Model-Based Security Testing
Security testing aims at validating software system requirements related to
security properties like confidentiality, integrity, authentication,
authorization, availability, and non-repudiation. Although security testing
techniques have been available for many years, there have been few approaches that
allow for the specification of test cases at a higher level of abstraction, for
enabling guidance on test identification and specification, as well as for
automated test generation.
Model-based security testing (MBST) is a relatively new field and is especially
dedicated to the systematic and efficient specification and documentation of
security test objectives, security test cases and test suites, as well as to
their automated or semi-automated generation. In particular, the combination of
security modelling and test generation approaches is still a challenge in
research and of high interest for industrial applications. MBST includes, e.g.,
security functional testing, model-based fuzzing, risk- and threat-oriented
testing, and the usage of security test patterns. This paper provides a survey
on MBST techniques and the related models as well as samples of new methods and
tools that are under development in the European ITEA2 project DIAMONDS.
Comment: In Proceedings MBT 2012, arXiv:1202.582
A Business Goal Driven Approach for Understanding and Specifying Information Security Requirements
In this paper we present an approach for specifying and prioritizing
information security requirements in organizations. It is important
to prioritize security requirements since one hundred per cent security is
not achievable and the limited resources available should be directed to
satisfy the most important ones. We propose to explicitly link security
requirements with the organization's business vision, i.e. to provide business
rationale for security requirements. The rationale is then used as a
basis for comparing the importance of different security requirements.
A conceptual framework is presented, where the relationships between
business vision, critical impact factors and valuable assets (together with
their security requirements) are shown.
Understanding and Specifying Information Security Needs to Support the Delivery of High Quality Security Services
In this paper we present an approach for specifying and prioritizing information security requirements in organizations. It is important to prioritize security requirements since one hundred per cent security is
not achievable and the limited resources available should be directed to satisfy the most important ones. We propose to explicitly link security requirements with the organization's business vision, i.e. to provide business
rationale for security requirements. The rationale is then used as a basis for comparing the importance of different security requirements.
Furthermore, we discuss how to integrate the aforementioned solution concepts into a service level management process for security services, which is an important step in IT governance. We validate our approach by way of a focus group session.
Pattern-driven security, privacy, dependability and interoperability management of IoT environments
Achieving Security, Privacy, Dependability and Interoperability (SPDI) is of paramount importance for the ubiquitous deployment and impact maximization of Internet of Things (IoT) applications. Nevertheless, said requirements are not only difficult to achieve at system initialization, but also hard to prove and maintain at run-time. This paper highlights an approach to tackling the above challenges, through the definition of a pattern language and a framework that can guarantee SPDI in IoT orchestrations. By integrating pattern reasoning engines at the various layers of the IoT infrastructure, and a machine-processable representation of said patterns through Drools rules, the proposed framework can provide ways to fulfill SPDI requirements at design time, and also provide the means to guarantee those SPDI properties at run-time and manage the orchestrations accordingly. Moreover, an application example of the framework is presented in an Industrial IoT monitoring environment.