A Framework to Support Alignment of Secure Software Engineering with Legal Regulations

Article English OPEN
Islam, Shareeful ; Mouratidis, Haralambos (2010)
Regulatory compliance is becoming increasingly important for software systems that process and manage sensitive information. Therefore, identifying and analysing relevant legal regulations and aligning them with security requirements is necessary for the effective development of secure software systems. Nevertheless, Secure Software Engineering Modelling Languages (SSEML) use concepts and terminology that differ from those used in the legal domain to describe legal regulations. This situation, together with software developers' typical lack of background knowledge of laws and regulations, creates a challenge for them. In particular, it makes it difficult to perform (i) the elicitation of appropriate security requirements from the relevant laws and regulations; and (ii) the correct tracing of those security requirements throughout the development stages. This paper presents a framework to support the consideration of laws and regulations during the development of secure software systems. In particular, the framework enables software developers (i) to correctly elicit security requirements from the appropriate laws and regulations; and (ii) to trace these requirements throughout the development stages in order to ensure that the design indeed supports the required laws and regulations. Our framework is based on existing work from the area of secure software engineering, and it complements this work with a novel, structured process and a well-defined method. A practical case study is employed to demonstrate the applicability of our work.
