A systematic review of security requirements engineering

Service-oriented architecture (SOA) is gaining momentum as an emerging distributed system architecture for business-to-business collaborations. This momentum can be observed in both industry and academic research. SOA presents new challenges and opportunities for testing and verification, leading to an upsurge in research. This paper surveys the previous work undertaken on testing and verification of service-centric systems, which in total are 177 papers, showing the strengths and weaknesses of current strategies and testing tools and identifying issues for future work. Copyright © 2012 John Wiley & Sons, Ltd.

Testing and verification in service-oriented architecture: a survey

Formal verification approaches and standards in the cloud computing

This paper compares six model checkers (ALLOY, CADP, FDR2, NUSMV, PROB, SPIN) for the validation of information system specifications. The same case study (a library system) is specified using each model checker. Fifteen properties of various types are checked using temporal logics (CTL and LTL), first-order logic and failure-divergence (FDR2). Three characteristics are evaluated: ease of specifying information system i) behavior, ii) properties, and iii) the number of IS entity instances that can be checked. The paper then identifies the most suitable features required to validate information systems using a model checker.

http://www.dmi.usherb.ca/~frappier/Papers/ICFEM2010.pdf

Comparison of model checking tools for information systems

Formal verification of complex business processes based on high-level Petri nets

Information systems have to respond well to the changing business environment. Thus, they must have architecture which withstands the change. To design such systems, business process modeling is effective, however, the models include often abstractness and arbitrariness. Therefore, there have been efforts that validate rigorousness of the models. They have defined semantics of the models and applied various logics and formal methods to verification of the rigorousness. This paper focuses on formal verification of the models and surveys the efforts. We also discuss the prospect of the solutions. The establishment of the verification will be surely helpful toward solving the problems on business process reengineering, business process management, service-oriented architecture, and so on.

/pdf/a-survey-of-formal-verification-for-business-process-fe87lcghfh.pdf

A Survey of Formal Verification for Business Process Modeling

This paper proposes a formalization and verification technique for security specifications, based on common criteria. Generally, it is difficult to define reliable security properties that should be applied to validate an information system. Therefore, we have applied security functional requirements that are defined in the ISO/IEC 15408 common criteria to the formal verification of security specifications. We formalized the security criteria of ISO/IEC 15408 and developed a process, using Z notation, for verifying security specifications. We also demonstrate some examples of the verification instances using the theorem prover Z/EVES. In the verification process, one can verify strictly whether specifications satisfy the security criteria defined in ISO/IEC 15408.

Formal verification of security specifications with common criteria

An intrinsic difficulty in ensuring security of information systems is that assailants (crackers) are active persons who can get knowledge and skills day after day and then continuously attack target information systems always with new techniques. Therefore, designers, developers, users, and maintainers of information systems with high security requirements need continuous supports for their tasks to protect the systems from assailants. However, until now, there is no systematic methodology proposed for this purpose. Based on our consideration that the continuous supports for system designers, developers, users, and maintainers only can be provided by a standard, formal, and consistent methodology, this paper proposes the new concept of security engineering environment and presents a real security engineering environment we are developing based on ISO/IEC information security standards in order to provide designers, developers, users, and maintainers with standard, formal, and consistent supports for design, development, operation, and maintenance of information systems with high security requirements.

A Security Engineering Environment Based on ISO/IEC Standards: Providing Standard, Formal, and Consistent Supports for Design, Development, Operation, and Maintenance of Secure Information Systems

Security facilities of information systems with high security requirements should be consistently and continuously developed, used, and maintained based on some common standards of information security. However, there is no engineering environment that can support all tasks in security engineering consistently and continuously. To construct a security engineering environment, a database that can manage all data concerning all tasks in security engineering is indispensable. This paper presents an Information Security Engineering Database System, named "ISEDS," that we are developing based on ISO standards, and shows its some possible applications. ISEDS manages data of ISO standards of information security and various cases of system development and maintenance. We adopted the international standard ISO/IEC 15408 (Common Criteria) for information security evaluation as one of ISO standards to underlie ISEDS, and implemented major functions of ISEDS and its application tools to manage and use data oflSO/IEC 15408. Developers, users, and maintainers can create, correct, and verify specification documents of security facilities with the application tools.

ISEDS: An Information Security Engineering Database System Based on ISO Standards

COBIT is a collection of good practices and processes for IT governance. It provides the effective measures, indicators and activities for enterprise. COBIT has also been applied to the other governance, e. g., software process, security governance, IT service management. However, since COBIT is too general-purpose, it requires deep expert knowledge for the implementation of each application. Although the guideline of security management is also published, its contents are abstract. Therefore, we examined the contents of COBIT and defined a framework which specializes in security engineering from the guideline. This paper presents the framework and its application to information systems development. The framework effectively utilizes the COBIT-based security management and solves various subjects of security in the development.

Shoichi Morimoto

Papers

A Survey of Formal Verification for Business Process Modeling

Formal verification of security specifications with common criteria

A Security Engineering Environment Based on ISO/IEC Standards: Providing Standard, Formal, and Consistent Supports for Design, Development, Operation, and Maintenance of Secure Information Systems

ISEDS: An Information Security Engineering Database System Based on ISO Standards

Application of COBIT to Security Management in Information Systems Development