
    Security Assurance Cases -- State of the Art of an Emerging Approach

    Security Assurance Cases (SAC) are a form of structured argumentation used to reason about the security properties of a system. After the successful adoption of assurance cases for safety, SACs have gained significant traction in recent years, especially in safety-critical industries (e.g., automotive), where there is increasing pressure to comply with several security standards and regulations. Accordingly, research in the field of SAC has flourished in the past decade, with different approaches being investigated. In an effort to systematize this active field of research, we conducted a systematic literature review (SLR) of the existing academic studies on SAC. Our review resulted in an in-depth analysis and comparison of 51 papers. Our results indicate that, while there are numerous papers discussing the importance of security assurance cases and their usage scenarios, the literature is still immature with respect to concrete support for practitioners on how to build and maintain a SAC. More importantly, even though some methodologies are available, their validation and tool support are still lacking.
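As an added illustration of what "building and maintaining" a SAC means in practice (this is constructed for this page and is not taken from any of the reviewed papers), the block below encodes a minimal security assurance case as a claim tree and checks two things a practitioner cares about: claims that have nothing beneath them (open claims) and evidence that has passed its validity date (stale evidence). The node kinds claim, strategy and evidence follow the usual structured-argument vocabulary rather than a specific paper's notation; the service, the claim texts, the CI build number and the report dates are all invented.

```python
"""A minimal security assurance case (SAC) as a claim tree, with a check that
reports open claims (no argument or evidence beneath them) and stale evidence.
Constructed illustration; not the notation of any paper in the review."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Node:
    kind: str                          # "claim", "strategy" or "evidence"
    text: str
    children: List["Node"] = field(default_factory=list)
    valid_until: Optional[str] = None  # evidence only: ISO date after which it is stale


def claim(text: str, *children: Node) -> Node:
    return Node("claim", text, list(children))


def strategy(text: str, *children: Node) -> Node:
    return Node("strategy", text, list(children))


def evidence(text: str, valid_until: Optional[str] = None) -> Node:
    return Node("evidence", text, [], valid_until)


def _fresh(ev: Node, today: date) -> bool:
    return ev.valid_until is None or today <= date.fromisoformat(ev.valid_until)


def _supported(node: Node, today: date) -> bool:
    """A claim or strategy is supported only if every child is; a leaf claim is not."""
    if node.kind == "evidence":
        return _fresh(node, today)
    return bool(node.children) and all(_supported(c, today) for c in node.children)


def check_case(root: Node, today_iso: str) -> Tuple[bool, List[str], List[str]]:
    """Return (whole case supported?, open claims, stale evidence) as of today_iso."""
    today = date.fromisoformat(today_iso)
    open_claims: List[str] = []
    stale: List[str] = []

    def walk(n: Node) -> None:
        if n.kind == "claim" and not n.children:
            open_claims.append(n.text)
        if n.kind == "evidence" and not _fresh(n, today):
            stale.append(n.text)
        for c in n.children:
            walk(c)

    walk(root)
    return _supported(root, today), open_claims, stale


def build_example_case() -> Node:
    """Constructed SAC for a fictitious service; all evidence references are invented."""
    return claim(
        "Customer records are not readable by unauthenticated clients",
        strategy(
            "Argue over every network path to the records",
            claim("Every HTTP API route requires a valid bearer token",
                  evidence("auth middleware tests green in CI build 412 (constructed)")),
            claim("The admin port is not reachable from the Internet",
                  evidence("external port-scan report (constructed)", valid_until="2024-06-30")),
            claim("The database accepts connections only from the application subnet"),
        ),
    )


if __name__ == "__main__":
    for day in ("2024-05-15", "2024-08-01"):
        print(day, check_case(build_example_case(), day))
```

Run on 2024-05-15 the case is rejected because the database claim is open; run on 2024-08-01 it is additionally rejected because the port-scan evidence has expired. The strict rule that a parent is supported only if all of its children are is a design choice: it makes the top claim fail loudly as soon as any one piece of evidence goes stale, which is the maintenance signal the review finds practitioners lack.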

    A Rapid Prototyping Language Workbench for Textual DSLs based on Xtext: Vision and Progress

    Metamodel-based DSL development in language workbenches like Xtext allows language engineers to focus on metamodels and domain concepts rather than grammar details. However, the grammar generated from metamodels often requires manual modification, which can be tedious and time-consuming. Especially during rapid prototyping and language evolution, the grammar is regenerated repeatedly, so language engineers must repeat such manual modifications each time. Previous work introduced GrammarOptimizer, which automatically improves the generated grammar using optimization rules. However, the optimization rules need to be configured manually, which lacks user-friendliness and convenience. In this paper, we present our vision for and current progress towards a language workbench that integrates GrammarOptimizer's grammar optimization rules to support rapid prototyping and evolution of metamodel-based languages. It provides a visual configuration of optimization rules and a real-time preview of the effects of grammar optimization to address the limitations of GrammarOptimizer. Furthermore, it supports the inference of a grammar based on examples from model instances and offers a selection of language styles. These features aim to raise the level of automation of metamodel-based DSL development with Xtext and assist language engineers in iterative development and rapid prototyping. Our paper discusses the potential and applications of this language workbench, as well as how it fills the gaps in existing language workbenches.
    Comment: 6 pages, 3 figures.

    The state of adoption and the challenges of systematic variability management in industry

    Handling large-scale software variability is still a challenge for many organizations. After decades of research on variability management concepts, many industrial organizations have introduced techniques known from research, but still lament that pure textbook approaches are not applicable or efficient. For instance, software product line engineering, an approach to systematically develop portfolios of products, is difficult to adopt given the high upfront investments; and even when adopted, organizations are challenged by evolving their complex product lines. Consequently, the research community now mainly focuses on re-engineering and evolution techniques for product lines; yet, understanding the current state of adoption and the industrial challenges for organizations is necessary to conceive effective techniques. In this multiple-case study, we analyze the current adoption of variability management techniques in twelve medium- to large-scale industrial cases in domains such as automotive, aerospace or railway systems. We identify the current state of variability management, emphasizing the techniques and concepts they adopted. We elicit the needs and challenges expressed for these cases, triangulated with results from a literature review. We believe our results help to understand the current state of adoption and shed light on gaps to address in industrial practice.
    This work is supported by Vinnova Sweden, Fonds Unique Interministériel (FUI) France, and the Swedish Research Council. Open access funding provided by University of Gothenburg.

    Involving External Stakeholders in Project Courses

    Problem: The involvement of external stakeholders in capstone projects and project courses is desirable due to its potential positive effects on the students. Capstone projects particularly profit from the inclusion of an industrial partner to make the project relevant and help students acquire professional skills. In addition, an increasing push towards education that is aligned with industry and incorporates industrial partners can be observed. However, the involvement of external stakeholders in teaching moments can create friction and could, in the worst case, lead to frustration of all involved parties. Contribution: We developed a model that allows analysing the involvement of external stakeholders in university courses both in a retrospective fashion, to gain insights from past course instances, and in a constructive fashion, to plan the involvement of external stakeholders. Key Concepts: The conceptual model and the accompanying guideline guide the teachers in their analysis of stakeholder involvement. The model is comprised of several activities (define, execute, and evaluate the collaboration). The guideline provides questions that the teachers should answer for each of these activities. In the constructive use, the model allows teachers to define an action plan based on an analysis of potential stakeholders and the pedagogical objectives. In the retrospective use, the model allows teachers to identify issues that appeared during the project and their underlying causes. Drawing from ideas of the reflective practitioner, the model contains an emphasis on reflection and interpretation of the observations made by the teacher and other groups involved in the courses. Key Lessons: Applying the model retrospectively to a total of eight courses shows that it is possible to reveal hitherto implicit risks and assumptions and to gain a better insight into the interaction...
    Comment: Abstract shortened since arxiv.org limits the length of abstracts. See paper/pdf for the full abstract. Paper is forthcoming, accepted August 2017. Arxiv version 2 corrects a misspelled author name.

    Collaborative traceability management: a multiple case study from the perspectives of organization, process, and culture

    Traceability is crucial for many activities in software and systems engineering including monitoring the development progress, and proving compliance with standards. In practice, the use and maintenance of trace links are challenging as artifacts undergo constant change, and development takes place in distributed scenarios with multiple collaborating stakeholders. Although traceability management in general has been addressed in previous studies, there is a need for empirical insights into the collaborative aspects of traceability management and how it is situated in existing development contexts. The study reported in this paper aims to close this gap by investigating the relation of collaboration and traceability management, based on an understanding of characteristics of the development effort. In our multiple exploratory case study, we conducted semi-structured interviews with 24 individuals from 15 industrial projects. We explored which challenges arise, how traceability management can support collaboration, how collaboration relates to traceability management approaches, and what characteristics of the development effort influence traceability management and collaboration. We found that practitioners struggle with the following challenges: (1) collaboration across team and tool boundaries, (2) conveying the benefits of traceability, and (3) traceability maintenance. If these challenges are addressed, we found that traceability can facilitate communication and knowledge management in distributed contexts. Moreover, there exist multiple approaches to traceability management with diverse collaboration approaches, i.e., requirements-centered, developer-driven, and mixed approaches. While traceability can be leveraged in software development with both agile and plan-driven paradigms, a certain level of rigor is needed to realize its benefits and overcome challenges. To support practitioners, we provide principles of collaborative traceability management. 
The main contribution of this paper is empirical evidence of how culture, processes, and organization impact traceability management and collaboration, and principles to support practitioners with collaborative traceability management. We show that collaboration and traceability management have the potential to be mutually beneficial: when one is invested in, the other is positively affected as well.

    SoK: Security of Microservice Applications: A Practitioners' Perspective on Challenges and Best Practices

    Cloud-based application deployment is becoming increasingly popular among businesses, thanks to the emergence of microservices. However, securing such architectures is a challenging task, since traditional security concepts cannot be directly applied to microservice architectures due to their distributed nature. The situation is exacerbated by the scattered nature of guidelines and best practices advocated by practitioners and organizations in this field. In this paper we aim to shed light on the current microservice security discussions hidden within Grey Literature (GL) sources. In particular, we identify the challenges that arise when securing microservice architectures, as well as the solutions recommended by practitioners to address these issues. For this, we conducted a systematic GL study on the challenges and best practices of microservice security available on the Internet, with the goal of capturing relevant discussions in blogs, white papers, and standards. We collected 312 GL sources, of which 57 were rigorously classified and analyzed. On the one hand, this analysis validated past academic literature studies in the area of microservice security; on the other, it identified improvements to existing methodologies, pointing towards future research directions.
    Comment: Accepted at the 17th International Conference on Availability, Reliability and Security (ARES 2022).

    Large-Scale Open Self-Organising Systems: Managing Complexity with Hierarchies, Monitoring, Adaptation, and Principled Design

    Systems of a very large scale, including several thousand independent components interacting and working together, are becoming increasingly ubiquitous in mission-critical operations. A prominent example of this development is power management systems, which have grown tremendously in size and complexity with the increased installation of distributed energy resources such as small solar installations and biogas plants. Other examples include civil protection and disaster management systems as well as planet-wide logistics systems. Centralised control in such systems is unable to process the amount of data that is produced and to make timely control decisions. The key to handling the complexity is thus increasing their autonomy, i.e., the ability of the individual component to make decisions on its own, based on its locally available information and in coordination with other components in the system. Full decentralisation, however, means that it becomes impossible to make optimal decisions, since the limited knowledge of the decision maker forces it to ignore over-arching issues. This thesis thus proposes to use hierarchical system structures in which agents have regional knowledge and are able to delegate decisions to superiors if their information is insufficient. For this purpose, it introduces methods for hierarchical self-organisation that create a hierarchical structure suitable for making timely, yet good decisions. It further details a monitoring infrastructure for hierarchically structured systems that can be automatically transformed from system requirements models and allows misbehaviour in a hierarchical system to be detected. To this end, the correct behaviour of the system is defined in the same requirements, using hard constraints that define a corridor of correct behaviour and soft constraints, specified with constraint relationships, that define optimal behaviour.
    This monitoring infrastructure is coupled to controllers that can reconfigure a hierarchical system by solving constraint satisfaction problems, based on the same constraints as the monitoring infrastructure, and use model synthesis and abstraction to propagate information and control decisions through a hierarchical system. Finally, an agent-oriented software engineering process allows the development of open self-organising multi-agent systems in an agile, iterative-incremental way by incorporating important aspects of these systems into the process and providing important guidelines.
    German abstract (translated): Very large systems, i.e., those in which several thousand independent components interact and work together, are becoming ever more important in mission-critical environments. A prominent example is energy management systems, which have experienced enormous growth in size and complexity through the wide spread of decentralised energy producers based on renewable energies. Further examples are civil protection and disaster management systems as well as global logistics systems. In such systems, the previous centralised control is no longer able, or only to a strongly limited degree, to process the accruing data and to make control decisions in time. The key to handling this complexity is increasing the autonomy of the systems, that is, the ability of the individual components to make their own decisions on the basis of locally available information and of coordination with other components in the system. Full decentralisation, however, means that it becomes impossible to make optimal decisions, since the limited information available to the individual decision maker may cause overarching issues to be ignored. This dissertation therefore proposes the use of hierarchical system structures in which the individual component, referred to below as an agent, has regional knowledge of its environment and is able to hand decisions over to superior instances when its own information is insufficient. For this purpose, a hierarchical self-organisation method is introduced that establishes hierarchical structures in which decisions can be made promptly and with high quality. Furthermore, an infrastructure for system observation is developed that can detect misbehaviour of the system on the basis of the hierarchy. This infrastructure can be derived automatically by model transformation from the previously elicited requirements. In these, the correct behaviour of the system is specified by stating a behaviour corridor consisting of hard constraints and of soft constraints, the latter expressed with the help of constraint relationships and specifying optimal behaviour. This infrastructure is coupled with control methods that reconfigure and adapt the system at runtime by solving constraint satisfaction problems based on the same constraints as the behaviour corridors. Model synthesis and abstraction propagate this information and the control decisions through the hierarchy, so that the right decision maker always has the necessary data at hand. Finally, an agent-oriented software development process makes it possible to build open self-organising multi-agent systems in an agile, iterative-incremental manner that takes the important and unique aspects of this system class into account and provides corresponding tools and guidelines.
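The corridor monitoring and delegated reconfiguration sketched in the abstract above, as an added example written for this page (it is not the thesis's own code, models or notation). A region agent knows only its own plants and demand; a hard constraint is the corridor "production within demand plus or minus a tolerance", soft constraints are listed most dominant first and compared lexicographically, which is how the constraint-relationship idea is approximated here. When the monitor reports a corridor violation the region first tries to repair it by brute-force constraint satisfaction over its own discrete set-points; if no local assignment exists it delegates to a superior that sees all plants of its regions and relaxes the regional corridors to one aggregate corridor. The regions, plants, set-points, demands and constraint names are all constructed.

```python
"""Hierarchical corridor monitoring and CSP-based reconfiguration with delegation.
Constructed illustration of the scheme described in the abstract above; the
regions, plants, set-points and constraint names are invented for the example."""
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

Assignment = Dict[str, int]                        # plant name -> set-point in kW
Soft = Tuple[str, Callable[[Assignment], bool]]    # soft constraints, most dominant first


def solve(plants: Dict[str, List[int]], hard: Callable[[Assignment], bool],
          soft: List[Soft]) -> Optional[Assignment]:
    """Exhaustive CSP over discrete set-points: keep only assignments inside the hard
    corridor, then rank them by the tuple of soft-constraint outcomes, so a more
    dominant constraint is never traded for a less dominant one."""
    names = list(plants)
    best, best_key = None, None
    for combo in product(*(plants[n] for n in names)):
        a = dict(zip(names, combo))
        if not hard(a):
            continue
        key = tuple(p(a) for _, p in soft)       # True > False in tuple comparison
        if best_key is None or key > best_key:
            best, best_key = a, key
    return best


class Region:
    """Agent with regional knowledge only: its own plants and its own demand."""
    def __init__(self, name: str, plants: Dict[str, List[int]], demand: int,
                 tolerance: int, soft: List[Soft]):
        self.name, self.plants, self.soft = name, plants, soft
        self.demand, self.tolerance = demand, tolerance

    def hard(self, a: Assignment) -> bool:
        # corridor of correct behaviour: production within demand +/- tolerance
        return abs(sum(a.values()) - self.demand) <= self.tolerance

    def monitor(self, observed: Assignment) -> Dict[str, object]:
        return {"hard_violation": not self.hard(observed),
                "soft_violated": [n for n, p in self.soft if not p(observed)]}

    def reconfigure(self) -> Optional[Assignment]:
        return solve(self.plants, self.hard, self.soft)


class Superior:
    """Next level up: sees every plant of its regions and relaxes the regional
    corridors to one aggregate corridor, so surplus in one region may cover a
    deficit in another."""
    def __init__(self, regions: List[Region], soft: List[Soft]):
        self.regions, self.soft = regions, soft
        self.plants = {f"{r.name}.{p}": s for r in regions for p, s in r.plants.items()}

    def hard(self, a: Assignment) -> bool:
        demand = sum(r.demand for r in self.regions)
        tol = sum(r.tolerance for r in self.regions)
        return abs(sum(a.values()) - demand) <= tol

    def reconfigure(self) -> Optional[Assignment]:
        return solve(self.plants, self.hard, self.soft)


def handle(region: Region, superior: Superior,
           observed: Assignment) -> Tuple[str, Optional[Assignment]]:
    """Monitor, then adapt: the region repairs a corridor violation itself if its
    local CSP has a solution and delegates to its superior otherwise."""
    if not region.monitor(observed)["hard_violation"]:
        return "ok", observed
    local = region.reconfigure()
    if local is not None:
        return "local", local
    return "delegated", superior.reconfigure()


def build_example() -> Tuple[Region, Region, Superior]:
    """Two constructed regions under one superior; all numbers are invented."""
    north = Region("north", {"solar": [0, 50, 100], "gas": [0, 80]}, demand=150, tolerance=10,
                   soft=[("no_gas", lambda a: a["gas"] == 0),
                         ("solar_max", lambda a: a["solar"] == 100)])
    south = Region("south", {"solar": [0, 60], "biogas": [0, 40, 80]}, demand=100, tolerance=10,
                   soft=[("solar_max", lambda a: a["solar"] == 60)])
    top = Superior([north, south],
                   soft=[("no_gas", lambda a: a["north.gas"] == 0),
                         ("solar_max", lambda a: a["north.solar"] + a["south.solar"] == 160)])
    return north, south, top


if __name__ == "__main__":
    north, south, top = build_example()
    print(handle(north, top, {"solar": 50, "gas": 80}))    # north alone cannot reach its corridor
    print(handle(south, top, {"solar": 0, "biogas": 80}))  # south repairs locally
```

In the constructed data no combination of north's own set-points lands inside its corridor of 140 to 160 kW, so the north agent escalates; the superior, whose aggregate corridor is 230 to 270 kW, finds an assignment in which south over-produces to cover north's deficit while the dominant soft constraint (no gas) still holds. That is exactly the information the regional agent lacked.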