6th International Conference on Information Security (ISC’03), LNCS 2851, Springer-Verlag, pp. 381-395, October, 2003. More..
Abstract
A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belongs conceptually to the world of business processes, it is natural to try to capture and express them in the context of business models in which moreover customers and end users feel most comfortable. In this paper, based on experience drawn from an ongoing work within the CASENET project \cite{CASENET}, we propose a UML-based business process-driven framework for the development of security-critical systems.
Computer Standards & Interfaces, vol. 27, no. 5, Elsevier, pp. 467-478, Jun 2005. DOI (I.F.: 0.62)More..
Abstract
A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is common at the business process level that customers and end users are able to express their security needs. Among the security needs of Internet applications, authentication and authorization services are outstanding and, sometimes, privacy becomes a parallel requirement. In this paper, we introduce a methodology for the specification of security requirements and use a case study to apply our solution. We further detail the resulting system after extending it with an Authentication and Authorization Infrastructure.
Computer Standards and Interfaces, vol. 32, no. 5-6, Elsevier, pp. 230-245, Oct 2010. DOI (I.F.: 0.868)More..
Abstract
This paper describes the security framework that is to be developed for the generic grid platform created for the project GREDIA. This platform is composed of several components that need to be secured. The platform uses the OGSA standards, so that the security framework will follow GSI, the portion of Globus that implements security. Thus, we will show the security features that GSI already provides and we will outline which others need to be created or enhanced.
International Conference on Computer Systems and Technologies (CompSysTech09), ACM, pp. 11.7.1-11.7.6, 2009. DOI More..
Abstract
Assurance has been a major topic for critical systems. Assurance is usually associated with safety conditions but has also an important role for checking security requirements. Security is best assured if it is addressed holistically, systematically, and from the very beginning in the software’s development process. We propose to integrate assurance and system development by letting the different stages of the system development life-cycle be mapped to the structure of the assurance case.
Requirements Engineering, vol. 16, no. 1, Springer, pp. 55-73, Mar 2011. DOI (I.F.: 0.971)More..
Abstract
In this work, we introduce an assurance methodology that integrates assurance case creation with system development. It has been developed in order to provide trust and privacy assurance to the evolving European project PICOS (Privacy and Identity Management for Community Services), an international research project focused on mobile communities and community-supporting services, with special emphasis on aspects such as privacy, trust, and identity management. The leading force behind the approach is the ambition to develop a methodology for building and maintaining security cases throughout the system development life cycle in a typical system engineering effort, when much of the information relevant for assurance is produced and feedback can be provided to system developers. The first results of the application of the methodology to the development of the PICOS platform are presented.
7th IFIP Conference on Multimedia and Communications Security (CMS’03), LNCS 2828, Springer-Verlag, pp. 158-171, October, 2003. More..
Abstract
Security services are essential for ensuring secure communications. Typically no consideration is given to security requirements during the initial stages of system development. Security is only added latter as an afterthought in function of other factors such as the environment into which the system is to be inserted, legal requirements, and other kinds of constraints. In this work we introduce a methodology for the specification of security requirements intended to assist developers in the design, analysis, and implementation phases of protocol development. The methodology consists of an extension of the ITU-T standard requirements language MSC and HMSC, called SRSL, defined as a high level language for the specification of security protocols. In order to illustrate it and evaluate its power, we apply the new methodology to a real world example, the integration of an electronic notary system into a web-based multi-users service platform.
IEEE Globecom 2003 - Communications Security Track, IEEE Press, pp. 1506-1510, December, 2003. More..
Abstract
In order to study the security systems, we have developed a methodology for the application to the analysis of cryptographic protocols of the formal analysis techniques commonly used in communication protocols. In particular, we have extended the design and analysis phases with security properties. Our proposal uses a specification notation based on HMSC/MSC, which can be automatically translated into a generic SDL specification.
Security in Distributed, Grid, Mobile, and Pervasive Computing, Y.. Xiao Eds., Auerbach Publications, pp. 255-288, April, 2007. More.. vivas2007.pdf (321.43 KB)