Evolution of security engineering artifacts: a state of the art survey

Security is an important quality aspect of modern open software systems. However, it is challenging to keep such systems secure because of evolution. Security evolution can only be managed adequately if it is considered for all artifacts throughout the software development lifecycle. This article provides state of the art on the evolution of security engineering artifacts. The article covers the state of the art on evolution of security requirements, security architectures, secure code, security tests, security models, and security risks as well as security monitoring. For each of these artifacts the authors give an overview of evolution and security aspects and discuss the state of the art on its security evolution in detail. Based on this comprehensive survey, they summarize key issues and discuss directions of future research

Quantifying usability of domain-specific languages: An empirical study on software maintenance

A domain-specific language (DSL) aims to support software development by offering abstractions to a particular domain. It is expected that DSLs improve the maintainability of artifacts otherwise produced with general-purpose languages. However, the maintainability of the DSL artifacts and, hence, their adoption in mainstream development, is largely dependent on the usability of the language itself. Unfortunately, it is often hard to identify their usability strengths and weaknesses early, as there is no guidance on how to objectively reveal them. Usability is a multi-faceted quality characteristic, which is challenging to quantify beforehand by DSL stakeholders. There is even less support on how to quantitatively evaluate the usability of DSLs used in maintenance tasks. In this context, this paper reports a study to compare the usability of textual DSLs under the perspective of software maintenance. A usability measurement framework was developed based on the cognitive dimensions of notations. The framework was evaluated both qualitatively and quantitatively using two DSLs in the context of two evolving object-oriented systems. The results suggested that the proposed metrics were useful: (1) to early identify DSL usability limitations, (2) to reveal specific DSL features favoring maintenance tasks, and (3) to successfully analyze eight critical DSL usability dimensions.This work was funded by B. Cafeo CAPES PhD Scholarship, and CNPq scholarship grant number 141688/2013-0; A. Garcia FAPERJ - distinguished scientist grant (number E-26/102.211/2009), CNPq - productivity grants (number 305526/2009-0 and 308490/2012-6), Universal project grants (number 483882/2009-7 and 485348/2011-0), and PUC-Rio (productivity grant).info:eu-repo/semantics/publishedVersio

INFORMATION FUSION IN CONTINUOUS ASSURANCE

We extend continuous assurance research by proposing a novel continuous assurance architecture grounded in information fusion research. Existing continuous assurance architectures focus primarily on methods of monitoring assurance clients’ systems to detect anomalous activities and have not addressed the question of how to process the detected anomalies. Consequently, actual implementations of these systems typically detect a large number of anomalies, with the resulting information overload leading to suboptimal decision making due to human information processing limitations. The proposed architecture addresses these issues by performing anomaly detection, aggregation and evaluation. Within the proposed architecture, artifacts developed in prior continuous assurance, ontology, and artificial intelligence research are used to perform the detection, aggregation and evaluation information fusion tasks. The architecture contributes to the academic continuous assurance literature and has implications for practitioners involved in the development of more robust and useful continuous assurance system

Conformance checking in UML artifact-centric business process models

Business artifacts have appeared as a new paradigm to capture the information required for the complete execution and reasoning of a business process. Likewise, conformance checking is gaining popularity as a crucial technique that enables evaluating whether recorded executions of a process match its corresponding model. In this paper, conformance checking techniques are incorporated into a general framework to specify business artifacts. By relying on the expressive power of an artifact-centric specification, BAUML, which combines UML state and activity diagrams (among others), the problem of conformance checking can be mapped into the Petri net formalism and its results be explained in terms of the original artifact-centric specification. In contrast to most existing approaches, ours incorporates data constraints into the Petri nets, thus achieving conformance results which are more precise. We have also implemented a plug-in, within the ProM framework, which is able to translate a BAUML into a Petri net to perform conformance checking. This shows the feasibility of our approach.Peer ReviewedPostprint (author's final draft

Healthcare systems protection: All-in-one cybersecurity approach

Cyber risks are increasingly widespread as healthcare organizations play a defining role in society. Several studies have revealed an increase in cybersecurity threats in the industry, which should concern us all. When it comes to cybersecurity, the consequences can be felt throughout the organization, from the smallest processes to the overall ability of the organization to function. Typically, a cyberattack results in the disclosure of confidential information that undermines your competitive advantage and overall trust. Healthcare as a critical sector has, like many other sectors, a late bet on its transformation to cybersecurity across the board. This dissertation reinforces this need by presenting a value-added solution that helps strengthen the internal processes of healthcare units, enabling their primary mission of saving lives while ensuring the confidentiality and security of patient and institutional data. The solution is presented as a technological composite that translates into a methodology and innovative artifact for integration, monitoring, and security of critical medical infrastructures based on operational use cases. The approach that involves people, processes, and technology is based on a model that foresees the evaluation of potential assets for integration and monitoring, as well as leveraging the efficiency in responding to security incidents with the formal development of a process and mechanisms for alert and resolution of exposure and attack scenarios. On a technical level, the artifact relies on the integration of a medical image archiving system (PACS) into a SIEM to validate application logs that are linked to rules to map anomalous behaviors that trigger the incident management process on an IHS platform with custom-developed features. The choice for integration in the validation prototype of the PACS system is based not only on its importance in the orchestration of activities in the organization of a health institution, but also with the recent recommendations of various cybersecurity agencies and organizations for the importance of their protection in response to the latest trends in cyberattacks. In line with the results obtained, this approach will have full applicability in a real operational context, following the latest practices and technologies in the sector.Os riscos cibernéticos estão cada vez mais difundidos à medida que as organizações de cuidados de saúde desempenham um papel determinante na sociedade. Vários estudos revelaram um aumento das ameaças de cibersegurança no setor, o que nos deve preocupar a todos. Quando se trata de cibersegurança, as consequências podem ser sentidas em toda a organização, desde os mais pequenos processos até à sua capacidade global de funcionamento. Normalmente, um ciberataque resulta na divulgação de informações confidenciais que colocam em causa a sua vantagem competitiva e a confiança geral. O healthcare como setor crítico apresenta, como muitos outros setores, uma aposta tardia na sua transformação para a cibersegurança de forma generalizada. Esta dissertação reforça esta necessidade apresentando uma solução de valor acrescentado que ajuda a potenciar os processos internos das unidades de saúde possibilitando a sua missão principal de salvar vidas, aumentando a garantia de confidencialidade e segurança dos dados dos pacientes e instituições. A solução apresenta-se como um compósito tecnológico que se traduz numa metodologia e artefacto de inovação para integração, monitorização e segurança de infraestruturas médicas críticas baseado em use cases de operação. A abordagem que envolve pessoas, processos e tecnologia assenta num modelo que prevê a avaliação de potenciais ativos para integração e monitorização, como conta alavancar a eficiência na resposta a incidentes de segurança com o desenvolvimento formal de um processo e mecanismos para alerta e resolução de cenários de exposição e ataque. O artefacto, a nível tecnológico, conta com a integração do sistema de arquivo de imagem médica (PACS) num SIEM para validação de logs aplicacionais que estão associados a regras que mapeiam comportamentos anómalos que originam o despoletar do processo de gestão de incidentes numa plataforma IHS com funcionalidades desenvolvidas à medida. A escolha para integração no protótipo de validação do sistema PACS tem por base não só a sua importância na orquestração de atividades na orgânica duma instituição de saúde, mas também com as recentes recomendações de várias agências e organizações de cibersegurança para a importância da sua proteção em resposta às últimas tendências de ciberataques. Em linha com os resultados auscultados, esta abordagem terá total aplicabilidade em contexto real de operação, seguindo as mais recentes práticas e tecnologias no sector

Pushing the Limits: Testing, Magnetometry and Ontario Lithic Scatters

Lithic scatters, small ephemeral clusters of stone artifacts on cultivated surfaces, lie on the periphery of archaeology. These sites are often too ephemeral to be fully understood through standardized fieldwork methodologies mandated in Ontario CRM archaeology and yet, they are widely regarded as worth documenting with hundreds now recorded. In this thesis, it is argued that what are small artifact scatters on the surface can belie more complex subsurface finds of significant cultural and historical value. As such, there is a need to reconsider the approaches made to the investigation of these sites. Geophysical techniques applied early in a scatter’s investigation, particularly magnetometry, have the ability to facilitate the extraction of more pertinent data about past peoples and their activities from such sites. Archaeological work was carried out at two sites near Kitchener, Ontario, in order to evaluate whether surface and excavated artifact densities correlate with preserved subsurface cultural deposits. This work also included a direct and positive attempt at one of the sites to test the utility of magnetometry in this process

Konsistente Feature Modell gesteuerte Softwareproduktlinien Evolution

SPLs are an approach to manage families of closely related software systems in terms of configurable functionality. A feature model captures common and variable functionalities of an SPL on a conceptual level in terms of features. Reusable artifacts, such as code, documentation, or tests are related to features using a feature-artifact mapping. A product of an SPL can be derived by selecting features in a configuration. Over the course of time, SPLs and their artifacts are subject to change. As SPLs are particularly complex, their evolution is a challenging task. Consequently, SPL evolution must be thoroughly planned well in advance. However, plans typically do not turn out as expected and, thus, replanning is required. Feature models lean themselves for driving SPL evolution. However, replanning of feature-model evolution can lead to inconsistencies and feature-model anomalies may be introduced during evolution. Along with feature-model evolution, other SPL artifacts, especially configurations, need to consistently evolve. The work of this thesis provides remedy to the aforementioned challenges by presenting an approach for consistent evolution of SPLs. The main contributions of this thesis can be distinguished into three key areas: planning and replanning feature-model evolution, analyzing feature-model evolution, and consistent SPL artifact evolution. As a starting point for SPL evolution, we introduce Temporal Feature Models (TFMs) that allow capturing the entire evolution timeline of a feature model in one artifact, i.e., past history, present changes, and planned evolution steps. We provide an execution semantics of feature-model evolution operations that guarantees consistency of feature-model evolution timelines. To keep feature models free from anomalies, we introduce analyses to detect anomalies in feature-model evolution timelines and explain these anomalies in terms of their causing evolution operations. To enable consistent SPL artifact evolution, we generalize the concept of modeling evolution timelines in TFMs to be applicable for any modeling language. Moreover, we provide a methodology that enables involved engineers to define and use guidance for configuration evolution.Softwareproduktlinien (SPLs) ermöglichen es, konfigurierbare Funktionalität von eng verwandten Softwaresystemen zu verwalten. In einem Feature Modell werden gemeinsame und variable Funktionalitäten einer SPL auf Basis abstrakter Features modelliert. Wiederverwendbare Artefakte werden in einem Feature-Artefakt Mapping Features zugeordnet. Ein Produkt einer SPL kann abgeleitet werden, indem Features in einer Konfiguration ausgewählt werden. Im Laufe der Zeit müssen sich SPLs und deren Artefakte verändern. Da SPLs ganze Softwarefamilien modellieren, ist deren Evolution eine besonders herausfordernde Aufgabe, die gründlich im Voraus geplant werden muss. Feature Modelle eignen sich besonders als Planungsmittel einer SPL. Umplanung von Feature Modell Evolution kann jedoch zu Inkonsistenzen führen und Feature Modell Anomalien können im Zuge der Evolution eingeführt werden. Im Anschluss an die Feature Modell Evolution muss die Evolution anderer SPL Artefakte, insbesondere Konfigurationen, konsistent modelliert werden. In dieser Arbeit wird ein Ansatz zur konsistenten Evolution von SPLs vorgestellt, der die zuvor genannten Herausforderungen adressiert. Die Beiträge dieser Arbeit lassen sich in drei Kernbereiche aufteilen: Planung und Umplanung von Feature Modell Evolution, Analyse von Feature Modell Evolution und konsistente Evolution von SPL Artefakten. Temporal Feature Models (TFMs) werden als Startpunkt für SPL Evolution eingeführt. In einem TFM wird die gesamte Evolutionszeitlinie eines Feature Modells in einem Artefakt abgebildet, was sowohl vergangene Änderungen, den aktuellen Zustand, als auch geplante Änderungen beinhaltet. Auf Basis einer Ausführungssemantik wird die Konsistenz von Feature Modell Evolutionszeitlinien sichergestellt. Um Feature Modelle frei von Anomalien zu halten, werden Analysen eingeführt, welche die gesamte Evolutionszeitlinie eines Feature Modells auf Anomalien untersucht und diese mit verursachenden Evolutionsoperationen erklärt. Das Konzept zur Modellierung von Feature Modell Evolutionszeitlinien aus TFMs wird verallgemeinert, um die gesamte Evolution von Modellen beliebiger Modellierungssprachen spezifizieren zu können. Des Weiteren wird eine Methodik vorgestellt, die beteiligten Ingenieuren eine geführte Evolution von Konfigurationen ermöglicht