Applying security design analysis to a service-based system

Software - Practice and Experience

Volumn 35, Issue 9, 2005, Pages 873-897

  Chivers, Howard ^a   Fletcher, Martyn ^a  

^a UNIVERSITY OF YORK   (United Kingdom)

Author keywords

Design; Distributed systems; Grid; Risk; Security; Service based

Indexed keywords

COMPUTER APPLICATIONS; COMPUTER ARCHITECTURE; CONSTRAINT THEORY; DATA PROCESSING; DISTRIBUTED COMPUTER SYSTEMS; PROJECT MANAGEMENT; REAL TIME SYSTEMS; RISK ASSESSMENT;

DISTRIBUTED SYSTEMS; GRIDS; SECURITY; SERVICE-BASED;

SECURITY OF DATA;

EID: 22144449985     PISSN: 00380644     EISSN: None     Source Type: Journal    
DOI: 10.1002/spe.693     Document Type: Conference Paper

References (27)

1. Alberts C, Dorofee A. OCTAVE Method Implementation Guide Version 2.0. Carnegie Mellon, Software Engineering Institute, CERT Coordination Centre. Available at: http://www.cert.org/octave/download/intro.html.
2. Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology (NIST), SP 800-30, January 2002. Available at: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf.
3. Information Security Management Part 2: Specification for Information Security Management Systems. British Standards Institution, BS 7799-2, 1999.
4. Soo Hoo K, Sudbury AW, Jaquith AR. Tangible ROI through secure software engineering. Secure Business Quarterly 2001; 1(2). Available at: http://www.sbq.com/sbq/rosi/.
5. Drappa A, Ludewig J. Simulation in software engineering training. Proceedings of the 22nd International Conference on Software Engineering, Limerick, Ireland. ACM Press: New York, 2000; 199-208.
6. Fowler M. Refactoring: Improving the Design of Existing Code (The Addison-Wesley Object Technology Series). Addison-Wesley Longman: Reading, MA, 1999.
7. Jackson T, Austin J, Fletcher M, Jessop M. Delivering a Grid enabled Distributed Aircraft Maintenance Environment (DAME). Proceedings of the UK e-Science All Hands Meeting, Nottingham, U.K., 2003. EPSRC, 2003. Available at: http://www.nesc.ac.uk/events/ahm2003/AHMCD/.
8. Foster I, Kesselman C (eds.). The Grid 2: Blueprint for a New Computing Infrastructure. Morgan Kaufmann: San Mateo, CA, 2003.
9. Chivers H, Fletcher M. Adapting security risk analysis to service-based systems. Proceedings of the Grid Security Practice and Experience Workshop, Oxford, U.K. Technical Report YCS 380, Department of Computer Science, University of York, 2004.
10. Chivers H. Security and systems engineering. Technical Report YCS 378, Department of Computer Science, University of York, June 2004.
11. An Introduction to Computer Security: The NIST Handbook. National Institute of Standards and Technology (NIST), SP 800-12, October 1995. Available at: http://csrc.nist.gov/publications/nistpubs/800-12/.
12. Information Security Management Part 1: Code of Practice for Information Security Management, British Standards Institution, BS 7799-1, 1999.
13. Schneier B. Beyond Fear: Thinking Sensibly about Security in an Uncertain World. Springer: New York, 2003.
14. Baskerville R. Information systems security design methods: Implications for information systems development. ACM Computing Surveys 1993; 25(4):375-414.
15. Straub DW, Welke RJ. Coping with systems risk: Security planning models for management decision-making. MIS Quarterly 1998; 22(4):441-469.
16. Information Security Risk Assessment: Practices of Leading Organizations. United States General Accounting Office, GAO/AIMD-00-33, November 1999.
17. CRAMM Risk Assessment Tool Overview. Insight Consulting Limited. Available at: http://www.cramm.com/riskassessment.htm.
18. Dardenne A, Lamsweerde Av, Fickas S. Goal-directed requirements acquisition. Science of Computer Programming 1993; 20(1-2):3-50.
19. Lamsweerde Av. Goal-oriented requirements engineering: A guided tour. Proceedings of the 5th IEEE International Symposium on Requirements Engineering (RE '01), Toronto, Canada. IEEE Computer Society Press: Los Alamitos, CA, 2001; 249-263.
20. Chung L, Nixon BA. A dealing with non-functional requirements: Three experimental studies of a process-oriented approach. Proceedings of the 17th International Conference on Software Engineering, Seattle, WA. ACM Press: New York, 1995; 25-37.
21. Mylopoulos J, Chung L, Nixon B. Representing and using nonfunctional requirements: A process-oriented approach. IEEE Transactions on Software Engineering 1992; 18(6):483-497.
22. Chung L. Dealing with security requirements during the development of information systems. Proceedings of the 5th International Conference on Advanced Information Systems Engineering (CAiSE '93) (Lecture Notes in Computer Science, vol. 685). Springer: Berlin, 1993.
23. Antón AI, Earp JB. Strategies for developing policies and requirements for secure electronic commerce systems. Recent Advances in Secure and Private E-Commerce, Ghosh AK (ed.). Kluwer Academic Publishers, 2001; 29-46.
24. Moffett JD, Nuseibeh BA. A framework for security requirements engineering. Technical Report YCS-2003-368, Department of Computer Science, University of York, 20 August 2003.
25. Cysneiros LM, Leite JCSdP. Using UML to reflect non-functional requirements. Proceedings of the 2001 Conference of the Centre for Advanced Studies on Collaborative Research, Toronto, Ontario, Canada. IBM Press, 2001; 202-216.
26. Dimitrakos T, Raptis D, Ritchie B, Stølen K. Model-based security risk analysis for Web applications: The CORAS approach. Proceedings of the EuroWeb 2002. St Anne's College, Oxford, U.K. (Electronic Workshops in Computing). British Computer Society: Swindon, U.K., 2002. Available at: http://ewic.bcs.org/conferences/2002/euroweb/index.htm.
27. Braber Fd, Dimitrakos T, Gran BA, Lund MS, Stølen K, Aagedal JØ. Model-based risk management using UML and UP. UML and the Unified Process, Favre L (ed.). IRM Press: Hershey, PA, 2003; 332-357.