Ontology-Based Support for Security Requirements Specification Process

The security requirements specification (SRS) is an integral aspect of the development of secured information systems and entails the formal documentation of the security needs of a system in a correct and consistent way. However, in many cases there is lack of sufficiently experienced security experts or security requirements (SR) engineer within an organization, which limits the quality of SR that are specified. This paper presents an approach that leverages ontologies and requirements boilerplates in order to alleviate the effect of lack of highly experienced personnel for SRS. It also offers a credible starting point for the SRS process. A preliminary evaluation of the tool prototype – ReqSec tool - was used to demonstrate the approach and to confirm its usability to support the SRS process. The tool helps to reduce the amount of effort required, stimulate discovery of latent security threats, and enables the specification of good quality SR

Software security requirements engineering: State of the art

Software Engineering has established techniques, methods and technology over two decades. However, due to the lack of understanding of software security vulnerabilities, we have not been so successful in applying software engineering principles that have been established for the past at least 25 years, when developing secure software systems. Therefore, software security can not be just added after a system has been built and delivered to customers as seen in today’s software applications. This keynote paper provides concise methods, techniques, and best practice requirements guidelines on software security and also discusses an Integrated-Secure SDLC model (IS-SDLC), which will benefit practitioners, researchers, learners, and educators

Method Families Concept: Application to Decision-Making Methods

International audienceThe role of variability in Software engineering grows increasingly as it allows developing solutions that can be easily adapted to a specific context and reusing existing knowledge. In order to deal with variability in the method engineering (ME) domain, we suggest applying the notion of method families. Method components are organized as a method family, which is configured in the given situation into a method line. In this paper, we motivate the concept of method families by comparing the existing approaches of ME. We detail then the concept of method families and illustrate it with a family of decision-making (DM) methods that we call MADISE

Developing a comprehensive information security framework for mHealth: a detailed analysis

It has been clearly shown that mHealth solutions, which is the use of mobile devices and other wireless technology to provide healthcare services, deliver more patient-focused healthcare, and improve the overall efficiency of healthcare systems. In addition, these solutions can potentially reduce the cost of providing healthcare in the context of the increasing demands of the aging populations in advanced economies. These solutions can also play an important part in intelligent environments, facilitating real-time data collection and input to enable various functionalities. However, there are several challenges regarding the development of mHealth solutions: the most important of these being privacy and data security. Furthermore, the use of cloud computing is becoming an option for the healthcare sector to store healthcare data; but storing data in the cloud raises serious concerns. This paper investigates how data are managed both on mHealth devices as well as in the cloud. Firstly, a detailed analysis of the entire mHealth domain is undertaken to determine domain-specific features and a taxonomy for mHealth, from which a set of security requirements are identified in order to develop a new information security framework. It then examines individual information security frameworks for mHealth devices and the cloud, noting similarities and differences. Furthermore, key mechanisms to implement the new framework are discussed and the new framework is then presented. Finally, the paper presents how the new framework could be implemented in order to develop an Advanced Digital Medical Platform

Information channel diagrams: an approach for modelling information flows

In this article, the ‘information channel diagram' (ICD) approach is introduced as a diagrammatical tool for modelling information flow during the delivery phase of organisations in which goods are deployed or delivered to customers. An initial review and evaluation of current tools for modelling information flow will be conducted based on the characteristics of information flow during the delivery phases in organisations. Diagrammatic primitives and a prescribed modelling methodology for developing an ICD will be presented, and a case scenario of the delivery phase of an organisation within the health care sector will be applied to demonstrate the use of the ICD. The article concludes by discussing some applications, generalisation potential and limitations of the ICD approa