A problem-based threat analysis in compliance with common criteria

Proceedings - 2013 International Conference on Availability, Reliability and Security, ARES 2013

Volumn , Issue , 2013, Pages 111-120

  Beckers, Kristian ^a   Hatebur, Denis ^b   Heisel, Maritta ^a  

^a UNIVERSITY OF DUISBURG ESSEN   (Germany)

^b ITESYS Institute for Technical Systems GmbH   (Germany)

Author keywords

Common Criteria; Document Generation; Model driven Engineering; Problem Frames; Security Requirements Engineering; Security Standards

Indexed keywords

COMMON CRITERIA; DOCUMENT GENERATION; MODEL-DRIVEN ENGINEERING; PROBLEM FRAMES; SECURITY REQUIREMENTS ENGINEERING; SECURITY STANDARDS;

SOFTWARE DESIGN;

SECURITY OF DATA;

EID: 84892423647     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ARES.2013.21     Document Type: Conference Paper

References (25)

1. ISO/IEC, "Common Criteria for Information Technology Security Evaluation," International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 15408, 2009.
2. B. Fabian, S. Gurses, M. Heisel, T. Santen, and H. Schmidt, "A comparison of security requirements engineering methods," Requirements Engineering-Special Issue on Security Requirements Engineering, vol. 15, no. 1, pp. 7-40, 2010.
3. F. Massacci, J. Mylopoulos, and N. Zannone, "Security Requirements Engineering: The SIModeling Language and the Secure Tropos Methodology," in AIIS, ser. SCI, Z. Ras and L.-S. Tsay, Eds. Springer, 2010, vol. 265, pp. 147-174.
4. A. van Lamsweerde, Requirements Engineering: From System Goals to UML Models to Software Specifications. John Wiley &Sons, 2009.
5. M. S. Lund, B. Solhaug, and K. Stølen, Model-Driven Risk Analysis: The CORAS Approach. Springer, 2010.
6. M. Jackson, Problem Frames. Analyzing and structuring software development problems. Addison-Wesley, 2001.
7. D. Hatebur, Pattern and Component-based Development of Dependable Systems. Deutscher Wissenschafts-Verlag (DWV) Baden-Baden, September 2012.
8. UML Revision Task Force, "OMG Object Constraint Language: Reference," February 2010. [Online]. Available: http://www.omg.org/ docs/formal/10-02-02.pdf
9. I. Cote, D. Hatebur, M. Heisel, and H. Schmidt, "UML4PF-a tool for problem-oriented requirements analysis," in Proceedings of RE. IEEE Computer Society, 2011, pp. 349-350.
10. UML Revision Task Force, OMG Unified Modeling Language: Superstructure, Object Management Group (OMG), May 2010.
11. D. Hatebur and M. Heisel, "A UML profile for requirements analysis of dependable software," in Proceedings of the International Conference on Computer Safety, Reliability and Security (SAFECOMP) (LNCS 6351), E. Schoitsch, Ed. Springer, 2010, pp. 317-331.
12. D. Hatebur, M. Heisel, and H. Schmidt, "A formal metamodel for problem frames," in Proceedings of the International Conference on Model Driven Engineering Languages and Systems (MODELS), vol. 5301. Springer Berlin / Heidelberg, 2008, pp. 68-82.
13. K. Beckers, I. Cote, D. Hatebur, S. Faßbender, and M. Heisel, "Common Criteria CompliAnt Software Development (CC-CASD)," in Proceedings 28th Symposium on Applied Computing. ACM, 2013, pp. 937-943. [Online]. Available: http://dl.acm.org
14. BSI, "Protection Profile for the Gateway of a Smart Metering System (Gateway PP)," Bundesamt fur Sicherheit in der Informationstechnik (BSI)-Federal Office for Information Security Germany, Version 01.01.01(final draft), 2011, https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/SmartMeter/ PP-SmartMeter.pdf? blob=publicationFile.
15. D. Mellado, E. Fernandez-Medina, and M. Piattini, "A comparison of the common criteria with proposals of information systems security requirements," in Proceedings of ARES, 2006, p. 8 pp.
16. D. Mellado, E. Fernandez-Medina, and M. Piattini, "Applying a security requirements engineering process," in ESORICS 2006, ser. LNCS 4189, D. Gollmann, J. Meier, and A. Sabelfeld, Eds. Springer Berlin / Heidelberg, 2006, pp. 192-206.
17. A. Bialas, "Ontology-based security problem definition and solution for the common criteria compliant development process," in Dependability of Computer Systems, vol. DepCos-RELCOMEX '09. Fourth International Conference on, 2009, pp. 3-10.
18. A. Bia?as, "Ontological approach to the it security development," in Internet-Technical Development and Applications, ser. Advances in Intelligent and Soft Computing, E. Tkacz and A. Kapczynski, Eds. Springer Berlin / Heidelberg, 2009, vol. 64, pp. 261-269.
19. S. Ardi and N. Shahmehri, "Introducing vulnerability awareness to common criteria's security targets," in Software Engineering Advances, 2009. ICSEA '09. Fourth International Conference on, 2009, pp. 419-424.
20. L. Lin, B. Nuseibeh, D. C. Ince, and M. Jackson, "Using abuse frames to bound the scope of security problems," in RE, 2004, pp. 354-355.
21. K. Schneider, E. Knauss, S. Houmb, S. Islam, and J. Jurjens, "Enhancing security requirements engineering by organizational learning," Requirements Engineering, vol. 17, pp. 35-56, 2012.
22. N. Mayer, P. Heymans, and R. Matulevicius, "Design of a modelling language for information system security risk management," in RCIS, 2007, pp. 121-132.
23. A. Ekelhart, S. Fenz, and T. Neubauer, "Aurum: A framework for information security risk management," in HICSS, 2009, pp. 1-10.
24. D. Dhillon, "Developer-driven threat modeling: Lessons learned in the trenches," IEEE Security and Privacy, vol. 9, no. 4, pp. 41-47, Jul. 2011.
25. ISO/IEC, "Information technology-Security techniques-Information security management systems-Requirements," International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), ISO/IEC 27001, 2005.