Secure Software & Service Engineering

Security has traditionally been considered once the system is implemented and deployed as an after-the-fact property. This has led to poor security solutions in the form of patches that solve security problems only when a security incident has already happened and caused damage. The area of secure software engineering takes a preventive approach by considering security in every phase of the Software Development Life Cycle (SDLC)[1]. We have approached this area both by spanning the whole SDLC and by focusing on concrete stages.

Regarding works in the first direction, we proposed a complete development process for mobile grid systems that incorporates security in every phase of the SDLC and that includes automated tool support for the tasks involved in each phase[2][3][4]. This work was done under auspices of the FP6 EU project GREDIA, which concentrated on creating services in grid environments where mobile applications came into place. The FP7 project SPIKE also worked towards the creation of collaborative services but using a service bus environment for building alliances among involved entities in the collaboration. We at NICS concentrated in both cases in the security framework for seamless interaction.

Another contribution in this direction is the integration of assurance cases with system development[5][6]. The goal is to map different phases of the SDLC and its artefacts (e.g. use case or component diagrams) into claims about the security of the system, in such a way that any change in the system can predict changes in the evidence or arguments about its security.

On the other hand, we are also concerned about security in concrete phases of the SDLC. During requirements, given that users and developers find easier to express their security needs at high levels of abstractions, we proposed a UML-based framework for integrating security and functional requirements in business processes. This framework includes a translation to a formal notation for consistency checking, validation and verification[7], and was further elaborated in order to include support for authentication and authorization services[8].

We also developed a UML profile for trust and reputation that allows requirements engineers to include trust and reputation considerations right in the beginning of the software specification and design[9]. The idea is that software analysts and requirements engineers can elicit the trust relationships in the system, as well as all the information about them, including how they can evolve over the system lifetime. The profile also provides support for specifying reputation information.

The Future Internet (FI) comprises complex scenarios where systems are composed of heterogeneous devices that interact to provide end-users with services. Research has been framed in this setting within the NESSoS EU project, where we have considered security, and in particular trust and reputation, in different phases of the SDLC. During the requirements engineering phase, trust can be a useful indicator for early threats identification for Socio-Technical Systems (STS). Not only do these systems consider the information systems, but also the relationships between different stakeholders that interact with each other. We proposed a trust model that can be applied onto STSs in order to identify threats (e.g. confidentiality threat to a resource) early in the analysis phase, before the actual design and implementation takes place[10].

Considering how security, and in particular trust and reputation, can be integrated during later phases of the SDLC, including architecture, design and implementation, is a major goal of our research. In this direction, we are building a development framework that assists during the implementation of trust and reputation models onto services and applications[11]. This framework can be useful under multiple settings of the FI, including the Cloud[12] and self-adaptive systems, that is, systems that can change their structure and behaviour at runtime in response to changes in the environment. In the latter, it is of special relevance to analyse how trust can be used to drive the reconfiguration process of the system[13].

For the full list of publications on this area, click here.


  1. W.. Joosen, J. Lopez, F.. Martinelli, and F.. Massacci, "Engineering Secure Future Internet Services",
    Future Internet Assembly 2011: Achievements and Technological Promises (FIA 2011), LNCS 6656, Springer Berlin Heidelberg, pp. 177-191, 2011. More..


          In this paper we analyze the need and the opportunity forestablishing a discipline for engineering secure Future Internet Services,typically based on research in the areas of software engineering, of serviceengineering and security engineering. Generic solutions that ignore thecharacteristics of Future Internet services will fail, yet it seems obviousto build on best practices and results that have emerged from variousresearch communities.The paper sketches various lines of research and strands within each lineto illustrate the needs and to sketch a community wide research plan. Itwill be essential to integrate various activities that need to be addressedin the scope of secure service engineering into comprehensive softwareand service life cycle support. Such a life cycle support must deliverassurance to the stakeholders and enable risk and cost management forthe business stakeholders in particular. The paper should be considereda call for contribution to any researcher in the related sub domains inorder to jointly enable the security and trustworthiness of Future Internetservices.

  2. D. G. Rosado, E. Fernandez-Medina, and J. Lopez, "Security Services Architecture for Secure Mobile Grid Systems",
    Journal of Systems Architecture, vol. 57, Elsevier, pp. 240-258, 2011. (I.F.: 0.444)More..


     Mobile Grid, is a full inheritor of the Grid with the additional feature that it supports mobile users andresources. Security is an important aspect in Grid based systems, and it is more complex to ensure thisin a mobile platform owing to the limitations of resources in these devices. A Grid infrastructure that supportsthe participation of mobile nodes and incorporates security aspects will thus play a significant rolein the development of Grid computing. The idea of developing software through systematic developmentprocesses to improve software quality is not new. However, many information systems such as those ofGrid Computing are still not developed through methodologies which have been adapted to their mostdifferentiating features. The lack of adequate development methods for this kind of systems in whichsecurity is taken into account has encouraged us to build a methodology to develop them, offering adetailed guide for their analysis, design and implementation. It is important to use software V&V techniques,according to IEEE Std. 1012 for Software Verification and Validation, to ensure that a software systemmeets the operational needs of the user. This ensures that the requirements for the system arecorrect, complete, and consistent, and that the life-cycle products correctly design and implement systemrequirements. This paper shows part of a development process that we are elaborating for the constructionof information systems based on Grid Computing, which are highly dependent on mobile devices inwhich security plays a highly important role. In the design activity of the process, we design a securityarchitecture which serves as a reference for any mobile Grid application that we wish to build since thissecurity architecture defines a complete set of security services which will be instantiated depending onthe requirements and features found in previous activities of the process. A V&V task is also defined in thedesign activity to validate and verify both the architecture built and the traceability of the artifacts generatedin this activity. In this paper, we will present the service-oriented security architecture for MobileGrid Systems which considers all possible security services that may be required for any mobile Grid application.

    Impact Factor: 0.444
    Journal Citation Reports® Science Edition (Thomson Reuters, 2011)

  3. D. G. Rosado, E. Fernandez-Medina, J. Lopez, and M. Piattini, "Analysis of Secure Mobile Grid Systems: A Systematic Approach",
    Information and Software Technology, vol. 52, Elsevier, pp. 517-536, May 2010. DOI (I.F.: 1.527)More..


    Developing software through systematic processes is becoming more and more important due to the growing complexity of software development. It is important that the development process used integrates security aspects from the first stages at the same level as other functional and non-functional requirements. Systems which are based on Grid Computing are a kind of systems that have clear differentiating features in which security is a highly important aspect. The Mobile Grid, which is relevant to both Grid and Mobile Computing, is a full inheritor of the Grid with the additional feature that it supports mobile users and resources. A development methodology for Secure Mobile Grid Systems is proposed in which the security aspects are considered from the first stages of the life-cycle and in which the mobile Grid technological environment is always present in each activity. This paper presents the analysis activity, in which the requirements (focusing on the grid, mobile and security requirements) of the system are specified and which is driven by reusable use cases through which the requirements and needs of these systems can be defined. These use cases have been defined through a UML-extension for security use cases and Grid use cases which capture the behaviour of this kind of systems. The analysis activity has been applied to a real case.

    Impact Factor: 1.527
    Journal Citation Reports® Science Edition (Thomson Reuters, 2010)

  4. D. G. Rosado, E. Fernandez-Medina, and J. Lopez, "Obtaining Security Requirements for a Mobile Grid System",
    International Journal of Grid and High Performance Computing, vol. 1, IGI-Global, pp. 1-17, Jan 2009. DOI More..


    Mobile Grid includes the characteristics of the Grid systems together with the peculiarities of Mobile Computing, withthe additional feature of supporting mobile users and resources ina seamless, transparent, secure and efficient way. Security ofthese systems, due to their distributed and open nature, isconsidered a topic of great interest. We are elaborating amethodology of development to build secure mobile grid systemsconsidering security on all life cycle. In this paper we present thepractical results applying our methodology to a real case,specifically we apply the part of security requirements analysis toobtain and identify security requirements of a specific applicationfollowing a set of tasks defined for helping us in the definition,identification and specification of the security requirements onour case study. The methodology will help us to build a securegrid application in a systematic and iterative way.

  5. J. L. Vivas, I. Agudo, and J. Lopez, "A methodology for security assurance-driven system development",
    Requirements Engineering, vol. 16, no. 1, Springer, pp. 55-73, Mar 2011. DOI (I.F.: 0.971)More..


    In this work, we introduce an assurance methodology that integrates assurance case creation with system development. It has been developed in order to provide trust and privacy assurance to the evolving European project PICOS (Privacy and Identity Management for Community Services), an international research project focused on mobile communities and community-supporting services, with special emphasis on aspects such as privacy, trust, and identity management. The leading force behind the approach is the ambition to develop a methodology for building and maintaining security cases throughout the system development life cycle in a typical system engineering effort, when much of the information relevant for assurance is produced and feedback can be provided to system developers. The first results of the application of the methodology to the development of the PICOS platform are presented.

    Impact Factor: 0.971
    Journal Citation Reports® Science Edition (Thomson Reuters, 2011)

  6. A. Acien, A. Nieto, G. Fernandez, and J. Lopez, "A comprehensive methodology for deploying IoT honeypots",
    15th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2018), vol. LNCS 11033, Springer Nature Switzerland AG, pp. 229–243, 09/2018. DOI More..


    Recent news have raised concern regarding the security on the IoT field. Vulnerabilities in devices are arising and honeypots are an excellent way to cope with this problem. In this work, current solutions for honeypots in the IoT context, and other solutions adaptable to it are analyzed in order to set the basis for a methodology that allows deployment of IoT honeypot.

  7. J. L. Vivas, J. A. Montenegro, and J. Lopez, "Towards Business Process-Driven Framework for Security Engineering with the UML",
    6th International Conference on Information Security (ISC’03), LNCS 2851, Springer-Verlag, pp. 381-395, October, 2003. More..


    A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is commonly at the business process level that customers and end users are able to express their security needs. In addition, systems are often developed by automating existing manual business processes. Since many security notions belongs conceptually to the world of business processes, it is natural to try to capture and express them in the context of business models in which moreover customers and end users feel most comfortable. In this paper, based on experience drawn from an ongoing work within the CASENET project \cite{CASENET}, we propose a UML-based business process-driven framework for the development of security-critical systems.

  8. J. Lopez, J. A. Montenegro, J. L. Vivas, E. Okamoto, and E. Dawson, "Specification and Design of Advanced Authentication and Authorization Services",
    Computer Standards & Interfaces, vol. 27, no. 5, Elsevier, pp. 467-478, Jun 2005. DOI (I.F.: 0.62)More..


    A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is common at the business process level that customers and end users are able to express their security needs. Among the security needs of Internet applications, authentication and authorization services are outstanding and, sometimes, privacy becomes a parallel requirement. In this paper, we introduce a methodology for the specification of security requirements and use a case study to apply our solution. We further detail the resulting system after extending it with an Authentication and Authorization Infrastructure.

    Impact Factor: 0.62
    Journal Citation Reports® Science Edition (Thomson Reuters, 2005)

  9. F. Moyano, C. Fernandez-Gago, and J. Lopez, "Towards Engineering Trust-aware Future Internet Systems",
    3rd International Workshop on Information Systems Security Engineering (WISSE 2013), X. Franch, and P. Soffer Eds., LNBIP 148, Springer-Verlag, pp. 490-501, Jun 2013. DOI More..


    Security must be a primary concern when engineering Future Internet (FI) systems and applications. In order to achieve secure solutions, we need to capture security requirements early in the Software Development Life Cycle (SDLC). Whereas the security community has traditionally focused on providing tools and mechanisms to capture and express hard security requirements (e.g. confidentiality), little attention has been paid to other important requirements such as trust and reputation. We argue that these soft security requirements can leverage security in open, distributed, heterogeneous systems and applications and that they must be included in an early phase as part of the development process. In this paper we propose a UML extension for specifying trust and reputation requirements, and we apply it to an eHealth case study.

  10. F. Paci, C. Fernandez-Gago, and F. Moyano, "Detecting Insider Threats: a Trust-Aware Framework",
    8th International Conference on Availability, Reliability and Security, IEEE, pp. 121-130, Nov 2013. DOI More..


    The number of insider threats hitting organizations and big enterprises is rapidly growing. Insider threats occur when trusted employees misuse their permissions on organizational assets. Since insider threats know the organization and its processes, very often they end up undetected. Therefore, there is a pressing need for organizations to adopt preventive mechanisms to defend against insider threats. In this paper, we propose a framework for insiders identification during the early requirement analysis of organizational settings and of its IT systems. The framework supports security engineers in the detection of insider threats and in the prioritization of them based on the risk they represent to the organization. To enable the automatic detection of insider threats, we extend the SI* requirement modeling language with an asset model and a trust model. The asset model allows associating security properties and sensitivity levels to assets. The trust model allows specifying the trust level that a user places in another user with respect to a given permission on an asset. The insider threats identification leverages the trust levels associated with the permissions assigned to users, as well as the sensitivity of the assets to which access is granted. We illustrate the approach based on a patient monitoring scenario.

  11. F. Moyano, C. Fernandez-Gago, and J. Lopez, "Building Trust and Reputation In: A Development Framework for Trust Models Implementation",
    8th International Workshop on Security and Trust Management (STM 2012), A. Jøsang, P. Samarati, and M. Petrocchi Eds., LNCS 7783, Springer, pp. 113-128, 2013. DOI More..


    During the last years, many trust and reputation models have been proposed, each one targeting different contexts and purposes, and with their own particularities. While most contributions focus on defining ever-increasing complex models, little attention has been paid to the process of building these models inside applications during their implementation. The result is that models have traditionally considered as ad-hoc and after-the-fact solutions that do not always fit with the design of the application. To overcome this, we propose an object-oriented development framework onto which it is possible to build applications that require functionalities provided by trust and reputation models. The framework is extensible and flexible enough to allow implementing an important variety of trust models. This paper presents the framework, describes its main components, and gives examples on how to use it in order to implement three different trust models.


  12. F. Moyano, C. Fernandez-Gago, and J. Lopez, "A Framework for Enabling Trust Requirements in Social Cloud Applications",
    Requirements Engineering, vol. 18, issue 4, Springer London, pp. 321-341, Nov 2013. DOI (I.F.: 1.147)More..


    Cloud applications entail the provision of a huge amount of heterogeneous, geographically-distributed resources managed and shared by many different stakeholders who often do not know each other beforehand. This raises numerous security concerns that, if not addressed carefully, might hinder the adoption of this promising computational model. Appropriately dealing with these threats gains special relevance in the social cloud context, where computational resources are provided by the users themselves. We argue that taking trust and reputation requirements into account can leverage security in these scenarios by incorporating the notions of trust relationships and reputation into them. For this reason, we propose a development framework onto which developers can implement trust-aware social cloud applications. Developers can also adapt the framework in order to accommodate their application-specific needs.

    Impact Factor: 1.147
    Journal Citation Reports® Science Edition (Thomson Reuters, 2013)

  13. Citekey moyano13ifiptm not found