776 research outputs found

    Towards a Catalogue of Reusable Security Requirements, Vulnerabilities and Threats

    Organizations are giving more importance to securing their systems due to the increasing number of cyber-attacks and inherent complexity. The aim of our work is to help organizations plan and consider these security concerns from the very beginning, starting in the requirements and design phases, and not just later in the implementation or deployment phases. Security-by-design and security-by-default principles are good approaches to avoid rework costs or to mitigate security flaws. However, there is not yet a suitable approach to specify security requirements in a rigorous and systematic way. In this paper we propose an approach that allows the definition and specification of security-specific concerns like security requirements but also vulnerabilities, risks or threats. We discuss this approach based on two key parts: First, we introduce the RSLingo RSL language, which is a rigorous requirements specification language, and discuss how it is extended to support such security-specific concepts. Second, we claim the relevance of a catalogue of reusable security-specific specifications and then we show concrete examples of defining and using such specifications. The proposed catalogue can be easily used and extended by the community and currently involves 52 goals, 12 vulnerabilities and 31 risks; these concerns are defined in 9 packages, each one representing a distinct asset.

    Rigorous Specification of Use Cases with the RSL Language

    The RSL language supports the specification of requirements in a systematic, rigorous and consistent way. RSL includes a large set of constructs to produce requirements specifications at different levels of abstraction, in different writing styles and for different types of requirements (e.g., goals, functional requirements, quality requirements, constraints, user stories, and use cases) and tests. This paper focuses only on the RSL views related to use cases, including those constructs directly relevant to the specification of data-intensive information systems, namely: actors, use cases, data entities, state machines, and their respective relationships. The explanation and discussion are supported by an illustrative example that shows how to produce such specifications. RSL offers an innovative approach that improves the way requirements specifications are defined and validated. In spite of other proposals, RSL is the first that integrates a large number of inter-related constructs that can be represented in a consistent and systematic way.

    The utilization of requirement statement methodologies in the United States Navy and their impact on systems acquisition.

    http://archive.org/details/utilizationofreq00pet

    Data collection procedures for the Software Engineering Laboratory (SEL) database

    This document is a guidebook to collecting software engineering data on software development and maintenance efforts, as practiced in the Software Engineering Laboratory (SEL). It supersedes the document entitled Data Collection Procedures for the Rehosted SEL Database, number SEL-87-008 in the SEL series, which was published in October 1987. It presents procedures to be followed on software development and maintenance projects in the Flight Dynamics Division (FDD) of Goddard Space Flight Center (GSFC) for collecting data in support of SEL software engineering research activities. These procedures include detailed instructions for the completion and submission of SEL data collection forms.

    Predicting Software Development Cost for Command and Control Systems

    In the past, the Department of Defense (DoD) has relied upon commercial software estimating tools. However, these tools are somewhat unreliable when it comes to estimating military systems, particularly Command and Control Systems. The purpose of this study was to develop a parametric model using linear regression to estimate software development costs for DoD Command and Control systems. The developed model is unique in a few ways. First, the model is derived from Department of Defense command and control data. Second, while traditional models require volumes of variables to create estimates, the developed model only requires a few key variables to estimate the amount of effort necessary to complete a project. The key variables were selected through analyzing common variables used in software cost estimating.

    Model Based Testing - From requirements to tests

    Automating software testing can significantly reduce the effort, time and cost of software testing throughout the entire development life cycle. Model-Based Testing (MBT) is a software testing technique in which test cases are generated from a model, an intermediate format requirements document, which provides multiple technical concerns of a given software system. This way it is possible to obtain test cases from requirements models to achieve an automation and systematization of the test process, according to certain coverage criteria. RSL stands for "Requirements Specification Language", which is a formal language to support and improve the production of system requirements specifications (SRS). Developed at Instituto Superior Técnico, Universidade de Lisboa, this approach arranges the different aspects of Requirements Engineering (RE) into several views containing a set of logical constructs. These constructs are defined as linguistic patterns, grammatical rules that guide the production of understandable and coherent textual sentences. This closes the gap between requirements representation and natural language, which is the root of many requirements quality problems (incorrectness, inconsistency, incompleteness, and ambiguity). This research presents TSL, an acronym for "Testing Specification Language", a model-based testing approach for formal and human-readable specification of test cases that is based on the nomenclature and grammar defined by RSL. By applying black-box testing design techniques, TSL allows the construction of three different requirement test patterns, from the perspective of acceptance tests, that are expressed in the RSL approach. Namely, Domain Analysis (equivalence partitioning and boundary value analysis for the definition of structural data class values); Use Case Testing (derivation of tests from the various process flows expressed by the use cases); and State Machine Testing (covering the sequence of states from event-based state transitions). The methodology developed was applied in a case study, a simple fictitious business information system, named "Billing System". This illustrates how TSL supports the testing development cycle as an end-to-end process and the verification of the internal consistency of RSL specification models, leading to an increasing quality of requirements.