SecVolution - Beyond One-Shot Security

Information systems are exposed to constantly changing environments and therefore require constant updating. Software "ages" not by wearing out, but by failing to keep up with its environment. Security is an increasingly important quality aspect of modern information systems, and at the same time it is particularly affected by this risk of "software ageing". When an information system handles assets of a company or an organization, any security loophole can be exploited by attackers. Advances in attackers' knowledge and technology are part of the environment of a security-relevant information system, so outdated security precautions can permit sudden and substantial losses. Security in long-living information systems therefore requires an on-going and systematic evolution of both the knowledge and the software used to protect them. Our objective is to develop techniques, tools, and processes that support security requirements and design analysis for evolving information systems, in order to ensure "lifelong" compliance with security requirements. We will build on the security requirements and design approach SecReq developed in previous joint work. As a core feature, this approach supports reusing security engineering experience gained during the development of security-critical software and feeding it back into the development process. We will develop heuristic tools and techniques that support the elicitation of relevant changes in the environment. Findings will be formalized for semi-automatic security updates. During the evolution of a long-living information system, changes in the environment will be monitored and translated into adaptations that preserve or restore its security level.

Name: Beyond One-Shot Security: Keeping Information Systems Secure through Environment-Driven Knowledge Evolution (SecVolution)
Funding period: 2012-2015
Website: SecVolution (DFG-SPP 1593)
Contact: Prof. Dr. Jan Jürjens and Prof. Dr. Kurt Schneider

Publications

2015
  • Jens Bürger, Stefan Gärtner, Thomas Ruhroth, Johannes Zweihoff, Jan Jürjens, Kurt Schneider: Restoring Security of Long-Living Systems by Co-Evolution. In: 39th Annual IEEE Computer Software and Applications Conference (COMPSAC 2015), 2015.
  • Stefan Gärtner, Thomas Ruhroth, Jens Bürger, Kurt Schneider, Jan Jürjens: Towards Maintaining Long-Living Information Systems by Incorporating Security Knowledge. In: Fachtagung des GI-Fachbereichs Softwaretechnik, Software Engineering (SE), Dresden, Germany, 2015.

2014
  • Tom-Michael Hesse, Stefan Gärtner, Tobias Röhm, Barbara Paech, Kurt Schneider, Bernd Brügge: Semiautomatic Security Requirements Engineering and Evolution using Decision Documentation, Heuristics, and User Monitoring. In: 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), RE 2014, pages 1-6, 2014.
  • Thomas Ruhroth, Stefan Gärtner, Jens Bürger, Jan Jürjens, Kurt Schneider: Towards Adaptation and Evolution of Domain-specific Knowledge for Maintaining Secure Systems. In: Proceedings of the 15th International Conference on Product Focused Software Process Improvement (PROFES), volume 8892 of LNCS, Springer, 2014.
  • Thomas Ruhroth, Stefan Gärtner, Jens Bürger, Jan Jürjens, Kurt Schneider: Versioning and Evolution Requirements for Model-Based System Development. In: International Workshop on Comparison and Versioning of Software Models (CVSM), 2014.
  • Jens Bürger, Jan Jürjens, Thomas Ruhroth, Stefan Gärtner, Kurt Schneider: Model-based Security Engineering with UML: Managed Co-Evolution of Security Knowledge and Software Models. In: A. Aldini, J. Lopez, F. Martinelli (eds.), Foundations of Security Analysis and Design VII: FOSAD Tutorial Lectures, volume 8604 of Lecture Notes in Computer Science, pages 34-53, 2014.
  • Stefan Gärtner, Svenja Schulz, Kurt Schneider, Steffen Förster: Eliciting Requirements for a Company-wide Data Leakage Prevention System. In: GI-Fachgruppen-Treffen Requirements Engineering, Dortmund, 2014.
  • Stefan Gärtner, Thomas Ruhroth, Jens Bürger, Kurt Schneider, Jan Jürjens: Maintaining Requirements for Long-Living Software Systems by Incorporating Security Knowledge. In: 22nd IEEE International Requirements Engineering Conference (RE), pages 103-112, 2014.
  • Stefan Gärtner, Jens Bürger, Kurt Schneider, Jan Jürjens: Zielgerichtete Anpassung von Software nach der Evolution von kontextspezifischem Wissen. In: 1st Collaborative Workshop on Evolution and Maintenance of Long-Living Systems (EMLS), 2014.

2013
  • Stefan Gärtner, Tom-Michael Hesse, Kurt Schneider, Barbara Paech: Capturing and Documentation of Decisions in Security Requirements Engineering through Heuristics. In: GI-Fachgruppen-Treffen Requirements Engineering, Ilmenau, 2013.

2012
  • Jan Jürjens, Kurt Schneider: On modelling non-functional requirements evolution with UML. In: Modelling and Quality in Requirements Engineering (Essays Dedicated to Martin Glinz on the Occasion of His 60th Birthday), Verlagshaus Monsenstein und Vannerdat, 2012.