumptions, whether implicit or explicit, affect the scope of the analysis, derivation of security requirements, and in some cases how functionality is realized. This paper presents trust assumptions in the context of analysis of security requirements. A running example shows how trust assumptions can be used by a requirements engineer to help define and limit the scope of analysis and to document the decisions made during the process. The paper concludes with a case study examining the impact of trust assumptions on software that uses the secure electronic transaction specification.

Certificateless Public Key Cryptography" has very appealing features, namely it does not require any public key certification (cf. traditional Public Key Cryptography) nor having key escrow problem (cf. Identity-Based Cryptography). Unfortunately, construction of Certificateless Public Key Encryption (CLPKE) schemes has so far depended on the use of Identity-Based Encryption, which results in the bilinear pairing-based schemes that need costly operations. In this paper, we consider a relaxation of the original model of CLPKE and propose a new CLPKE scheme that does not depend on the bilinear pairings. We prove that in the random oracle model, our scheme meets the strong security requirements of the new model of CLPKE such as security against public key replacement attack and chosen ciphertext attack, assuming that the standard Computational Diffie-Hellman problem is intractable.

Convergence and ubiquity are the key characteristics of tomorrows service provision infrastructures. Cloud architectures will constitute cost-efficient backbones that will support the transmission, storage, and computing of the applications contents. These architectures can be used for business, scientific, and pervasive computing purposes. The diversity of the services delivered through cloud infrastructures increases their vulnerability to security incidents and attacks. The cost and complexity reduction requirements render the design and development of protection mechanisms even more challenging. In addition, key design features such as confidentiality, privacy, authentication, anonymity, survivability, dependability, and faulttolerance are, in some extent, conflicting. The objective of this tutorial is to present the state-of-the-art of security and explore research directions and technology trends to address the protection of cloud communications and networking infrastructures. An emphasis will be made on the collaboration of mobile devices in cloud based infrastructures. The fundamental concepts of cloud computing security will be explored, including cloud security services, cloud security principles, cloud security requirements, and testing techniques.

http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6261019

The paper presents experiences with building a flexible, customer-driven security infrastructure for open collaborative applications. The experiences were gained in the framework of the Collaboratory.nl (CNL) project. The work is based on extended use of emerging Web Services and Grid security technologies combined with concepts from the Generic Authentication Authorization and Accounting (AAA) authorisation framework. Basic CNL use cases and functional security requirements are analysed in order to motivate the proposed Job-centric security model. This model describes access control and user-and resource management. The technical details and solutions are described based upon the current CNL implementation. The proposed Job-centric approach uses a Job description as a semantic document created on the basis of the signed order (or business agreement). It contains all of the information required to run the analysis, create and manage the virtual Job-based associations of users and resources. . In addition, this paper shows the usage of XACML as policy/role based access control model to build fine-grained access control and cross-organisation identity management using the Virtual Organization (VO) concept.

This paper reports on a study which assessed the application of information and communication technologies (ICT) in health information access and dissemination in Uganda. The project focused not only on information obtainable through libraries for research, teaching, learning and practice, but also on ICT applications concerned with the administration and planning of health services in Uganda. A thematic analysis highlighted the current state of ICT applications, the extent of applications, the roles played and problems faced. The paper further explores areas where it is used most, cost of accessing information, user profile, ICT literacy, quality of services and telemedicine in the country. It concludes that a number of challenges must be addressed if the full benefit of the use and application of ICT in health information access and dissemination is to be realized in Uganda, and draws the attention of all the stakeholders in the health sector to the need to support and promote ICT as the most effective tool for health information access and dissemination.

UNU-IIST is jointly funded by the government of Macao and the governments of the People's Republic of China and Portugal through a contribution to the UNU Endowment Fund. As well as providing twothirds of the endowment fund, the Macao authorities also supply UNU-IIST with its office premises and furniture and subsidise fellow accommodation.

We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS) key agreement protocol. Our analysis identifies, justifies, and exploits the modularity present in the design of the protocol: the application keys offered to higher level applications are obtained from a master key, which in turn is derived, through interaction, from a pre-master key.

Developing secure web applications that can withstand malicious attacks requires a careful injection of security considerations into early stages of development lifecycle. Assessing security at the requirement analysis stage of the application development life cycle may help in mitigating security defects before they spread their wings into the latter stages of the development life cycle and into the final version of product. In this paper, we present a security metrics model based on the Goal Question Metric (GQM) approach, focusing on the design of the misuse case model. Misuse case is a technique to identify threats and integrate security requirements during the requirement analysis stage. The security metrics model helps in discovering and evaluating the misuse case models by ensuring a defect-free model. Here, the security metrics are based on the OWASP top 10-2010, in addition to misuse case modeling antipattern.