2,905 research outputs found

    Software security requirements management as an emerging cloud computing service

    © 2016 Elsevier Ltd. All rights reserved. Emerging cloud applications are growing rapidly and the need for identifying and managing service requirements is also highly important and critical at present. Software Engineering and Information Systems has established techniques, methods and technology over two decades to help achieve cloud service requirements, design, development, and testing. However, due to the lack of understanding of software security vulnerabilities that should have been identified and managed during the requirements engineering phase, we have not been so successful in applying software engineering, information management, and requirements management principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security cannot just be added after a system has been built and delivered to customers as seen in today's software applications. This paper provides concise methods, techniques, and best practice requirements engineering and management as an emerging cloud service (SSREMaaES) and also provides guidelines on software security as a service. This paper also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators. This paper illustrates our approach for a large cloud system Amazon EC2 service.

    Engineering Blockchain Based Software Systems: Foundations, Survey, and Future Directions

    Many scientific and practical areas have shown increasing interest in reaping the benefits of blockchain technology to empower software systems. However, the unique characteristics and requirements associated with Blockchain Based Software (BBS) systems raise new challenges across the development lifecycle that entail an extensive improvement of conventional software engineering. This article presents a systematic literature review of the state-of-the-art in BBS engineering research from a software engineering perspective. We characterize BBS engineering from the theoretical foundations, processes, models, and roles and discuss a rich repertoire of key development activities, principles, challenges, and techniques. The focus and depth of this survey not only gives software engineering practitioners and researchers a consolidated body of knowledge about current BBS development but also underpins a starting point for further research in this field

    Domain- and Quality-aware Requirements Engineering for Law-compliant Systems

    Title in German translation: Domänen- und qualitätsgetriebene Anforderungserhebung für gesetzeskonforme Systeme. The long known credo of requirements engineering states that it is challenging to build the right system if you do not know what right is. There is strong evidence that this credo exactly defines and describes the necessity of requirements engineering. Fixing a defect when it is already fielded is reported to be up to eighty times more expensive than fixing the corresponding requirements defects early on. In general, conducting sufficient requirements engineering has shown to be a crucial success factor for software development projects. Throughout the progression from initial stakeholders' wishes regarding the system-to-be to a specification for the system-to-be requirements engineers have to undergo a complex decision process for forming the actual plan connecting stakeholder wishes and the final specification. Indeed, decision making is considered to be an inherent part of requirements engineering. 
In this thesis, we try to understand which activities and information are needed for selecting requirements, which the challenges are, how an ideal solution for selecting requirements would look like, and where the current state of the art is deficient regarding the ideal solution. Within this thesis we identify the information necessary for an informed requirements selection, present a process in which one collects all the necessary information, highlight the challenges to be addressed by this process and its activities, and a selection of methods to conduct the activities of the process. All the collected information is then used for an automated requirements selection using an optimization model which is also part of the contribution of this thesis. As we identified two major gaps in the state of the art considering the proposed process and its activities, we also present two novel methods for context elicitation and for legal compliance requirements elicitation to fill the gaps as part of the main contribution. Our solution for context elicitation enables a domain-specific context establishment based on patterns for different domains. The context patterns allow a structured elicitation and documentation of relevant stakeholders and technical entities for a system-to-be. Both, the documentation in means of graphical pattern instances and textual template instances as well as the method for collecting the necessary information are explicitly given in each context pattern. Additionally, we also provide the means which are necessary to derive new context patterns and extend our context patterns language which is part of this thesis. Our solution for legal compliance requirements elicitation is a pattern-based and guided method which lets one identify the relevant laws for a system-to-be, which is described in means of functional requirements, and which intertwines the functional requirements with the according legal requirements. 
This method relies on the collaboration of requirements engineers and legal experts, and bridges the gap between their distinct worlds. Our process is exemplified using a running example in the domain of service oriented architectures. Additionally, the results of applying (parts of) the process to real life cases from the smart grid domain and voting system domain are presented, as well as all other results from the scientific means we took to ground and validate the proposed solutions

    Legal compliance by design (LCbD) and through design (LCtD) : preliminary survey

    1st Workshop on Technologies for Regulatory Compliance co-located with the 30th International Conference on Legal Knowledge and Information Systems (JURIX 2017). The purpose of this paper is twofold: (i) carrying out a preliminary survey of the literature and research projects on Compliance by Design (CbD); and (ii) clarifying the double process of (a) extending business managing techniques to other regulatory fields, and (b) converging trends in legal theory, legal technology and Artificial Intelligence. The paper highlights the connections and differences we found across different domains and proposals. We distinguish three different policy-driven types of CbD: (i) business, (ii) regulatory, and (iii) legal. The recent deployment of ethical views, and the implementation of general principles of privacy and data protection lead to the conclusion that, in order to appropriately define legal compliance, Compliance through Design (CtD) should be differentiated from CbD.

    UNDERSTANDING USER PERCEPTIONS AND PREFERENCES FOR MASS-MARKET INFORMATION SYSTEMS – LEVERAGING MARKET RESEARCH TECHNIQUES AND EXAMPLES IN PRIVACY-AWARE DESIGN

    With cloud and mobile computing, a new category of software products emerges as mass-market information systems (IS) that addresses distributed and heterogeneous end-users. Understanding user requirements and the factors that drive user adoption are crucial for successful design of such systems. IS research has suggested several theories and models to explain user adoption and intentions to use, among them the IS Success Model and the Technology Acceptance Model (TAM). Although these approaches contribute to theoretical understanding of the adoption and use of IS in mass-markets, they are criticized for not being able to drive actionable insights on IS design as they consider the IT artifact as a black-box (i.e., they do not sufficiently address the system internal characteristics). We argue that IS needs to embrace market research techniques to understand and empirically assess user preferences and perceptions in order to integrate the "voice of the customer" in a mass-market scenario. More specifically, conjoint analysis (CA), from market research, can add user preference measurements for designing high-utility IS. CA has gained popularity in IS research, however little guidance is provided for its application in the domain. We aim at supporting the design of mass-market IS by establishing a reliable understanding of consumer’s preferences for multiple factors combining functional, non-functional and economic aspects. The results include a “Framework for Conjoint Analysis Studies in IS” and methodological guidance for applying CA. We apply our findings to the privacy-aware design of mass-market IS and evaluate their implications on user adoption. We contribute to both academia and practice. For academia, we contribute to a more nuanced conceptualization of the IT artifact (i.e., system) through a feature-oriented lens and a preference-based approach. 
We provide methodological guidelines that support researchers in studying user perceptions and preferences for design variations and extending that to adoption. Moreover, the empirical studies for privacy-aware design contribute to a better understanding of the domain specific applications of CA for IS design and evaluation with a nuanced assessment of user preferences for privacy-preserving features. For practice, we propose guidelines for integrating the voice of the customer for successful IS design.