A framework to support alignment of secure software engineering with legal regulations

Software and Systems Modeling

Volumn 10, Issue 3, 2011, Pages 369-394

  Islam, Shareeful ^a   Mouratidis, Haralambos ^b   Jürjens, Jan ^c,d  

^a TECHNICAL UNIVERSITY OF MUNICH   (Germany)

^b UNIVERSITY OF EAST LONDON   (United Kingdom)

^c TU DORTMUND UNIVERSITY   (Germany)

^d Fraunhofer Institute for Software and Systems Engineering (ISST)   (Germany)

Author keywords

Legal constraints; Modelling regulations; Non functional properties; Secure software engineering; Secure Tropos; Security requirements; UMLsec

Indexed keywords

LEGAL CONSTRAINT; MODELLING REGULATIONS; NON FUNCTIONAL PROPERTIES; SECURE SOFTWARE ENGINEERING; SECURE TROPOS; SECURITY REQUIREMENTS; UMLSEC;

COMPUTER SOFTWARE;

LAWS AND LEGISLATION;

EID: 79959729769     PISSN: 16191366     EISSN: 16191374     Source Type: Journal    
DOI: 10.1007/s10270-010-0154-z     Document Type: Article

References (43)

1. Herrmann, A., Kerkow, D., Doerr, J.: Exploring the Characteristics of NFR Methods-a Dialogue about two Approaches, REFSQ-Workshop on Requirements Engineering for Software Quality (2007), Foundations of Software Quality (2007).
2. Herrmann, A., Paech B.: MOQARE: misuse-oriented quality requirements engineering. Requir. Eng. J. 13(1), 73-86 (2008).
3. van Lamsweerde, A., Letier, E.: Handling obstacles in goal-oriented requirements engineering. IEEE Trans. Softw. Eng. Special Issue on Exception Handling 26(10), 978-1005 (2000).
4. Siena, A., Mylopoulos, J., Perini, A., Susi, A.: From laws to requirements. In: 1st International Workshop on Requirements Engineering and Law (Relaw'08).
5. Bundesdatenschutzgesetz - Federal Data Protection Act (as of 15 November 2006), http://www.bfdi.bund.de.
6. Haley, C. B., Laney, R., Moffett, J. D., Nuseibeh, B.: Arguing satisfaction of security requirements. In: Integrating Security and Software Engineering: Advances and Future Visions, pp. 16-43. Idea Publishing Group, Miami (2006).
7. Haley C. B., Laney R. C., Moffett J. D., Nuseibeh B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133-153 (2008).
8. Common attack pattern enumeration and classification (CAPEC). http://capec.mitre.org/.
9. Firesmith, D.: Engineering security requirements. J. Obj. Technol. 2(1) http://www.jot.fm/issues/issues_2003_01/column6 (2003).
10. Mellado D., Medina E., Piattini M.: A common criterion based security requirements engineering process for the development of secure information system. Comput. Stand. Interfaces 29, 244-253 (2007).
11. Massacci, F., Prest, M., Zannone, N.: Using a security requirements engineering methodology in practice: the compliance with the Italian data protection legislation, Technical Report DIT-04-103 (2004).
12. Sindre G., Opdahl A. L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34-44 (2005).
13. Sartor, G.: Fundamental legal concepts: a formal and teleological characterisation, EUI working paper LAW No. 2006/11.
14. Mouratidis H., Giorgini P.: Integrating Security and Software Engineering: Advances and Future Visions. Idea Group Publishing, Miami (2006).
15. Mouratidis, H., Jürjens, J., Fox, J.: Towards a comprehensive framework for secure systems development, CAiSE 2006. Lecture Notes in Computer Science, vol. 4001, pp. 48-62. Springer, Berlin (2006).
16. Mouratidis H., Giorgini P., Manson G.: When security meets software engineering: a case of modelling secure information systems. Inf. Syst. Elsevier 30(8), 609-629 (2005).
17. Mouratidis, H.: A security oriented approach in the development of multiagent systems: applied to the management of the health and social care needs of older people in England. PhD thesis, University of Sheffield, UK (2004).
18. Mouratidis H., Giorgini P.: Security Attack Testing (SAT)-testing the security of information systems at design time. Inf. Syst. 32(8), 1166-1183 (2007).
19. Mouratidis, H., Giorgini, P.: Integrating security and software engineering: an introduction. In: Integrating Security and Software Engineering: Advances and Future Actions, pp. 1-14. Idea Publishing Group, Miami (2006).
20. Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. (IJSEKE) 17(2), 285-309 (2007).
21. Information society, Summary of legislation, European Commission, http://europa.eu/legislation_summaries/information_society/index_en.htm.
22. Saltzer, J., Schroeder, M.: The protection of information in computer systems. Proc. IEEE 63(9), 1278-1308 (1975).
23. Jürjens J.: Secure Systems Development with UML. Springer, Berlin (2004).
24. Jürjens, J., Shabalin, P.: Tools for Secure Systems Development with UML. FASE 2004/05 special issue of the International Journal on Software Tools for Technology Transfer, 9(5-6), 527-544. Springer, Berlin (2007).
25. Jürjens, J.: Sound methods and effective tools for model-based security engineering with UML. ICSE 2005, ACM, pp. 322-331, (2005).
26. Chung L., Nixon B. A., Yu E., Mylopoulos, J.: Non-Functional Requirements in Software Engineering. Kluwer Academic Publishers, Dordrecht (1999).
27. May, M. J., Gunter, C. A., Lee, I.: Privacy APIs: access control techniques to analyze and verify legal privacy policies. In: Proceedings of the 19th Computer Security Foundations Workshop (2006).
28. Medical Privacy-National Standards to Protect the Privacy of Personal Health Information. Office for Civil Rights, US Department of Health and Human Services. http://www.hhs.gov/ocr/hipaa/finalreg.html (2000).
29. Mead, N. R.: Identifying security requirements using the security quality requirements engineering (SQUARE) method. In: Integrating Security and Software Engineering, pp. 44-69. Idea Publishing Group, Miami (2006).
30. Online news of November 15, 2004, http://digital.dmreview.com/dmreview.
31. Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: an agent oriented software development methodology. In: Journal of Autonomous Agents and Multi-Agent Systems, 8(3), 203-236. Kluwer Academic Publishers, Dordrecht (2004).
32. Devanbu, P., Stubblebine, S.: Software engineering for security: a roadmap. In: Proceedings of ICSE 2000 (the Conference of the Future of Software Engineering) (2000).
33. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modelling security requirements through ownership, permission and delegation. In: Proceedings of the 13th IEEE International Requirements Engineering Conference (RE'05), IEEE Computer Society Press, 29 August-2 September (2005).
34. Otto, P. N., Antón, A. I.: Addressing legal requirements in requirements engineering. In: 15th IEEE International R.E. Conference (2007).
35. Privacy Guidelines for Developing Software Products and Services, Version 3. 1, September, 2008, http://download.microsoft.com.
36. Darimont, R., Lemoine, M.: Goal-oriented analysis of regulations. In: Proceedings of the CAISE06 Workshop on Regulations Modelling and their Validation and Verification (ReMo2V '06). Luxemburg, 5-9 June 2006. http://sunsite.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-241.
37. Islam, S., Dong, W.: Security requirements addressing security risks for improving software quality. In: Workshop-Band Software-Qualitätsmodellierung und -bewertung (SQMB '08), Technical Report TUM-I0811, Technische Universität München, 2008, Munich, Germany (2008).
38. Islam, S., Jürjens, J.: Incorporating security requirements from legal regulations into UMLsec model, Modelling Security Workshop (MODSEC08). In: Association with MODELS '08, Toulouse, France, September (2008).
39. Ghanavati, S., Amyot, D., Peyton, L.: Towards a framework for tracking legal compliance in healthcare. In: Krogstie, J., Opdahl, A. L., Sindre, G. (eds.) 19th International Conference on Advanced Information Systems Engineering (CAiSE'07), pp. 218-232. Springer, Berlin (2007).
40. Breaux, T. D. Vail, M. W., Antón, A. I.: Towards regulatory compliance: extracting rights and obligations to align requirements with regulations. In: Proceedings of the 13th IEEE International Conference on Requirement Engineering (2006).
41. Breaux, T. D, Antón, A. I.: Analyzing regulator rules for privacy and security requirements. IEEE Trans. Softw. Eng. 34(1), 5-20 (2008).
42. Breaux, T. D., Antón, A. I.: Deriving semantic models from privacy policies. In: IEEE 6th Workshop on Policies for Distributed Systems and Networks, Stockholm, Sweden, pp. 67-76 (2005).
43. Hohfeld, W. N.: Fundamental legal conceptions as applied in judicial reasoning. Yale Law J. 23(1) (1913).