V-Model Role Engineering

The paper focuses on role engineering which is an important topic in the development of access control system, particularly when considering Role Based Access Control – RBAC models. Despite the wide use of RBAC in various applications, the role engineering process is not a standardized approach. The paper aims to define a methodology and a process model for role engineeringInformation security, access control systems, role based access control systems – RBAC, engineering methodologies, security policies, access control models

Why We Cannot (Yet) Ensure the Cybersecurity of Safety-Critical Systems

There is a growing threat to the cyber-security of safety-critical systems. The introduction of Commercial Off The Shelf (COTS) software, including Linux, specialist VOIP applications and Satellite Based Augmentation Systems across the aviation, maritime, rail and power-generation infrastructures has created common, vulnerabilities. In consequence, more people now possess the technical skills required to identify and exploit vulnerabilities in safety-critical systems. Arguably for the first time there is the potential for cross-modal attacks leading to future ‘cyber storms’. This situation is compounded by the failure of public-private partnerships to establish the cyber-security of safety critical applications. The fiscal crisis has prevented governments from attracting and retaining competent regulators at the intersection of safety and cyber-security. In particular, we argue that superficial similarities between safety and security have led to security policies that cannot be implemented in safety-critical systems. Existing office-based security standards, such as the ISO27k series, cannot easily be integrated with standards such as IEC61508 or ISO26262. Hybrid standards such as IEC 62443 lack credible validation. There is an urgent need to move beyond high-level policies and address the more detailed engineering challenges that threaten the cyber-security of safety-critical systems. In particular, we consider the ways in which cyber-security concerns undermine traditional forms of safety engineering, for example by invalidating conventional forms of risk assessment. We also summarise the ways in which safety concerns frustrate the deployment of conventional mechanisms for cyber-security, including intrusion detection systems

Combined automotive safety and security pattern engineering approach

Automotive systems will exhibit increased levels of automation as well as ever tighter integration with other vehicles, traffic infrastructure, and cloud services. From safety perspective, this can be perceived as boon or bane - it greatly increases complexity and uncertainty, but at the same time opens up new opportunities for realizing innovative safety functions. Moreover, cybersecurity becomes important as additional concern because attacks are now much more likely and severe. However, there is a lack of experience with security concerns in context of safety engineering in general and in automotive safety departments in particular. To address this problem, we propose a systematic pattern-based approach that interlinks safety and security patterns and provides guidance with respect to selection and combination of both types of patterns in context of system engineering. A combined safety and security pattern engineering workflow is proposed to provide systematic guidance to support non-expert engineers based on best practices. The application of the approach is shown and demonstrated by an automotive case study and different use case scenarios.EC/H2020/692474/EU/Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems/AMASSEC/H2020/737422/EU/Secure COnnected Trustable Things/SCOTTEC/H2020/732242/EU/Dependability Engineering Innovation for CPS - DEIS/DEISBMBF, 01IS16043, Collaborative Embedded Systems (CrESt

Web development evolution: the assimilation of web engineering security

In today’s e-commerce environment, information is an incredibly valuable asset. Surveys indicate that companies are suffering staggering financial losses due to web security issues. Analyzing the underlying causes of these security breaches shows that a significant proportion of them are caused by straightforward design errors in systems and not by failures in security mechanisms. There is significant research into security mechanisms but there is little research into the integration of these into software design processes, even those processes specifically designed for Web Engineering. Security should be designed into the application development process upfront through an independent flexible methodology that contains customizable components

Web development evolution: the assimilation of web engineering security

In today’s e-commerce environment, information is an incredibly valuable asset. Surveys indicate that companies are suffering staggering financial losses due to web security issues. Analyzing the underlying causes of these security breaches shows that a significant proportion of them are caused by straightforward design errors in systems and not by failures in security mechanisms. There is significant research into security mechanisms but there is little research into the integration of these into software design processes, even those processes specifically designed for Web Engineering. Security should be designed into the application development process upfront through an independent flexible methodology that contains customizable components

Issues Affecting Security Design Pattern Engineering

Security Design Patterns present the tried and tested design decisions made by security engineers within a well documented format. Patterns allow for complex security concepts, and mechanisms, to be expressed such that non domain experts can make use of them. Our research is concerned with the development of pattern languages for advanced crypto-systems. From our experience developing pattern languages we have encountered several recurring issues within security design pattern engineering. These issues, if not addressed, will affect the adoption of security design patterns. This paper describes these issues and discusses how they could be addressed