Modeling Security Requirements: Extending SysML with Security Requirements Engineering Concepts
Ilham Maskani, Jaouad Boutahar and Souhal El Ghazi El Houssani. Modeling Security Requirements: Extending SysML with Security Requirements Engineering Concepts. International Journal of Applied Information Systems 12(9):30-36, December 2017.
URL: http://www.ijais.org/archives/volume12/number9/1016-2017451731
DOI: 10.5120/ijais2017451731

BibTeX:
@article{10.5120/ijais2017451731,
  author    = "Ilham Maskani and Jaouad Boutahar and Souhal El Ghazi El Houssani",
  title     = "Modeling Security Requirements: Extending SysML with Security Requirements Engineering Concepts",
  journal   = "International Journal of Applied Information Systems",
  issue_date = "December 2017",
  volume    = 12,
  number    = 9,
  month     = "Dec",
  year      = 2017,
  issn      = "2249-0868",
  pages     = "30-36",
  url       = "http://www.ijais.org/archives/volume12/number9/1016-2017451731",
  doi       = "10.5120/ijais2017451731",
  publisher = "Foundation of Computer Science (FCS), NY, USA",
  address   = "New York, USA"
}
Abstract
In Security Requirements Engineering, many approaches offer different ways to model security requirements. This paper presents a model that can be used in conjunction with any of those approaches. The model is an extension of SysML requirements diagrams that adds four concepts from Security Requirements Engineering: Stakeholder, Goal, Asset and Risk, each related to the requirements they motivate or constrain. The proposed model is illustrated by applying it to a telemedicine system.
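As an added illustration (not from the paper, which defines its extension in SysML diagram notation), the following Python sketch treats the four added concepts as typed model elements linked to requirements and runs the traceability checks an analyst would want from such a model: every goal is refined by some requirement, every risk is mitigated by some requirement, and every asset has at least one identified risk. The relation names (refines, mitigates), the 1-5 likelihood/impact scale and the telemedicine sample data are assumptions made for this example, not the paper's metamodel.

```python
"""Toy SysML-style requirements model extended with Stakeholder, Goal,
Asset and Risk, plus traceability checks (example code, assumptions noted)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Stakeholder:
    id: str
    name: str


@dataclass(frozen=True)
class Asset:
    id: str
    name: str


@dataclass(frozen=True)
class Goal:
    id: str
    text: str
    stakeholder: str          # Stakeholder.id that holds this goal
    assets: tuple[str, ...]   # Asset.ids the goal protects


@dataclass(frozen=True)
class Risk:
    id: str
    text: str
    asset: str                # Asset.id threatened by this risk
    likelihood: int           # 1..5 (assumed scale)
    impact: int               # 1..5 (assumed scale)


@dataclass(frozen=True)
class Requirement:
    id: str
    text: str
    refines: tuple[str, ...]    # Goal.ids refined (assumed relation name)
    mitigates: tuple[str, ...]  # Risk.ids mitigated (assumed relation name)


class SecurityModel:
    def __init__(self) -> None:
        self.stakeholders: dict[str, Stakeholder] = {}
        self.assets: dict[str, Asset] = {}
        self.goals: dict[str, Goal] = {}
        self.risks: dict[str, Risk] = {}
        self.requirements: dict[str, Requirement] = {}

    def add(self, *elements) -> SecurityModel:
        buckets = {Stakeholder: self.stakeholders, Asset: self.assets,
                   Goal: self.goals, Risk: self.risks, Requirement: self.requirements}
        for e in elements:
            bucket = buckets[type(e)]
            if e.id in bucket:
                raise ValueError(f"duplicate element id {e.id}")
            bucket[e.id] = e
        return self

    def risk_level(self, risk_id: str) -> int:
        r = self.risks[risk_id]
        return r.likelihood * r.impact

    def unmitigated_risks(self) -> list[tuple[str, int]]:
        """Risks no requirement claims to mitigate, highest level first."""
        covered = {rid for q in self.requirements.values() for rid in q.mitigates}
        open_ = [(rid, self.risk_level(rid)) for rid in self.risks if rid not in covered]
        return sorted(open_, key=lambda t: (-t[1], t[0]))

    def validate(self) -> list[str]:
        """Dangling references and coverage gaps, as human-readable findings."""
        f: list[str] = []
        for g in self.goals.values():
            if g.stakeholder not in self.stakeholders:
                f.append(f"{g.id}: unknown stakeholder {g.stakeholder}")
            f += [f"{g.id}: unknown asset {a}" for a in g.assets if a not in self.assets]
        for r in self.risks.values():
            if r.asset not in self.assets:
                f.append(f"{r.id}: unknown asset {r.asset}")
        for q in self.requirements.values():
            f += [f"{q.id}: refines unknown goal {g}" for g in q.refines if g not in self.goals]
            f += [f"{q.id}: mitigates unknown risk {r}" for r in q.mitigates if r not in self.risks]
            if not q.refines:
                f.append(f"{q.id}: security requirement refines no goal")
        refined = {g for q in self.requirements.values() for g in q.refines}
        f += [f"{gid}: goal has no refining requirement" for gid in self.goals if gid not in refined]
        f += [f"{rid}: risk (level {lvl}) has no mitigating requirement"
              for rid, lvl in self.unmitigated_risks()]
        threatened = {r.asset for r in self.risks.values()}
        f += [f"{aid}: asset has no identified risk" for aid in self.assets if aid not in threatened]
        return f


def build_telemedicine_example() -> SecurityModel:
    """Constructed sample data for a small telemedicine system (not from the paper)."""
    return SecurityModel().add(
        Stakeholder("S1", "Patient"), Stakeholder("S2", "Physician"),
        Asset("A1", "Patient health record"), Asset("A2", "Video consultation stream"),
        Goal("G1", "Patient health data stays confidential", "S1", ("A1",)),
        Goal("G2", "Consultation content cannot be altered in transit", "S2", ("A2",)),
        Risk("R1", "Disclosure of stored records to an outsider", "A1", 3, 5),
        Risk("R2", "Tampering with the consultation stream", "A2", 2, 4),
        Risk("R3", "Unauthorised record access by internal staff", "A1", 4, 4),
        Requirement("REQ1", "Records shall be encrypted at rest", ("G1",), ("R1",)),
        Requirement("REQ2", "The stream shall be integrity-protected end to end", ("G2",), ("R2",)),
    )


if __name__ == "__main__":
    for finding in build_telemedicine_example().validate():
        print(finding)
```

Running it reports a single gap: R3 (level 16, the highest in the sample) has no mitigating requirement, which is exactly the kind of missing control the Risk-to-Requirement link is meant to expose before design starts.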
Reference
- I. Maskani, J. Boutahar, and S. El Ghazi El Houssaïni, 2016, “Analysis of Security Requirements Engineering: Towards a Comprehensive Approach,” IJACSA Int. J. Adv. Comput. Sci. Appl., vol. 7, no. 11, pp. 39–45, Nov. 2016.
- “What is SysML? | OMG SysML.” [Online]. Available: http://www.omgsysml.org/what-is-sysml.htm. [Accessed: 14-Nov-2017].
- “About the OMG System Modeling Language Specification Version 1.5.” [Online]. Available: http://www.omg.org/spec/SysML/1.5/. [Accessed: 14-Nov-2017].
- “ISO/IEC 19514:2017 - Information technology -- Object management group systems modeling language (OMG SysML).” [Online]. Available: https://www.iso.org/standard/65231.html. [Accessed: 14-Nov-2017].
- A. Van Lamsweerde and E. Letier, 2004, “From object orientation to goal orientation: A paradigm shift for requirements engineering,” in Radical Innovations of Software and Systems Engineering in the Future, Springer, 2004, pp. 325–340.
- “i* Intentional STrategic Actor Relationships modelling - istar.” [Online]. Available: http://www.cs.toronto.edu/km/istar/. [Accessed: 30-Oct-2017].
- “Tropos.” [Online]. Available: http://www.troposproject.eu/. [Accessed: 09-Nov-2017].
- “GRL.” [Online]. Available: http://www.cs.toronto.edu/km/GRL/. [Accessed: 09-Nov-2017].
- “Z.151 : User Requirements Notation (URN) - Language definition.” [Online]. Available: https://www.itu.int/rec/T-REC-Z.151-201210-I/en. [Accessed: 09-Nov-2017].
- N. A. Qureshi, I. J. Jureta, and A. Perini, 2012, “Towards a Requirements Modeling Language for Self-Adaptive Systems,” in Requirements Engineering: Foundation for Software Quality, 2012, pp. 263–279.
- “ISO/IEC 27000:2016 - Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary,” ISO. [Online]. Available: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=66435. [Accessed: 20-Oct-2016].
- N. Mead, E. Hough, and T. Stehney, 2005, “Security Quality Requirements Engineering (SQUARE) Methodology,” Carnegie Mellon Software Engineering Institute, Tech. Rep. CMU/SEI-2005-TR-009, 2005.
- S. F. Gürses and T. Santen, 2006, “Contextualizing Security Goals: A Method for Multilateral Security Requirements Elicitation,” in ResearchGate, 2006, pp. 42–53.
- C. B. Haley, R. Laney, J. D. Moffett, and B. Nuseibeh, 2008, “Security Requirements Engineering: A Framework for Representation and Analysis,” IEEE Trans. Softw. Eng., vol. 34, no. 1, pp. 133–153, Jan. 2008.
- A. Zuccato, 2007, “Holistic security management framework applied in electronic commerce,” Comput. Secur., vol. 26, no. 3, pp. 256–265, May 2007.
- A. van Lamsweerde, 2004, “Elaborating Security Requirements by Construction of Intentional Anti-Models,” in Proceedings of the 26th International Conference on Software Engineering, Washington, DC, USA, 2004, pp. 148–157.
- P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone, 2006, “Requirements engineering for trust management: model, methodology, and reasoning,” Int. J. Inf. Secur., vol. 5, no. 4, pp. 257–274, Aug. 2006.
- E. Paja, F. Dalpiaz, and P. Giorgini, 2015, “Modelling and reasoning about security requirements in socio-technical systems,” Data Knowl. Eng., vol. 98, pp. 123–143, Jul. 2015.
- D. Mellado, E. Fernández-Medina, and M. Piattini, 2007, “A common criteria based security requirements engineering process for the development of secure information systems,” Comput. Stand. Interfaces, vol. 29, no. 2, pp. 244–253, Feb. 2007.
- J. Jürjens, 2010, Secure Systems Development with UML. Berlin, Heidelberg: Springer-Verlag, 2010.
- P. Salini and S. Kanmani, 2012, “Security Requirements Engineering Process for Web Applications,” Procedia Eng., vol. 38, pp. 2799–2807, 2012.
- T. Lodderstedt, D. Basin, and J. Doser, 2002, “SecureUML: A UML-based modeling language for model-driven security,” in UML 2002: The Unified Modeling Language, pp. 426–441, 2002.
- T. M. Hale and J. C. Kvedar, 2014, “Privacy and Security Concerns in Telehealth,” Virtual Mentor, vol. 16, no. 12, p. 981, Jan. 2014.
- V. Garg and J. Brewer, 2011, “Telemedicine Security: A Systematic Review,” J. Diabetes Sci. Technol., vol. 5, no. 3, p. 768, May 2011.
- R. Laleau, F. Semmak, A. Matoussi, D. Petit, A. Hammad, and B. Tatibouet, 2010, “A first attempt to combine SysML requirements diagrams and B,” Innov. Syst. Softw. Eng., vol. 6, no. 1–2, pp. 47–54, Mar. 2010.
- L. Apvrille and Y. Roudier, 2013, “SysML-Sec: A SysML environment for the design and development of secure embedded systems,” APCOSEC Asia-Pac. Counc. Syst. Eng., pp. 8–11, 2013.
Keywords
Requirements modeling; Security Requirements Engineering; SysML Extension