Show simple item record

AuthorNhlabatsi, Armstrong
AuthorYu, Yijun
AuthorZisman,
Authorrea
AuthorTun, Thein
AuthorKhan, Niamul
AuthorBandara, Arosha
AuthorKhan, Khaled M.
AuthorNuseibeh, Bashar
Available date2024-04-02T06:04:49Z
Publication Date2015
Publication NameProceedings - 2015 IEEE/ACM 8th International Symposium on Software and Systems Traceability, SST 2015
ResourceScopus
URIhttp://dx.doi.org/10.1109/SST.2015.14
URIhttp://hdl.handle.net/10576/53790
AbstractSecurity control specifications of software systems are designed to meet their security requirements. It is difficult to know both the value of assets and the malicious intention of attackers at design time, hence assumptions about the operational environment often reveal unexpected flaws. To diagnose the causes of violations in security requirements it is necessary to check these design-time assumptions. Otherwise, the system could be vulnerable to potential attacks. Addressing such vulnerabilities requires an explicit understanding of how the security control specifications were defined from the original security requirements. However, assumptions are rarely explicitly documented and monitored during system operation. This paper proposes a systematic approach to monitoring design-time assumptions explicitly as logs, by using trace ability links from requirements to specifications. The work also helps identify which alternative specifications of security control can be used to satisfy a security requirement that has been violated based on the logs. The work is illustrated by an example of an electronic patient record system.
Languageen
PublisherInstitute of Electrical and Electronics Engineers Inc.
SubjectAssumptions
Causal Traceability
Security
TitleManaging Security Control Assumptions Using Causal Traceability
TypeConference Paper
Pagination43-49
dc.accessType Abstract Only


Files in this item

FilesSizeFormatView

There are no files associated with this item.

This item appears in the following Collection(s)

Show simple item record