Balancing Product and Process Assurance for Evolving Security Systems

Wolfgang Raschke, Massimiliano Zilli, Philipp Baumgartner, Johannes Loinig, Christian Steger, Christian Josef Kreiner

Research output: Contribution to journal, Article, Research, peer-review

Abstract

At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today’s volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard.
This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.
Language: English
Pages: 47
Number of pages: 29
Journal: International Journal of Secure Software Engineering
Volume: 6
Issue number: 1
DOI: 10.4018/ijsse.2015010103
Status: Published - 2015

Fingerprint

Security systems
Software design
Software engineering

Cite this

Balancing Product and Process Assurance for Evolving Security Systems. / Raschke, Wolfgang; Zilli, Massimiliano; Baumgartner, Philipp; Loinig, Johannes; Steger, Christian; Kreiner, Christian Josef.

In: International Journal of Secure Software Engineering, Vol. 6, No. 1, 2015, p. 47.

@article{8c254134c1134ed1bb4db2700040b664,
title = "Balancing Product and Process Assurance for Evolving Security Systems",
abstract = "At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today’s volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.",
author = "Wolfgang Raschke and Massimiliano Zilli and Philipp Baumgartner and Johannes Loinig and Christian Steger and Kreiner, {Christian Josef}",
year = "2015",
doi = "10.4018/ijsse.2015010103",
language = "English",
volume = "6",
pages = "47",
journal = "International Journal of Secure Software Engineering",
issn = "1947-3036",
publisher = "IGI Global Publishing",
number = "1",

}
