Security Requirements as Code: Example from VeriDevOps Project

Khaled Ismaeel; Alexandr Naumchev; Andrey Sadovykh; Dragos Truscan; Eduard Paul Enoiu; Cristina Seceleanu

doi:10.1109/REW53955.2021.00063

Security Requirements as Code: Example from VeriDevOps Project

Khaled Ismaeel, Alexandr Naumchev, Andrey Sadovykh, Dragos Truscan, Eduard Paul Enoiu, Cristina Seceleanu

Information Technology

Research output: Chapter in Book/Conference proceeding › Published conference proceeding › Scientific › peer-review

4 Citations (Scopus)

148 Downloads (Pure)

Abstract

This position paper presents and illustrates the concept of security requirements as code - a novel approach to security requirements specification. The aspiration to minimize code duplication and maximize its reuse has always been driving the evolution of software development approaches. Object-Oriented programming (OOP) takes these approaches to the state in which the resulting code conceptually maps to the problem that the code is supposed to solve. People nowadays start learning to program in the primary school. On the other hand, requirements engineers still heavily rely on natural language based techniques to specify requirements. The key idea of this paper is: artifacts produced by the requirements process should be treated as input to the regular object-oriented analysis. Therefore, the contribution of this paper is the presentation of the major concepts for the security requirements as the code method that is illustrated with a real industry example from the VeriDevOps project.

Original language	English
Title of host publication	Proceedings - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021
Editors	Tao Yue, Mehdi Mirakhorli
Publisher	IEEE
Pages	357-363
Number of pages	7
ISBN (Electronic)	978-1-6654-1898-0
ISBN (Print)	978-1-6654-1899-7
DOIs	https://doi.org/10.1109/REW53955.2021.00063
Publication status	Published - 2021
MoE publication type	A4 Article in a conference publication
Event	IEEE International Requirements Engineering Conference Workshops - Duration: 20 Sept 2021 → 24 Sept 2021

Conference

Conference	IEEE International Requirements Engineering Conference Workshops
Abbreviated title	REW
Period	20/09/21 → 24/09/21

Funding

This project is supported by end-user companies including Fagor Arrasate (FAGOR). FAGOR produces smart industry equipment that needs to be secured. One of the challenges is that the infrastructure is controlled by Industry PCs (IPCs) to be configured according to the standard guidelines (STIGs). The application of the security policies has to be periodically verified. Thus the guidelines in natural language have to be mapped to specific scripts for configuration and verification. ACKNOWLEDGMENT This work has received funding from Horizon 2020 programme under grant agreement No. 957212 - VeriDevOps project.

Keywords

development
requirements as code
seamless
security
software

Access to Document

10.1109/REW53955.2021.00063

REW2021-SecRecAsCode-cameraReadyAccepted author manuscript, 128 KBLicence: Publisher rights policy

https://urn.fi/URN:NBN:fi-fe202201148549

Cite this

@inproceedings{486143f19c98431cb67fac23fd132c33,

title = "Security Requirements as Code: Example from VeriDevOps Project",

abstract = "This position paper presents and illustrates the concept of security requirements as code - a novel approach to security requirements specification. The aspiration to minimize code duplication and maximize its reuse has always been driving the evolution of software development approaches. Object-Oriented programming (OOP) takes these approaches to the state in which the resulting code conceptually maps to the problem that the code is supposed to solve. People nowadays start learning to program in the primary school. On the other hand, requirements engineers still heavily rely on natural language based techniques to specify requirements. The key idea of this paper is: artifacts produced by the requirements process should be treated as input to the regular object-oriented analysis. Therefore, the contribution of this paper is the presentation of the major concepts for the security requirements as the code method that is illustrated with a real industry example from the VeriDevOps project. ",

keywords = "development, requirements as code, seamless, security, software",

author = "Khaled Ismaeel and Alexandr Naumchev and Andrey Sadovykh and Dragos Truscan and Enoiu, \{Eduard Paul\} and Cristina Seceleanu",

note = "Funding Information: This project is supported by end-user companies including Fagor Arrasate (FAGOR). FAGOR produces smart industry equipment that needs to be secured. One of the challenges is that the infrastructure is controlled by Industry PCs (IPCs) to be configured according to the standard guidelines (STIGs). The application of the security policies has to be periodically verified. Thus the guidelines in natural language have to be mapped to specific scripts for configuration and verification. Funding Information: ACKNOWLEDGMENT This work has received funding from Horizon 2020 programme under grant agreement No. 957212 - VeriDevOps project. Publisher Copyright: {\textcopyright} 2021 IEEE.; IEEE International Requirements Engineering Conference Workshops, REW ; Conference date: 20-09-2021 Through 24-09-2021",

year = "2021",

doi = "10.1109/REW53955.2021.00063",

language = "English",

isbn = "978-1-6654-1899-7",

pages = "357--363",

editor = "Tao Yue and Mehdi Mirakhorli",

booktitle = "Proceedings - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021",

publisher = "IEEE",

address = "United States",

}

Ismaeel, K, Naumchev, A, Sadovykh, A, Truscan, D, Enoiu, EP & Seceleanu, C 2021, Security Requirements as Code: Example from VeriDevOps Project. in T Yue & M Mirakhorli (eds), Proceedings - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021. IEEE, pp. 357-363, IEEE International Requirements Engineering Conference Workshops, 20/09/21. https://doi.org/10.1109/REW53955.2021.00063

Security Requirements as Code: Example from VeriDevOps Project. / Ismaeel, Khaled; Naumchev, Alexandr; Sadovykh, Andrey et al.
Proceedings - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021. ed. / Tao Yue; Mehdi Mirakhorli. IEEE, 2021. p. 357-363.

Research output: Chapter in Book/Conference proceeding › Published conference proceeding › Scientific › peer-review

TY - GEN

T1 - Security Requirements as Code

T2 - IEEE International Requirements Engineering Conference Workshops

AU - Ismaeel, Khaled

AU - Naumchev, Alexandr

AU - Sadovykh, Andrey

AU - Truscan, Dragos

AU - Enoiu, Eduard Paul

AU - Seceleanu, Cristina

N1 - Funding Information: This project is supported by end-user companies including Fagor Arrasate (FAGOR). FAGOR produces smart industry equipment that needs to be secured. One of the challenges is that the infrastructure is controlled by Industry PCs (IPCs) to be configured according to the standard guidelines (STIGs). The application of the security policies has to be periodically verified. Thus the guidelines in natural language have to be mapped to specific scripts for configuration and verification. Funding Information: ACKNOWLEDGMENT This work has received funding from Horizon 2020 programme under grant agreement No. 957212 - VeriDevOps project. Publisher Copyright: © 2021 IEEE.

PY - 2021

Y1 - 2021

N2 - This position paper presents and illustrates the concept of security requirements as code - a novel approach to security requirements specification. The aspiration to minimize code duplication and maximize its reuse has always been driving the evolution of software development approaches. Object-Oriented programming (OOP) takes these approaches to the state in which the resulting code conceptually maps to the problem that the code is supposed to solve. People nowadays start learning to program in the primary school. On the other hand, requirements engineers still heavily rely on natural language based techniques to specify requirements. The key idea of this paper is: artifacts produced by the requirements process should be treated as input to the regular object-oriented analysis. Therefore, the contribution of this paper is the presentation of the major concepts for the security requirements as the code method that is illustrated with a real industry example from the VeriDevOps project.

AB - This position paper presents and illustrates the concept of security requirements as code - a novel approach to security requirements specification. The aspiration to minimize code duplication and maximize its reuse has always been driving the evolution of software development approaches. Object-Oriented programming (OOP) takes these approaches to the state in which the resulting code conceptually maps to the problem that the code is supposed to solve. People nowadays start learning to program in the primary school. On the other hand, requirements engineers still heavily rely on natural language based techniques to specify requirements. The key idea of this paper is: artifacts produced by the requirements process should be treated as input to the regular object-oriented analysis. Therefore, the contribution of this paper is the presentation of the major concepts for the security requirements as the code method that is illustrated with a real industry example from the VeriDevOps project.

KW - development

KW - requirements as code

KW - seamless

KW - security

KW - software

UR - https://www.scopus.com/pages/publications/85118455050

U2 - 10.1109/REW53955.2021.00063

DO - 10.1109/REW53955.2021.00063

M3 - Published conference proceeding

AN - SCOPUS:85118455050

SN - 978-1-6654-1899-7

SP - 357

EP - 363

BT - Proceedings - 29th IEEE International Requirements Engineering Conference Workshops, REW 2021

A2 - Yue, Tao

A2 - Mirakhorli, Mehdi

PB - IEEE

Y2 - 20 September 2021 through 24 September 2021

ER -

Security Requirements as Code: Example from VeriDevOps Project

Abstract

Conference

Funding

Keywords

Access to Document

Other files and links

Fingerprint

VeriDevOps: Automated Protection and Prevention to Meet Security Requirements in DevOps Environments

Cite this

Security Requirements as Code: Example from VeriDevOps Project

Abstract

Conference

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Projects

VeriDevOps: Automated Protection and Prevention to Meet Security Requirements in DevOps Environments

Cite this