Balancing Product and Process Assurance for Evolving Security Systems

Wolfgang Raschke; Massimiliano Zilli; Philipp Baumgartner; Johannes Loinig; Christian Steger; Christian Josef Kreiner

doi:10.4018/ijsse.2015010103

Balancing Product and Process Assurance for Evolving Security Systems

Wolfgang Raschke, Massimiliano Zilli, Philipp Baumgartner, Johannes Loinig, Christian Steger, Christian Josef Kreiner

Institute of Technical Informatics (4480)

Research output: Contribution to journal › Article › peer-review

Abstract

At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today’s volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard.
This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.

Original language	English
Pages (from-to)	47
Number of pages	29
Journal	International Journal of Secure Software Engineering
Volume	6
Issue number	1
DOIs	https://doi.org/10.4018/ijsse.2015010103
Publication status	Published - 2015

Access to Document

10.4018/ijsse.2015010103

1 Finished
2 Active

Industrial Informatics
Krisper, M., Macher, G., Dobaj, J., Krug, T. & Seidl, M.
1/09/12 → …
Project: Research area
Hardware/Software-Codesign
Steger, C., Seifert, C., Stelzer, P., Feldbacher, M., Fiala, G. & Basic, F.
1/01/95 → …
Project: Research area
DAVID - Design-Flow for Java Operatingsystems on Low-End Smart Cards
Steger, C., Zilli, M. & Raschke, W.
1/01/12 → 28/02/15
Project: Research project

Cite this

@article{8c254134c1134ed1bb4db2700040b664,

title = "Balancing Product and Process Assurance for Evolving Security Systems",

abstract = "At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today{\textquoteright}s volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.",

author = "Wolfgang Raschke and Massimiliano Zilli and Philipp Baumgartner and Johannes Loinig and Christian Steger and Kreiner, {Christian Josef}",

year = "2015",

doi = "10.4018/ijsse.2015010103",

language = "English",

volume = "6",

pages = "47",

journal = "International Journal of Secure Software Engineering",

issn = "1947-3036",

publisher = "IGI Global Publishing",

number = "1",

}

TY - JOUR

T1 - Balancing Product and Process Assurance for Evolving Security Systems

AU - Raschke, Wolfgang

AU - Zilli, Massimiliano

AU - Baumgartner, Philipp

AU - Loinig, Johannes

AU - Steger, Christian

AU - Kreiner, Christian Josef

PY - 2015

Y1 - 2015

N2 - At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today’s volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.

AB - At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today’s volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.

U2 - 10.4018/ijsse.2015010103

DO - 10.4018/ijsse.2015010103

M3 - Article

VL - 6

SP - 47

JO - International Journal of Secure Software Engineering

JF - International Journal of Secure Software Engineering

SN - 1947-3036

IS - 1

ER -

Balancing Product and Process Assurance for Evolving Security Systems

Abstract

Access to Document

Fingerprint

Projects

Industrial Informatics

Hardware/Software-Codesign

DAVID - Design-Flow for Java Operatingsystems on Low-End Smart Cards

Cite this