Context: Modern internet-based services, ranging from food delivery to home care, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces (e.g., mobile and wearable device applications). Since they often handle private information (e.g., location and health status), their security and privacy requirements are of crucial importance. Defining and analyzing those requirements is a significant challenge because of the many types of software components and devices integrated into such software ecosystems. Each software component has peculiarities that often depend on the context and on the devices the component interacts with, and these must be taken into account when dealing with security and privacy requirements.

Objective: In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements in a structured and analyzable form. Our motivation is that, in many contexts, use cases are common practice for the elicitation of functional requirements and should also be adapted for describing security requirements.

Method: We integrate an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template, for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically report inconsistencies among artifacts and between the templates and the specifications.

Results: We successfully applied our approach to an industrial healthcare project and report lessons learned and results from structured interviews with engineers.

Conclusion: Since our approach supports the precise specification and analysis of security threats, threat scenarios, and their mitigations, it also supports decision making and the analysis of compliance with standards.
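As an added illustration of the kind of automated consistency check the Method paragraph describes, the script below cross-checks a flattened misuse case diagram against structured misuse case and mitigation specifications. It is example code written for this page, not the paper's RMCM-V tool or its templates: the block layout, the field names (THREATENS, MITIGATED BY, MITIGATES), the relation names in the diagram, the rule that every flow step starts with "The MALICIOUS USER" or "The system", and the sample specifications are all constructed assumptions for this example.

```python
"""Toy consistency checker: misuse case diagram vs. structured specifications.

Example code added to this page (assumptions: block format, field names and the
actor-first step rule); it is not the paper's RMCM-V tool or its templates.
"""
import re

# Constructed sample: a misuse case diagram flattened to sets and relations.
DIAGRAM = {
    "use_cases": {"Log In", "View Health Record"},
    "misuse_cases": {"Steal Credentials", "Intercept Record"},
    "mitigations": {"Enforce TLS", "Rate-Limit Logins"},
    # (misuse case, use case) and (mitigation, misuse case) pairs
    "threatens": {("Steal Credentials", "Log In"),
                  ("Intercept Record", "View Health Record")},
    "mitigates": {("Rate-Limit Logins", "Steal Credentials"),
                  ("Enforce TLS", "Intercept Record")},
}

# Constructed sample specifications, blank-line separated, assumed template.
SPECS = """
MISUSE CASE: Steal Credentials
THREATENS: Log In
MITIGATED BY: Rate-Limit Logins
BASIC THREAT FLOW:
1. The MALICIOUS USER sends repeated login requests with guessed passwords.
2. The system accepts a guessed password.

MISUSE CASE: Intercept Record
THREATENS: View Health Record
MITIGATED BY: Enforce TLS, Use VPN
BASIC THREAT FLOW:
1. The MALICIOUS USER captures network traffic.
2. Network traffic is decoded.

MITIGATION: Enforce TLS
MITIGATES: Intercept Record
SCHEME:
1. The system rejects plaintext connections.
"""

FIELD_RE = re.compile(r"^([A-Z][A-Z ]+):\s*(.*)$")
STEP_RE = re.compile(r"^\d+\.\s+(.*)$")
# Restricted template rule (assumption): every step names its actor first.
ALLOWED_SUBJECTS = ("The MALICIOUS USER ", "The system ")


def parse_specs(text):
    """Parse blank-line separated blocks into {kind, name, fields, steps}."""
    blocks = []
    for raw in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in raw.splitlines() if ln.strip()]
        kind, name = (s.strip() for s in lines[0].split(":", 1))
        block = {"kind": kind, "name": name, "fields": {}, "steps": []}
        for line in lines[1:]:
            step = STEP_RE.match(line)
            if step:
                block["steps"].append(step.group(1))
                continue
            field = FIELD_RE.match(line)
            if field:
                values = [v.strip() for v in field.group(2).split(",") if v.strip()]
                block["fields"][field.group(1)] = values
        blocks.append(block)
    return blocks


def check_steps(owner, steps):
    """Report flow/scheme steps that violate the actor-first template rule."""
    return [f"'{owner}' step {i} does not name its actor: {s!r}"
            for i, s in enumerate(steps, 1) if not s.startswith(ALLOWED_SUBJECTS)]


def check_consistency(diagram, blocks):
    """Return a list of inconsistencies between diagram and specifications."""
    findings = []
    mc_specs = {b["name"]: b for b in blocks if b["kind"] == "MISUSE CASE"}
    mit_specs = {b["name"]: b for b in blocks if b["kind"] == "MITIGATION"}
    for mc in sorted(diagram["misuse_cases"] - set(mc_specs)):
        findings.append(f"misuse case '{mc}' in diagram has no specification")
    for name in sorted(set(mc_specs) - diagram["misuse_cases"]):
        findings.append(f"misuse case specification '{name}' is not in the diagram")
    for name, spec in mc_specs.items():
        for uc in spec["fields"].get("THREATENS", []):
            if (name, uc) not in diagram["threatens"]:
                findings.append(f"'{name}' threatens '{uc}' in spec but not in diagram")
        for mit in spec["fields"].get("MITIGATED BY", []):
            if mit not in diagram["mitigations"]:
                findings.append(f"'{name}' references unknown mitigation '{mit}'")
            elif (mit, name) not in diagram["mitigates"]:
                findings.append(f"'{mit}' mitigates '{name}' in spec but not in diagram")
        findings += check_steps(name, spec["steps"])
    for mit in sorted(diagram["mitigations"] - set(mit_specs)):
        findings.append(f"mitigation '{mit}' in diagram has no mitigation scheme")
    for name, spec in mit_specs.items():
        for mc in spec["fields"].get("MITIGATES", []):
            if (name, mc) not in diagram["mitigates"]:
                findings.append(f"'{name}' mitigates '{mc}' in spec but not in diagram")
        findings += check_steps(name, spec["steps"])
    return findings


def run_example():
    """Run the checker over the constructed sample and return its findings."""
    return check_consistency(DIAGRAM, parse_specs(SPECS))


if __name__ == "__main__":
    for finding in run_example():
        print("INCONSISTENCY:", finding)
```

On the constructed sample the checker reports three findings: the "Use VPN" mitigation named in a specification but absent from the diagram, a threat-flow step that does not name its actor, and a mitigation present in the diagram ("Rate-Limit Logins") that has no mitigation scheme. Keeping each check as a set or relation difference is what makes the report traceable back to a specific artifact, which is the property a reviewer needs when arguing compliance with a standard.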
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
Disciplines:
Computer science
Author, co-author:
MAI, Xuan Phu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Göknil, Arda ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Shar, Lwin Khin; Nanyang Technological University > School of Computer Science and Engineering
PASTORE, Fabrizio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Shaame, Shaban; Everdream Soft
External co-authors:
yes
Document language:
English
Title:
Modeling Security and Privacy Requirements: a Use Case-Driven Approach