nach oben

International Journal on Software Tools for Technology Transfer

Erschienen in:

01.06.2015 | Introduction

A process for mastering security evolution in the development lifecycle

verfasst von: Michael Felderer, Basel Katt

Erschienen in: International Journal on Software Tools for Technology Transfer | Ausgabe 3/2015

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Continuous system evolution makes it challenging to keep software systems permanently secure as changes either in the system itself or its environment may cause new threats and vulnerabilities. Therefore, suitable activities aligned with the software development process are required to master security evolution. This introduction to the special section on eternal security evolution presents a process for handling security evolution throughout the software development lifecycle and uses this process to position the individual contributions. We first present the underlying security development process comprising the phases initialization, security analysis, security design, security implementation, security testing, and security deployment. On this basis, we define the security evolution process comprising the activities security requirements review, adaptation of design models, code fixing and patch development, regression testing as well as re-deployment. Finally, the defined security evolution activities are discussed in context of the four articles on eternal security evolution presented in this special section of the International Journal on Software Tools for Technology Transfer.

Nächster Artikel Security risk analysis of system changes exemplified within the oil and gas domain

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Lehman, M.: On understanding laws, evolution, and conservation in the large-program lifecycle. J. Syst. Softw. 1, 213–221 (1980)CrossRef

Lehman, M.: Software’s future: managing evolution. IEEE Softw 15(1), 40–44 (1998)CrossRef

Windmüller, S., Neubauer, J., Steffen, B., Howar, F., Bauer, O.: Active continuous quality control. In: Proceedings of the 16th international ACM sigsoft symposium on component-based software engineering, pp. 111–120. ACM (2013)

Hein, D., Saiedian, H.: Secure software engineering: learning from the past to address future challenges. Inf. Secur. J.: Glob. Perspect. 18(1), 8–25 (2009)

De Win, B., Scandariato, R., Buyens, K., Grégoire, J., Joosen, W.: On the secure software development process: clasp, sdl and touchpoints compared. Inf. Softw. Technol. 51, 1152–1171 (2009)CrossRef

Gregoire, J., Buyens, K., Win, B.D., Scandariato, R., Joosen, W.: On the secure software development process: clasp and sdl compared. In: Proceedings of the 3rd international workshop on software engineering for secure systems, pp. 1. IEEE Computer Society (2007)

Noopur, D.: Secure software development life cycle processes. Technical report, Technical report CMU/SEI-2005-TN-024, Software Engineering Institute (2006)

McGraw, G.: Software security. Secur. Priv. IEEE 2(2), 80–83 (2004)CrossRef

Howard, M., Lipner, S.: The Security Development Lifecycle: SDL: A Process for Developing Demonstrably More Secure Software. Microsoft Press, Redmond (2006)

10.

Kissel, R., Stine, K.M., Scholl, M.A., Rossman, H., Fahlsing, J., Gulick, J.: Sp 800–64 rev. 2. Security considerations in the system development life cycle. Technical report, Gaithersburg, MD, United States (2008)

11.

OWASP: Comprehensive, lightweight application security process. http://www.owasp.org (2006)

12.

Radatz, J., Geraci, A., Katki, F.: IEEE standard glossary of software engineering terminology. IEEE Stand 610121990, 121990 (1990)

13.

Kissel, R., Stine, K.M., Scholl, M.A., Rossman, H., Fahlsing, J., Gulick, J.: Sp 800–64 rev. 2. Security considerations in the system development life cycle (2008)

14.

Felderer, M., Katt, B., Kalb, P., Jürjens, J., Ochoa, M., Paci, F., Tun, T.T., Yskout, K., Scandariato, R., Piessens, F., Vanoverberghe, D., Fourneret, E., Gander, M., Solhaug, B., Breu, R.: Evolution of security engineering artifacts: a state of the art survey. Int. J. Secur. Softw. Eng. (IJSSE) 5(4), 48–98 (2014)CrossRef

15.

Howard, M.: Building more secure software with improved development processes. IEEE Secur. Priv. 2(6), 63–65 (2004)CrossRef

16.

Viega, J.: Building security requirements with CLASP. ACM SIGSOFT Softw Eng Notes 30(4), 1–7 (2005)CrossRef

17.

Mcgraw, G.: Software Security: Building Security In (Addison-Wesley Software Security Series). Addison-Wesley Professional, Boston (2006)

18.

Davis, N., Humphrey, W., Redwine Jr, S.T., Zibulski, G., McGraw, G.: Processes for producing secure software. Secur. Priv. IEEE 2(3), 18–25 (2004)CrossRef

19.

Redwine, T.S., Noopur, D.: Processes to produce secure software. National Cyber Security Summit-USA (2004)

20.

Felderer, M., Agreiter, B., Zech, P., Breu, R.: A classification for model-based security testing. In: VALID 2011, the 3rd international conference on advances in system testing and validation lifecycle, pp. 109–114 (2011)

21.

Byers, D., Shahmehri, N.: Design of a process for software security. In: Availability, reliability and security, 2007. ARES 2007. In: The 2nd international conference on, pp. 301–309. IEEE (2007)

22.

Refsdal, A., Solhaug, B., Stølen, K.: Security risk analysis of system changes exemplified within the oil and gas domain. Int J Softw Tools Technol Transfer (2015, in this issue). doi:10.1007/s10009-014-0351-0

23.

Vanoverberghe, D., Piessens, F.: Policy ignorant caller-side inline reference monitoring. Int J Softw Tools Technol Transfer (2015, in this issue). doi:10.1007/s10009-014-0348-8

24.

Bürger, J., Jürjens, J., Wenzel, S.: Restoring security of evolving software models using graph transformation. Int J Softw Tools Technol Transfer (2015, in this issue). doi:10.1007/s10009-014-0364-8

25.

Felderer, M., Fourneret, E.: A systematic classification of security regression testing approaches. Int J Softw Tools Technol Transfer (2015, in this issue). doi:10.1007/s10009-015-0365-2

26.

Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer Science & Business Media, Berlin (2010)

Titel: A process for mastering security evolution in the development lifecycle
verfasst von: Michael Felderer
Basel Katt
Publikationsdatum: 01.06.2015
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal on Software Tools for Technology Transfer / Ausgabe 3/2015
Print ISSN: 1433-2779
Elektronische ISSN: 1433-2787
DOI: https://doi.org/10.1007/s10009-015-0371-4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 3/2015

Restoring security of evolving software models using graph transformation

Statistical model checking for biological systems

Workflows for quantitative data analysis in the social sciences

A systematic classification of security regression testing approaches

Policy ignorant caller-side inline reference monitoring

Incremental test case generation using bounded model checking: an application to automatic rating