Conference Publishing Services (CPS) http://www.computer.org/cps

Copyright © 2008 by The Institute of Electrical and Electronics Engineers, Inc.

All rights reserved.

Copyright and Reprint Permissions: Abstracting is permitted with credit to the source. Libraries may photocopy beyond the limits of US copyright law, for private use of patrons, those articles in this volume that carry a code at the bottom of the first page, provided that the per-copy fee indicated in the code is paid through the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923.

Other copying, reprint, or republication requests should be addressed to: IEEE Copyrights Manager, IEEE Service Center, 445 Hoes Lane, P.O. Box 133, Piscataway, NJ 08855-1331.

The papers in this book comprise the proceedings of the meeting mentioned on the cover and title page. They reflect the authors’ opinions and, in the interests of timely dissemination, are published as presented and without change.

Their inclusion in this publication does not necessarily constitute endorsement by the editors, the IEEE Computer Society, or the Institute of Electrical and Electronics Engineers, Inc.

IEEE Computer Society Order Number E3372 BMS Part Number CFP0891B-CDR

ISBN 978-0-7695-3372-8 Library of Congress Number 2008930370

Additional copies may be ordered from:

IEEE Computer Society IEEE Service Center IEEE Computer Society

Customer Service Center 445 Hoes Lane Asia/Pacific Office

10662 Los Vaqueros Circle P.O. Box 1331 Watanabe Bldg., 1-4-2

P.O. Box 3014 Piscataway, NJ 08855-1331 Minami-Aoyama

Los Alamitos, CA 90720-1314 Tel: + 1 732 981 0060 Minato-ku, Tokyo 107-0062

Tel: + 1 800 272 6657 Fax: + 1 732 981 9667 JAPAN

Fax: + 1 714 821 4641 http://shop.ieee.org/store/ Tel: + 81 3 3408 3118 http://computer.org/cspress

[email protected]

[email protected] Fax: + 81 3 3408 3553 [email protected]

Individual paper REPRINTS may be ordered at: <[email protected]>

Editorial production by Patrick Kellenberger Cover art production by Patrick Kellenberger

IEEE Computer Society

Conference Publishing Services (CPS)

http://www.computer.org/cps

Proceedings

The Third International Conference on Software Engineering Advances

ICSEA 2008

Includes

ENTISY 2008: International Workshop on Enterprise Information Systems

26-31 October 2008 Sliema, Malta

Editors Herwig Mannaert

Tadashi Ohta Cosmin Dini Robert Pellerin

Los Alamitos, California Washington

•

Preface

ICSEA 2008

The Third International Conference on Software Engineering Advances (ICSEA 2008), held between October 26 and October 31, 2008 in Sliema, Malta, is a multi-track event covering related topics on designing, implementing, and testing software.

The conference covers fundamentals on designing, implementing, testing, validating and maintaining various kinds of software. The tracks treat the topics from theory to practice, in terms of methodologies, design, implementation, testing, use cases, tools, and lessons learnt. The conference topics cover classical and advanced methodologies, open source, agile software, as well as software deployment and software economics and education.

The conference had the following tracks:

• Advances in fundamentals for software development

• Advanced mechanisms for software development

• Advanced design tools for developing software

• Advanced facilities for accessing software

• Software performance

• Software security, privacy, safeness

• Advances in software testing

• Specialized software advanced applications

• Open source software

• Agile software techniques

• Software deployment and maintenance

• Software economics, adoption, and education

• Improving research productivity ICSEA 2008 also included:

• ENTISY 2008: International Workshop on Enterprise Information Systems

Similar to the previous edition, this event continued to be very competitive in its selection process and very well perceived by the international software engineering community. As such, it is attracting excellent contributions and active participation from all over the world. We were very pleased to receive a large amount of top quality contributions.

We take here the opportunity to warmly thank all the members of the ICSEA 2008 technical program committee as well as the numerous reviewers. The creation of such a broad and high quality conference program would not have been possible without their involvement. We also kindly thank all the authors that dedicated much of their time and efforts to contribute to the ICSEA 2008. We truly believe that thanks to all these efforts, the final conference program consists of top quality contributions.

This event could also not have been a reality without the support of many individuals, organizations and sponsors. We also gratefully thank the members of the ICSEA 2008 organizing committee for their help in handling the logistics and for their work that is making this professional meeting a success.

We hope the ICSEA 2008 was a successful international forum for the exchange of ideas and results between academia and industry and to promote further progress in networking research.

We hope Malta provided a pleasant environment during the conference and everyone saved some time for exploring this historic island.

ICSEA 2008 Chairs

Herwig Mannaert, Universiteit Antwerp, Begium

Tadashi Ohta, Soka University, Tokyo, Japan

Cosmin Dini, Université de Franche-Comté, France

Robert Pellerin, Ecole Polytechnique Montreal, Canada

The Third International Conference on Software

Engineering Advances

ICSEA 2008

Table of Contents

Preface...xii Committees...xiv

ICSEA 1: Applications

Security Requirements Engineering Process for Software Product Lines: A

Case Study ...1 Daniel Mellado, Eduardo Fernández-Medina, and Mario Piattini

The Impact of Decision-Making on Information System Dependability ...7 Heli Tervo, Miia-Maarit Saarelainen, Jarmo J. Ahonen, and Hanna-Miina Sihvonen

High Performance Computing for the Simulation of Cardiac Electrophysiology ...13 Ross McFarlane and Irina V. Biktasheva

The Evaluation of Reliability Based on the Software Architecture in Neural

Networks ...19 Maryam Harirforoush, Mirali Seyyedi, and Nooraldeen Mirzaee

ICSEA 2: Design Tools

Automatic Elicitation of Network Service Specification ...25 M. Ohba, K. Egashira, and T. Ohta

Web Services for Software Development: The Case of a Web Service That

Composes Web Services ...31 Olivia Graciela Fragoso-Diaz, René Santaolaya-Salgado,

and Silvana De Gyves-Avila

Process for Contract Extraction ...37 René Santaolaya-Salgado, Liliana Badillo-Sánchez,

and Olivia Graciela Fragoso-Diaz

Tool Support for the UML Automation Profile - For Domain-Specific Software

Development in Manufacturing ...43 Timo Vepsäläinen, David Hästbacka, and Seppo Kuikka

A UML Based Methodology to Ease the Modeling of a Set of Related Systems ...51 Firas Alhalabi, Mathieu Maranzana, and Jean-Louis Sourrouille

ICSEA 3: Mechanisms I

Analysis of a Distributed e-Voting System Architecture against Quality

of Service Requirements ...58 J. Paul Gibson, Eric Lallet, and Jean-Luc Raffy

Reuse through Requirements Traceability ...65 Rob Pooley and Craig Warren

An Object Memory Management Prototype Based on Mark and Sweep

Algorithm Using Separation of Concerns ...71 Hamid Mcheick, Aymen Sioud, and Joumana Dargham

A Design Methodology of Systolic Architectures Based on a Petri Net Extension. Application to a Stereovision Hardware/Software Processing

Improvement ...77 Alexandre Abellard and Patrick Abellard

Towards a Generic Approach for Model Composition ...83 Adil Anwar, Sophie Ebersold, Mahmoud Nassar, Bernard Coulette,

and Abdelaziz Kriouile

ICSEA 4: Mechanisms II

Can We Transform Requirements into Architecture? ...91 Hermann Kaindl and Jürgen Falb

Application Development over Software-as-a-Service Platforms ...97 Javier Espadas, David Concha, and Arturo Molina

Development of the Tool for Generation of UML Class Diagram

from Two-Hemisphere Model ...105 Oksana Nikiforova and Natalya Pavlova

Using OCR Template Generation and Transformation as Meta-Modeling

Supporting Process ...113 Ignacio González Alonso, M. P. Almudena García Fuente, and J. A. López Brugos

Experience with Model Sharing in Data Mining Environments ...118 Georges Edouard Kouamou and Dieudonné Tchuente

ICSEA 5: Open Source

Development of a Quality Assurance Framework for the Open Source

Development Model ...123 Tobias Otte, Robert Moreton, and Heinz D. Knoell

Inheritance, 'Warnings' and Potential Refactorings: An Empirical Study ...132 E. Nasseri and S. Counsell

Practical Verification of an Embedded Beowulf Architecture Using Standard

Cluster Benchmarks ...140 M. R. Fowler, E. Stipidis, and F. H. Ali

Agent-Based Group Decision Making ...146 Abdelkader Adla

Industrial Application Development with Open Source Approach ...152 Showole Aminat, Suhaimi Ibrahim, and Shamsul Sahibuddin

ICSEA 6: Deployment and Maintenance I

Evaluating SLA Management Process Model within Four Companies ...158 Mira Kajko-Mattsson and Christos Makridis

A Benchmark for Embedded Software Processes Used by Special-Purpose

Machine Manufacturers ...166 Valentin Plenk

Patients and Physicians Interface - Biotelemetric System Architecture ...172 Ondrej Krejcar and Petr Fojcik

DRESREM 2: An Analysis System for Multi-document Software Review Using

Reviewers' Eye Movements ...177 Hidetake Uwano, Akito Monden, and Ken-ichi Matsumoto

Standardization and Agile Business Processes ...184 Jaroslav Král and Michal Žemlička

ICSEA 7: Deployment and Maintenance II

A Case Study on SW Product Line Architecture Evaluation: Experience in

the Consumer Electronics Domain ...192 Kangtae Kim, Hyungrok Kim, Sundeok Kim, and Gihun Chang

Comparative Evaluation of Change Propagation Approaches towards Resilient

Software Evolution ...198 Noraini Ibrahim, Wan M. Nasir Wan Kadir, and Safaai Deris

Analyzing Software Evolvability of an Industrial Automation Control System: A

Case Study ...205 Hongyu Pei Breivold, Ivica Crnkovic, Rikard Land, and Magnus Larsson

The Impact of Test Driven Development on the Evolution of a Reusable

Framework of Components – An Industrial Case Study ...214 Odd Petter N. Slyngstad, Jingyue Li, Reidar Conradi, Harald Ronneberg,

Einar Landre, and Harald Wesenberg

A Cross Platform Development Workflow for C/C++ Applications ...224 Martin Wojtczyk and Alois Knoll

ICSEA 8: Software Testing

Data Flow Testing of SQL-Based Active Database Applications ...230 Plinio S. Leitao-Junior, Plinio R. S. Vilela, and Mario Jino

Application of Clustering Methods for Analysing of TTCN-3 Test Data Quality ...237 Diana Vega, George Din, Stefan Taranu, and Ina Schieferdecker

A Tale of Two Daily Build Projects ...245 Saam Koroorian and Mira Kajko-Mattsson

On the Effectiveness of Manual and Automatic Unit Test Generation ...252 Alberto Bacchelli, Paolo Ciancarini, and Davide Rossi

ICSEA 9: Agile Software Techniques

Using XP in Telecommunication Software Development ...258 Ensar Gul, Taylan Şekerci, Aziz C. Yücetürk, and Ünal Yildirim

Towards a Selection Model for Software Engineering Tools in Small

and Medium Enterprises (SMEs) ...264 Lornel Rivas, María Pérez, Luis E. Mendoza, and Anna Grimán

Analyzing Work Productivity and Program Quality in Collaborative

Programming ...270 Rafael Duque and Crescencio Bravo

Goal Sketching with Activity Diagrams ...277 Kenneth Boness and Rachel Harrison

An Iterative Meta-Lifecycle for Software Development, Evolution

and Maintenance ...284 Claudine Toffolon and Salem Dakhli

ICSEA 10: Software Economics, Adoption, & Education

Using Actor Object Operations Structures to Understand Project Requirements

Complexities ...290 Joseph Kibombo Balikuddembe and Anet E. Potgieter

Interdisciplinary Project-Based Learning in Ergonomics for Software

Engineers: A Case Study ...295 A. Branzan Albu, K. Malakuti, H. Tuokko, W. Lindstrom-Forneri, and K. Kowalski

An Innovative Approach to Teaching an Undergraduate Software Engineering

Course ...301 Cynthia Y. Lester

Do Software Intellectual Property Rights Affect the Performance of Firms?

Case Study of South Korea ...307 Dukrok Suh, Junseok Hwang, and Donghyun Oh

ICSEA 11: Advances in Fundamentals I

Daidalos II: Implementing a Scenario Driven Process ...313 Frances Cleary, Antonio Romero, Juergen Jaehnert, and Yongzheng Liang

A Persistent Object Store as Platform for Integrated Database Programming

and Querying Languages ...319 Markus Kirchberg and Alexei Tretiakov

Model-Driven Development of Human Tasks for Workflows ...329 Stefan Link, Philip Hoyer, Thomas Schuster, and Sebastian Abeck

A Software Machine Analysis and Design Methodology ...336 Arun Mukhija

Alternative/Exceptional Scenario Generation with Differential Scenario ...346 Masayuki Makino and Atsushi Ohnishi

ICSEA 12: Advances in Fundamentals II

Dynamic Software Architectures: Formally Modelling Structure and Behaviour

with Pi-ADL ...352 Flavio Oquendo

Exploring the Concept of Systems Theoretic Stability as a Starting Point for

a Unified Theory on Software Engineering ...360 Herwig Mannaert, Jan Verelst, and Kris Ven

Experiences on Analysis of Requirements Quality ...367 Petra Heck and Päivi Parviainen

Model-Driven Language Engineering: The ASMETA Case Study ...373 Angelo Gargantini, Elvinia Riccobene, and Patrizia Scandurra

Assurance-Driven Design ...379 Jon G. Hall and Lucia Rapanotti

ICSEA 13: Advances in Fundamentals III

Enhanced Approaches in Defect Detection and Prevention Strategies in Small

and Medium Scale Industries ...389 V. Suma and T. R. Gopalakrishnan Nair

Adapting Software Development Process towards the Model Driven

Architecture ...394 Vladimirs Nikulsins and Oksana Nikiforova

Non-functional Requirements to Architectural Concerns: ML and NLP

at Crossroads ...400 Gokhan Gokyer, Semih Cetin, Cevat Sener, and Meltem T. Yondem

A Comparative Evaluation of Using Genetic Programming for Predicting Fault

Count Data ...407 Wasif Afzal and Richard Torkar

A Formal Definition of Complex Software ...415 Marc Aiguier, Pascale Le Gall, and Mbarka Mabrouki

ICSEA 14: Advances in Fundamentals IV

System Design with Object Oriented Petri Nets Formalism ...421 Radek Kočí and Vladimír Janoušek

Integrated Software Architecture Management and Validation ...427 Georg Buchgeher and Rainer Weinreich

A Component Model Family for Vehicular Embedded Systems ...437 Tomáš Bureš, Jan Carlson, Séverine Sentilles, and Aneta Vulgarakis

A SysML Profile for Classical DEVS Simulators ...445 Mara Nikolaidou, Vassilis Dalakas, Loreta Mitsi, George-Dimitrios Kapos,

and Dimosthenis Anagnostopoulos

Advances in Software Design Methods for Concurrent, Real-Time

and Distributed Applications ...451 Hassan Gomaa

ICSEA 15: Advances in Fundamentals V

Impact Analysis from Multiple Perspectives: Evaluation of Traceability

Techniques ...457 Salma Imtiaz, Naveed Ikram, and Saima Imtiaz

An Approach to Addressing Entity Model Variability within Software Product

Lines ...465 Joerg Bartholdt, Roy Oberhauser, and Andreas Rytina

Stakeholder Identification Methods in Software Requirements: Empirical

Findings Derived from a Systematic Review ...472 Carla Pacheco and Ivan Garcia

Incremental Verification of Large ScaleWorkflows Based on Extended

Correctness ...478 Osamu Takaki, Izumi Takeuti, Takahiro Seino, Noriaki Izumi, and Koichi Takahashi

A Comparative Evaluation of State-of-the-Art Approaches for Web Service

Composition ...488 Sayed Gholam Hassan Tabatabaei, Wan Mohd Nasir Wan Kadir,

and Suhaimi Ibrahim

ICSEA 16: ENTISY

Determinants of Advance Planning and Scheduling Systems Adoption ...494 Pierre Hadaya and Robert Pellerin

E-Sales Diffusion in Europe: Quantitative Analysis and Modelling of First

Adoption and Assimilation Processes ...500 Luca Canetta, Naoufel Cheikhrouhou, and Remy Glardon

Simulating the ERP Diffusion Behavior in Industrial Networks ...510 Kim St-Georges, Adnene Hajji, Robert Pellerin, and Ali Gharbi

MOFIS: New Conceptual Modeling Framework for Handling Value Adding

Networks Complexity ...516 Souleiman Naciri, Min-Jung Yoo, and Rémy Glardon

An Exploratory Study of ERP Assimilation in Developing Countries: The Case

of Three Tunisian Companies ...523 Rafa Kouki, Robert Pellerin, and Diane Poulin

Author Index ...531

Security Requirements Engineering Process for Software Product Lines:

A Case Study

Daniel Mellado National Competition Commission, IT Department;

Madrid, Spain

[email protected]

Eduardo Fernández-Medina University of Castilla La- Mancha, Alarcos Research Group, Information Systems

and Technologies Department; Spain.

[email protected]

Mario Piattini University of Castilla La- Mancha, Alarcos Research

Group, Information Systems and Technologies

Department; Spain.

[email protected]

Abstract

The majority of the current product line practices in requirements engineering do not adequately address security requirements engineering despite the fact that security requirements engineering is both a central task and a critical success factor in product line development due to the complexity and extensive nature of product lines. Therefore, our contribution is to present and to demonstrate the applicability of our proposed security quality requirements engineering process (SREPPLine), which is based on a security requirements decision model driven by security standards along with a security variability model. We shall demonstrate our proposal by describing part of a real case study as a preliminary validation of these models. The final aim of this approach is to deal with security requirements variability from the early stages of the product line development in a systematic way, in order to facilitate conformance of the products with the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408.

1. Introduction

In the search for improved software quality and high productivity, software product line (SPL) engineering has proven to be one of the most successful paradigms for developing a diversity of similar software applications and software-intensive systems at low costs, in a short time, and with high quality, by exploiting commonalities and variabilities among

products to achieve high levels of reuse [2, 3].

In software intensive systems, such as SPL, security is a cross-cutting concern and should consequently be subject to careful requirements analysis and decision making. Moreover, in SPL engineering, security is one of the most important attributes with regard to quality, given that a weakness in security may cause problems in all the products in a product line. In addition, many requirements engineering practices must be appropriately tailored to the specific demands of product lines [1]. Hence, specifying requirements for a SPL is a challenging task [12] and specifying security quality requirements for an SPL is even more challenging due to the varying security properties required in different products.

Therefore, the discipline known as Security Requirements Engineering is essential for secure SPL and products development, because it provides techniques, methods, standards and systematic and repeatable procedures for tackling SPL security requirement issues throughout the SPL development lifecycle both to ensure the definition of security quality requirements and to manage the variability of security properties. Nevertheless, software engineering methodologies and standard proposals of SPL engineering have traditionally ignored security requirements and security variability issues. Although some of them include a few security requirements activities, most of them focus only on the design of implementation aspects of SPL development.

The Third International Conference on Software Engineering Advances The Third International Conference on Software Engineering Advances

Fig. 1 Software Product Line Security Requirements Engineering Framework As an evolution of our previous “generic” security

requirements engineering process (SREP) [10], in [11]

we presented the Security quality Requirements Engineering Process for Software Product Lines (SREPPLine) in [11], in which we described the most important tasks of the activities its subprocesses of it (shown in Fig. 1), along with its workflows. In this paper, we shall describe part of a real case study focusing on security requirements artefacts variability for a Public Registry Online Product Line performed at a Spanish Public Institution IT Department as a preliminary validation of the application of SREPPLine. The aim of our approach is to deal with the security requirements artefacts and their variability from the early stages of the SPL development and its products in a systematic way, in order to facilitate the conformance of SPL products to the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 [7] and ISO/IEC 15408 (Common Criteria) [6]. To this end, we will propose a systematic and iterative process based on a security requirements decision model driven by security standards in order to assist in SPL products security certification along with a security variability model to manage the variability and traceability of the security requirements artefacts of the SPL and its products.

The remainder of this paper is structured as follows.

In Section 2, we will outline our Security quality Requirements Engineering Process for software Product Lines (SREPPLine). In Section 3, due to space

restrictions we will only describe part of a real case study of SREPPLine as a preliminary validation of it.

Finally, in Section 4, we will discuss our contributions and future work.

2. SREPPLine: security quality requirements engineering process for software product lines

A software product line is a set of software- intensive systems sharing a common, managed set of features [8] which satisfy the specific needs of a particular market segment or mission and which are developed from a common set of core assets in a prescribed way [3]. The software product line engineering paradigm differentiates two processes:

domain engineering and application engineering [13].

SREPPLine is an add-in of activities, which can be incorporated into an organization’s SPL development process model providing it with a security requirements engineering approach.

It is a security features or security goals based process which is driven by risk and security standards (concretely ISO/IEC 27001 and Common Criteria) and deals with security requirements and their related artefacts from the early stages of SPL development in a systematic and intuitive way especially tailored to SPL based development. It is based on the use of the latest and widely validated security requirements techniques, such as security use cases [4] or misuse cases [14], along with the integration of the Common Criteria

(CC) components and ISO/IEC 27001 controls into the SPL lifecycle in order to facilitate SPL products security certification. Moreover, our proposed process suggests using a method to carry out the risk assessment which conforms to ISO/IEC 13335 [5], and concretely it uses Magerit [9] for both SPL risk assessment and SPL products risk assessment.

Furthermore, SREPPLine has the aim of minimizing the necessary security standards knowledge as well as security expert participation during SPL products development. To this end, it provides a Security Core Assets Repository to facilitate security artefacts reuse and to implement the Security Variability Model and the Security Requirement Decision Model, which assist in the management of the variability and traceability of the security requirements related artefacts of the SPL and its products. These models are the basis through which the activities of SREPPLine capture, represent and share knowledge about security requirements for SPL and help to certify them against security standards. In essence, it is a knowledge repository with a structure to support security requirements reasoning in SPL.

As is described in Fig. 1 our process, which is integrated into the proposed framework for SPL engineering of Pohl et al. in [13], is composed of two subprocesses (shown in Fig.1): Product Line Security Domain Requirements Engineering (PLSecDomReq) subprocess and Product Line Security Application Requirements Engineering (PLSecAppReq) subprocess.

3. SRPEPPLine in practice

We illustrate the SREPPLine applicability in SPL engineering with the Public Registry Online Product Line of a Spanish Public Administration. This SPL may have several different configurations for different public institutions within Spanish Public Administration. It has a common set of system functionality that forms the deliverable core and a variable set of configurable parameters and non functional requirements. Therefore, this Public Registry Online Product Line is an SPL whose members vary through system configuration and online business services and yet retain the same core functionalities.

This example concentrates on the results from the PLSecAppReq (subprocess of SREPPLine) application to application engineering in order to develop a Public Registry Online in a Spanish Public Institution from the Public Registry Online Product Line and it is focused on the security features of the Public Registry Online platform. This example has had to be simplified

and summed up in order to enable points of the model to be easily illustrated in this article.

The Public Registry Online Product Line provides the variability as represented by the variability model in Fig. 2. It offers different variants (V) for the different ‘online requests’ which are the business services offered by the Public Registry Online Product Line, which could be selected by the application stakeholder. During PLSecAppReq activity 1 (“Application Security Variability Management”), the Security Requirements Decision Model together with the Security Variability Model enabled the security requirements engineer to communicate the relevant security related variations points (VP), security related variants and their dependences (security artefacts, security standards and other functional and non-functional requirements) to stakeholders. Once the stakeholders informed the security requirements engineer of their security goals and of the features necessary for the application (or product), the result of this activity was a set of domain security goals and features of the SPL, which did not completely fulfill the stakeholders security goals for the application.

In this example, we selected the security features:

user authenticity and secure submissions. As is shown in Fig. 2, for the variation point ‘user authenticity’

different authenticity methods are selectable from the Public Registry Online Product Line. It offers the security variants: ‘password‘ and ‘electronic certificate’. For the variation point ‘secure submissions’ three security variants are selectable:

‘http’, ‘SSL’ and ‘https’.

In activity 2 of PLSecAppReq (“Application Security Artefacts Instantiation and Sec-Deltas Analysis”) application security artefacts from the set of domain security features obtained in the previous activity were instantiated. Throughout the Security Requirements Decision Model and the Security Variability Model the appropriate security artefacts (that is, the security variants) for the specific application (product) which would as far as possible satisfy the application security goals, were selected.

The result of this activity was a set of security requirements and their related artefacts, which did not completely fulfill the stakeholders’ application requirements. In this example, at the VP ‘secure submissions’ we selected the security variant ’https’

because the stakeholders selected the ‘public view’

variant and due to the security links (or traceability links) established on the Security Requirements Decision Model of the Public Registry Online Product Line. At the VP ‘user authenticity’ we selected the security variant ‘e-certificate’ because the stakeholders

selected the ‘online requests’ feature for the Public Registry Online of the Institution.

In activity 3 “Application Specific Security Artefacts Development” the sec-deltas analysis was performed. The sec-deltas occur when stakeholder security requirements cannot be completely satisfied by security domain requirements artefacts. During the sec-deltas analysis, sec-deltas to the security domain variability model resulting from stakeholders’ security features/goals were analyzed. Due to the particular stakeholders needs for the Public Registry Online of the Institution we had to add one more variant to the

‘online requests’ to allow online requests of ‘retirement pension’. This kind of request necessitated the attachment of documentation. Therefore we identified one sec-delta (depicted as a discontinued line in Fig. 2) because the SPL did not provide any security feature to ensure secure attachments; we therefore added one more security variation point for the ‘file documentation’ to the application variability model, as is shown in Fig. 2. This VP offers the variants: ‘signed file’ and ‘pdf’. Next, the impact of the security variability model sec-deltas on the corresponding security artefacts was analyzed. The results of this analysis were the security application variability model (shown in Fig. 2) along with the security requirements artefacts deltas (assets, threats, etc.).

Finally, these sec-deltas were communicated to the security risk expert who estimated the risks of carrying out or not carrying out the security requirements deltas (activity 4 “Application Risk Assessment”) as shown in Table 1. For example, the estimated security risk for not carrying out the security variant ‘signed files’ was

‘high’ (risk of 4 in a scale of 0 to 5). The first number of each cell in the table is the value of the assets; the second number of each cell is the degradation value of the assets caused by the threat expressed as a percentage; the third value is the accumulated impact to the assets; and the last value is the accumulated risk to the assets, according to Magerit [17] method.

In the “Application Security Requirements Negotiation and Prioritization” activity (activity 5 of PLSecAppReq), after the application risk assessment of the sec-deltas was performed, it was communicated to the security architect and to the security requirements engineer who estimated the realisation effort based on the sec-deltas and their associated risks.

The stakeholders used this estimation to decide whether or not the security requirements deltas should

be carried out and which security standard the application should fulfil. In this example we performed a slight economical analysis by balancing the risk with the economical impact of implementing countermeasures. Thereby we reached an agreement with the stakeholders about taking into account those security requirements associated with those threats that imply high or very high risk (risk of 4 or 5) whatever the conflicts with other requirements. However, for the security requirements with a risk which was lower than high (that is, from 3 to 1, medium to low) we had to reach trade-offs mainly with other non-functional requirements mainly, especially with regard to performance and interface accessibility (as is shown in Fig. 2, the system had to fulfil the WAI, Web Accessibility Initiative, level ‘AA’). As a result of this activity, the application security requirements and the corresponding security requirements artefacts and security application variability model were defined.

Next, in the “Application Security Requirements Specification” activity (activity 6 of PLSecAppReq) the application security artefacts, the sec-deltas and the traces between application security artefacts and the corresponding domain security artefacts were formally specified and documented. Moreover, the security application variability model and the traceability links of the application security artefacts to the application- specific variability model were documented, such as the security requirement specification in XML shown in Fig. 2. The estimated risk and realisation costs were even related to the sec-deltas in order to ensure that decisions about sec-deltas were traceable.

Finally, in activity 7 (“Application Security Requirements Inspection”) the security requirements artefacts variability consistency between the application and domain artefacts of the Public Registry Online Product Line was verified. We also verified whether the security requirements satisfied the stakeholders’ security needs and application security goals, and whether the security requirements conformed to ISO/IEC 27001 control objectives, to Common Criteria assurance requirements and to the IEEE 830-1998 standard.

Fig. 2 Example: Public Registry Online security variability model and security artefacts

Table 1 Part of the risk assessment of the Public Registry Online

4. Conclusions

Security requirements issues are extremely important in SPL because a weakness in security can cause problems throughout the lifecycle of a line.

Although there have been several attempts to fill the gap between requirements engineering and SPL requirements engineering, no systematic approach with which to define security quality requirements and to manage their variability and their related security

artefacts to the models of an SPL is available.

The contribution of this work is that of providing a systematic approach for the management of the security requirements and their variability from the early stages of product line development, in order to facilitate the conformance of the SPL products to the most relevant security standards with regard to the management of security requirements, such as ISO/IEC 27001 and ISO/IEC 15408 (Common Criteria). Our proposal defines a systematic process based on a security requirements decision model driven by

security standards to assist in SPL security requirements definition and to facilitate products security certification. Moreover, a security variability model with which to manage the variability and traceability of the security requirements related artefacts of the SPL and its products is proposed and preliminarily validated in a case study. Consequently, our proposal allows us to make security variants selection in the requirements level instead of in the design level, as well as providing a cross-cutting view of the security variability across all security development artefacts and assisting in maintaining the different views of variable security requirements artefacts consistent.

Finally, further work is also required to refine the prototype of our CARE (Computer Aided Requirements Engineering) tool which we have developed to support SREPPLine and the Security Resources Repository (which was one of the lessons learned in the case study performed at the Spanish Public Administration partially described in this paper), in order to assist in the complex management and maintainability of the variability and traceability relations. Furthermore, we shall carry out a refinement of our approach by proving it with a complete and exhaustive real case study of SREPPLine and its CARE-tool in order to validate and illustrate SREPPLine in far greater depth, with the aim of providing an holistic framework for security requirements engineering in SPL.

5. Acknowledgments

This paper is part of the ESFINGE (TIN2006- 15175-C05-05) and ELEPES (TIN2006-27690-E) projects of the Ministry of Education and Science (Spain), and of the MISTICO (PBC-06-0082) project of the Castilla – La Mancha Regional Government.

8. References

[1] A. Birk and G. Heller, "Challenges for requirements engineering and management in software product line development", International Conference on Requirements Engineering (REFSQ 2007), pp. 300-305, 2007.

[2] J. Bosh, Design & Use of Software Architectures:

Pearson Education Limited, 2000.

[3] P. Clements and L. Northrop, Software Product Lines: Practices and Patterns: Addison-Wesley, 2002.

[4] D. G. Firesmith, "Engineering Security Requirements", Journal of Object Technology, vol. 2, pp. 53-68, 2003.

[5] ISO/IEC, "ISO/IEC 13335 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management", 2004.

[6] ISO/IEC, "ISO/IEC 15408:2005 Information technology - Security techniques - Evaluation criteria for IT security, (Common Criteria v3.0)", 2005.

[7] ISO/IEC, "ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems -- Requirements."

2006.

[8] K. Kang, S. Cohen, J. A. Hess, W. E. Novak, and S. A. Peterson, "Feature-Oriented Domain Analysis (FODA) Feasibility Study": Software Engineering Institute, Carnegie-Mellon University, 1990.

[9] F. López, M. A. Amutio, J. Candau, and J. A.

Mañas, Methodology for Information Systems Risk Analysis and Management: Ministry of Public Administration, 2005.

[10] D. Mellado, E. Fernández-Medina, and M.

Piattini, "Applying a Security Requirements Engineering Process", 11th European Symposium on Research in Computer Security (ESORICS 2006), vol. Springer LNCS 4189, pp. 192-206, 2006.

[11] D. Mellado, E. Fernández-Medina, and M.

Piattini, "Towards security requriements management for software product lines: a security domain requirements engineering process", in Computer Standards & Interfaces, vol. 30, 2008, pp. 361-371.

[12] E. Niemelä and A. Immonen, "Capturing quality requirements of product family architecture", in Information & Software Technology, vol. 49, 2007, pp. 1107-1120.

[13] K. Pohl, G. Böckle, and F. v. d. Linden, Software Product Line Engineering. Foundations, Principles and Techniques. Berlin Heidelberg:

Springer, 2005.

[14] G. Sindre and A. L. Opdahl, "Eliciting security requirements with misuse cases", Requirements Engineering 10, vol. 1, pp. 34-44, 2005.

IEEE Computer Society Conference Publications

Operations Committee ations Committee

CPOC Chair CPOC Chair Chita R. Das Chita R. Das

Professor, Penn State University Professor, Penn State University

Board Members Board Members

Mike Hinchey, Director, Software Engineering Lab, NASA Goddard Mike Hinchey, Director, Software Engineering Lab, NASA Goddard

Paolo Montuschi, Professor, Politecnico di Torino Paolo Montuschi, Professor, Politecnico di Torino Jeffrey Voas, Director, Systems Assurance Technologies, SAIC Jeffrey Voas, Director, Systems Assurance Technologies, SAIC Suzanne A. Wagner, Manager, Conference Business Operations Suzanne A. Wagner, Manager, Conference Business Operations Wenping Wang, Associate Professor, University of Hong Kong Wenping Wang, Associate Professor, University of Hong Kong

IEEE Computer Society Executive Staff IEEE Computer Society Executive Staff

Angela Burgess, Executive Director Angela Burgess, Executive Director Alicia Stickley, Senior Manager, Publishing Services Alicia Stickley, Senior Manager, Publishing Services Thomas Baldwin, Senior Manager, Meetings & Conferences Thomas Baldwin, Senior Manager, Meetings & Conferences

IEEE Computer Society Publications IEEE Computer Society Publications

The world-renowned IEEE Computer Society publishes, promotes, and distributes a wide variety of authoritative computer science and engineering texts. These books are available from most retail outlets. Visit the CS Store at http://www.computer.org/portal/site/store/index.jsp for a list of products.

The world-renowned IEEE Computer Society publishes, promotes, and distributes a wide variety of authoritative computer science and engineering texts. These books are available from most retail outlets. Visit the CS Store at http://www.computer.org/portal/site/store/index.jsp for a list of products.

IEEE Computer Society Conference Publishing Services (CPS) IEEE Computer Society Conference Publishing Services (CPS)

The IEEE Computer Society produces conference publications for more than 250 acclaimed international conferences each year in a variety of formats, including books, CD-ROMs, USB Drives, and on-line publications.

For information about the IEEE Computer Society’s Conference Publishing Services (CPS), please e-mail:

[email protected] or telephone +1-714-821-8380. Fax +1-714-761-1784. Additional information about Conference Publishing Services (CPS) can be accessed from our web site at: http://www.computer.org/cps

IEEE Computer Society / Wiley Partnership

The IEEE Computer Society and Wiley partnership allows the CS Press Authored Book program to produce a number of exciting new titles in areas of computer science and engineering with a special focus on software engineering. IEEE Computer Society members continue to receive a 15% discount on these titles when purchased through Wiley or at: http://wiley.com/ieeecs. To submit questions about the program or send proposals, please e- mail [email protected] or telephone +1-714-816-2112. Additional information regarding the Computer Society’s authored book program can also be accessed from our web site at:

http://www.computer.org/portal/pages/ieeecs/publications/books/about.html

Revised: 21 January 2008

CPS Online is our innovative online collaborative conference publishing system designed to speed the delivery of price quotations and provide conferences with real-time access to all of a project's publication materials during production, including the final papers. The CPS Online workspace gives a conference the opportunity to upload files through any Web browser, check status and scheduling on their project, make changes to the Table of Contents and Front Matter, approve editorial changes and proofs, and communicate with their CPS editor through discussion forums, chat tools, commenting tools and e-mail.

The following is the URL link to the CPS Online Publishing Inquiry Form:

http://www.ieeeconfpublishing.org/cpir/inquiry/cps_inquiry.html