A common criteria based security requirements engineering process for the development of secure information systems

https://doi.org/10.1016/j.csi.2006.04.002

Abstract

In order to develop security critical Information Systems, specifying security quality requirements is vitally important, although it is a very difficult task. Fortunately, there are several security standards, like the Common Criteria (ISO/IEC 15408), which help us handle security requirements. This article will present a Common Criteria centred and reuse-based process that deals with security requirements at the early stages of software development in a systematic and intuitive way, by providing a security resources repository as well as integrating the Common Criteria into the software lifecycle, so that it unifies the concepts of requirements engineering and security engineering.

Introduction

In recent years more and more organizations have become heavily dependent on Information Systems (IS). At the same time, software applications are increasingly ubiquitous, heterogeneous, mission-critical and vulnerable to unintentional or intentional security incidents [4], [10]. It is therefore vital that IS are properly secured from the very beginning [1], [14]: the organizations that place their trust in these IS face real losses if they are not, and addressing security early is cost-effective and produces more robust designs. Security is consequently among the non-functional requirements that are now taken most seriously.

However, the growing complexity of applications and services brings with it a correspondingly greater difficulty in developing security critical IS. To address this problem, a large collection of security standards has been developed over the last few years to ease the task of building security critical IS. Standards such as ISO/IEC 17799, ISO/IEC 13335 and ISO/IEC 15408 each help us deal with security requirements in some way throughout the IS development cycle, although none of them provides methodological support. Moreover, despite this spectacular growth, there are still no development processes that support a systematic treatment of security requirements across all stages of the software development lifecycle.

A very important part of the software development process for achieving secure software systems is the one known as Security Requirements Engineering, which provides techniques, methods and standards for tackling this task within the IS development cycle. It should involve the use of repeatable and systematic procedures so that the resulting set of requirements is complete, consistent, easy to understand and analyzable by the different actors involved in the development of the system [11]. A good requirements specification document should include both functional requirements (related to the services the software or system should provide) and non-functional requirements (related to quality attributes such as performance, portability, security, etc.).

After performing a comparative analysis of several relevant proposals for IS security requirements, such as those of Toval et al. 2001 [20], Popp et al. 2003 [18], Firesmith 2003 [7] and Breu et al. 2004 [3], in Ref. [16], we concluded that these proposals neither reach the desired level of integration into IS development nor are specific enough for a systematic and intuitive treatment of IS security requirements at the first stages of software development. Therefore, in this article we present the Security Requirements Engineering Process (SREP), which describes how to integrate security requirements into the software engineering process in a systematic and intuitive way. To achieve this, our approach integrates the Common Criteria (CC) (ISO/IEC 15408) into the software lifecycle model; the CC help us specify security requirements, specify the security attributes of products, and determine whether products actually meet their claims. Furthermore, we suggest evaluating the security of the IS together with the security engineering process, by using the CC assurance requirements and the Systems Security Engineering Capability Maturity Model (SSE-CMM) at the same time, following the CC_SSE-CMM approach of Jongsook Lee et al. [12]. Both standards thus let us deal with security requirements throughout the IS development lifecycle, together with the reuse of security requirements that are compatible with the CC Framework subset, so that a security product of high reliability can be developed by conducting a CC-based security development process with the support of SSE-CMM evaluation. Moreover, SREP has been developed taking into account the standard ISO/IEC 17799:2005, so it conforms to the sections of that standard that concern security requirements (sections 0.3, 0.4, 0.6 and 12.1). 
In addition, to support this method and ease the treatment and specification of security requirements, assets, security objectives and threats, we propose the use of several concepts and techniques: a security resources repository (with assets, threats, requirements, etc.), UMLSec [18], misuse cases [19], threat/attack trees and security use cases [7]. These techniques are applied according to the criterion of effectiveness, and they allow us to integrate security aspects into an IS development process from the beginning, for example by expressing security-related information within the diagrams of a UML system specification thanks to UMLSec.
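To make the reuse-based idea concrete, the following Python sketch is an added, illustrative example and not the authors' code or their actual repository. It models a minimal security resources repository that links asset kinds, threats and reusable requirements expressed as CC Part 2 functional components, derives the candidate requirements for a system from its assets, records the threat-to-requirement traceability that a Security Requirements Specification rationale needs, and reports assets that no repository threat covers. The component identifiers (FIA_UAU.2, FAU_GEN.1, ...) are real CC Part 2 components; the threat names, the asset kinds and the mapping from threats to components are assumptions made for this example, not SREP's catalogue.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """A reusable security requirement expressed as a CC Part 2 component."""
    cc_id: str   # real CC Part 2 identifier; the title is the component's name
    title: str


@dataclass(frozen=True)
class Threat:
    name: str
    asset_kinds: frozenset   # kinds of asset this threat endangers
    countered_by: tuple      # Requirement(s) that mitigate it


# Constructed, illustrative repository. The threat names and the mapping of
# threats to CC components are assumptions for this example, not SREP's.
REPOSITORY = (
    Threat("T.MASQUERADE", frozenset({"service"}),
           (Requirement("FIA_UID.2", "User identification before any action"),
            Requirement("FIA_UAU.2", "User authentication before any action"))),
    Threat("T.UNAUTHORISED_ACCESS", frozenset({"data"}),
           (Requirement("FDP_ACC.1", "Subset access control"),)),
    Threat("T.EAVESDROP", frozenset({"channel"}),
           (Requirement("FTP_TRP.1", "Trusted path"),
            Requirement("FCS_COP.1", "Cryptographic operation"))),
    Threat("T.UNDETECTED_MISUSE", frozenset({"service", "data"}),
           (Requirement("FAU_GEN.1", "Audit data generation"),)),
)


def applicable_threats(assets, repo=REPOSITORY):
    """assets: {asset_name: asset_kind}. Threats endangering any listed asset."""
    kinds = set(assets.values())
    return [t for t in repo if t.asset_kinds & kinds]


def derive_requirements(assets, repo=REPOSITORY):
    """Return (sorted CC component ids reused from the repository,
    traceability map cc_id -> [threat names]) for the SRS rationale."""
    trace = {}
    for threat in applicable_threats(assets, repo):
        for req in threat.countered_by:
            trace.setdefault(req.cc_id, []).append(threat.name)
    return sorted(trace), trace


def coverage_gaps(assets, repo=REPOSITORY):
    """Assets whose kind no repository threat covers. Each needs a new threat
    entry (or a justified acceptance) before the specification is complete."""
    covered = set()
    for threat in repo:
        covered |= threat.asset_kinds
    return sorted(name for name, kind in assets.items() if kind not in covered)


if __name__ == "__main__":
    # Constructed sample system: two covered asset kinds and one the
    # repository knows nothing about.
    system = {"PensionRecords": "data",
              "CitizenPortal": "service",
              "ProcessDiagram": "document"}
    ids, trace = derive_requirements(system)
    for cc_id in ids:
        print(cc_id, "<-", ", ".join(trace[cc_id]))
    print("uncovered assets:", coverage_gaps(system))
```

The point of the traceability map is that every reused component can be justified back to a threat, which is what a CC evaluator looks for in a Security Target rationale; the gap report is the check that stops an iteration from closing with an asset that was never analysed.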

To describe our proposal, we rely on the process description patterns used in the Unified Process (UP) [2], since it is a use-case and risk-driven, architecture-centric, iterative and incremental development process framework that leverages the Object Management Group's (OMG) UML and is compliant with the OMG's Software Process Engineering Meta-model (SPEM). Following the UP, the remainder of this article is set out as follows. First, we briefly explain the security standards used by SREP. Section 3 gives an overview of our Security Requirements Engineering Process. Section 4 explains the activities and artifacts of SREP. Section 5 defines the roles that intervene in the process. Section 6 describes the iterations, and Section 7 presents the related work. Lastly, our conclusions and further research are set out in Section 8.


Security standards

There is a large collection of security standards; the most important ones with regard to security requirements, and those that SREP uses, are summarized as follows.

The Common Criteria (CC) [8] is an international standard (ISO/IEC 15408) for computer security. Its purpose is to allow users to specify their security requirements, to allow developers to specify the security attributes of their products, and to allow evaluators to determine if products actually meet their claims. In

A general overview of SREP

The Security Requirements Engineering Process (SREP) is an asset-based and risk-driven method for the establishment of security requirements in the development of secure Information Systems and whose focus seeks to build security concepts at the early phases of the development lifecycle. Basically, this process describes how to integrate the ISO/CC into the software lifecycle model together with the use of a security resources repository to support reuse of security requirements (modelled with

Activities and artifacts

Starting from the concept of iterative software construction of the UP, we will propose a micro-process, made up of nine activities which are repeatedly performed at each iteration throughout the iterative and incremental development, but with different emphasis depending on where the iteration is situated within the lifecycle, and each iteration will generate internal (or external) releases of various artifacts which altogether constitute a baseline. As the Security Requirements Specification

Roles

The roles defined here supplement the usual software engineering roles; the difference is that these roles are specifically focused on security, require special training and are based on [21]. Table 1 shows the participation of each role in each activity of SREP:

  • Business modeller. He/she describes the business processes, the roles involved and the artifacts produced or used in the process. He/she helps develop artifacts in SREP (like misuse cases, etc.) and

Iterations

We propose an iterative and incremental security requirements engineering process in which each iteration coincides with an iteration within a phase of the UP. The UP lifecycle is divided into a sequence of phases, each of which may include many iterations and concludes with a major milestone. This philosophy lets us accommodate changing requirements, facilitates reuse, allows errors to be corrected over several iterations, ensures that risks are discovered and mitigated earlier, and the process

Related work

Extensive work has been carried out on security requirements during the last few years, and several works deal with security requirements at the early stages of the development lifecycle, as SREP does. Next we summarize the proposals closest in topic to ours and, in parallel, explain their relation to SREP.

SQUARE (Security Quality Requirements Engineering Methodology) [15] is a model made up of nine steps in which it is provided a means for

Conclusions and further research

In today's so-called Information Society, the increasingly crucial nature of IS, together with the corresponding growth of new legal and governmental requirements, is obvious. For this reason, ever more sophisticated approaches to ensuring the security of information are becoming a necessity. Information Security is usually tackled only from a technical viewpoint at the implementation stage; although that aspect is important, we believe it is fundamental to deal with security at

Acknowledgments

This article has been produced in the context of the DIMENSIONS (PBC-05-012-2) Project of the Consejería de Ciencia y Tecnología de la Junta de Comunidades de Castilla-La Mancha along with the FEDER and the CALIPO (TIC2003-07804-CO5-03) and RETISTIC (TIC2002-12487-E) projects of the Dirección General de Investigación del Ministerio de Ciencia y Tecnología.



Daniel Mellado holds an MSc in Computer Science from the Autonomous University of Madrid (Spain) and is a PhD student at the Escuela Superior de Informática of the University of Castilla-La Mancha (Spain). He is a civil servant in the Information Technology Centre of the National Social Security Institute (Madrid, Spain), where he works as an IT analyst. His research activities are security requirements engineering, security in information systems and secure software process improvement. He is the author of several papers on security requirements and on the improvement of the secure software development process.

Eduardo Fernández-Medina holds a PhD and an MSc in Computer Science. He is Assistant Professor at the Escuela Superior de Informática of the Universidad de Castilla-La Mancha at Ciudad Real (Spain). His research activities are security requirements, security in databases, data warehouses, web services and information systems, and security metrics. He is the co-editor of several books and book chapters on these subjects and has several dozen papers in national and international conferences. He participates in the ALARCOS research group of the Department of Computer Science at the University of Castilla-La Mancha, in Ciudad Real (Spain). He belongs to various professional and research associations (ATI, AEC, AENOR, IFIP WG11.3, etc.).

Mario Piattini holds an MSc and a PhD in Computer Science from the Polytechnic University of Madrid. He is a Certified Information Systems Auditor (ISACA, Information Systems Audit and Control Association). He is Associate Professor at the Escuela Superior de Informática of the University of Castilla-La Mancha (Spain). He is the author of several books and papers on databases, security, software engineering and information systems. He leads the ALARCOS research group of the Department of Computer Science at the University of Castilla-La Mancha, in Ciudad Real (Spain). His research interests are advanced database design, database quality, software metrics, object-oriented metrics and software maintenance.
