ABSTRACT
In order to gain their customers' trust, software vendors can certify their products according to security standards, e.g., the Common Criteria (ISO 15408). However, a Common Criteria certification requires a comprehensible documentation of the software product. The creation of this documentation results in high costs in terms of time and money.
We propose a software development process that supports the creation of the required documentation for a Common Criteria certification. Hence, we do not need to create the documentation after the software is built. Furthermore, we propose to use an enhanced version of the requirements-driven software engineering process called ADIT to discover possible problems with the establishment of Common Criteria documents. We aim to detect these issues before the certification process. Thus, we avoid expensive delays of the certification effort. ADIT provides a seamless development approach that allows consistency checks between different kinds of UML models. ADIT also supports traceability from security requirements to design documents. We illustrate our approach with the development of a smart metering gateway system.
- S. Ardi and N. Shahmehri. Introducing vulnerability awareness to common criteria's security targets. In Software Engineering Advances, 2009. ICSEA '09. Fourth International Conference on, pages 419--424, sept. 2009. Google ScholarDigital Library
- A. Bialas. Ontology-based security problem definition and solution for the common criteria compliant development process. In Dependability of Computer Systems, 2009. DepCos-RELCOMEX '09. Fourth International Conference on, pages 3--10, 30 2009-july 2 2009. Google ScholarDigital Library
- A. Bialas. Ontological approach to the it security development. In E. Tkacz and A. Kapczynski, editors, Internet -- Technical Development and Applications, volume 64 of Advances in Intelligent and Soft Computing, pages 261--269. Springer Berlin/Heidelberg, 2009.Google Scholar
- BSI. Protection Profile for the Gateway of a Smart Metering System (Gateway PP). Version 01.01.01(final draft), Bundesamt für Sicherheit in der Informationstechnik (BSI) -Federal Office for Information Security Germany, 2011. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/SmartMeter/PP-SmartMeter.pdf?___blob=publicationFile.Google Scholar
- S.-C. Chang and C.-F. Fan. Construction of an ontology-based common criteria review tool. In Computer Symposium (ICS), 2010 International, pages 907--912, dec. 2010.Google ScholarCross Ref
- D. Coleman, P. Arnold, S. Bodoff, C. Dollin, H. Gilchrist, F. Hayes, and P. Jeremaes. Object-Oriented Development: The Fusion Method. Prentice Hall, 1994. (out of print). Google ScholarDigital Library
- I. Côté. A Systematic Approach to Software Evolution. Deutscher Wissenschafts-Verlag (DWV) Baden-Baden, 2012.Google Scholar
- I. Côté, D. Hatebur, M. Heisel, and H. Schmidt. UML4PF -- a tool for problem-oriented requirements analysis. In Proceedings of the International Conference on Requirements Engineering (RE), pages 349--350. IEEE Computer Society, 2011. Google ScholarDigital Library
- B. Fabian, S. Gürses, M. Heisel, T. Santen, and H. Schmidt. A comparison of security requirements engineering methods. Requirements Engineering -- Special Issue on Security Requirements Engineering, 15(1):7--40, 2010. Google ScholarDigital Library
- D. Hatebur. Pattern and Component-based Development of Dependable Systems. Deutscher Wissenschafts-Verlag (DWV) Baden-Baden, 2012.Google Scholar
- D. Hatebur and M. Heisel. A UML profile for requirements analysis of dependable software. In SAFECOMP, pages 317--331, 2010. Google ScholarDigital Library
- D. Hatebur, M. Heisel, and H. Schmidt. A formal metamodel for problem frames. In Proceedings of the International Conference on Model Driven Engineering Languages and Systems (MODELS), volume 5301, pages 68--82. Springer Berlin/Heidelberg, 2008. Google ScholarDigital Library
- ISO/IEC. Information technology - Security techniques - Information security management systems - Requirements. ISO/IEC 27001, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2005.Google Scholar
- ISO/IEC. Common Criteria for Information Technology Security Evaluation. ISO/IEC 15408, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), 2009.Google Scholar
- M. Jackson. Problem Frames. Analyzing and structuring software development problems. Addison-Wesley, 2001. Google ScholarDigital Library
- D. Mellado, E. Fernandez-Medina, and M. Piattini. A comparison of the common criteria with proposals of information systems security requirements. In Availability, Reliability and Security, 2006. ARES 2006. The First International Conference on, page 8 pp., april 2006. Google ScholarDigital Library
- D. Mellado, E. Fernández-Medina, and M. Piattini. Applying a security requirements engineering process. In D. Gollmann, J. Meier, and A. Sabelfeld, editors, Computer Security -- ESORICS 2006, volume 4189 of Lecture Notes in Computer Science, pages 192--206. Springer Berlin/Heidelberg, 2006. Google ScholarDigital Library
- T. Rottke, D. Hatebur, M. Heisel, and M. Heiner. A problem-oriented approach to common criteria certification. In Proceedings of the 21st International Conference on Computer Safety, Reliability and Security, SAFECOMP '02, pages 334--346, London, UK, UK, 2002. Springer-Verlag. Google ScholarDigital Library
- UML Revision Task Force. OMG Unified Modeling Language (UML), Superstructure. http://www.omg.org/spec/UML/2.3/Superstructure/PDF.Google Scholar
- UML Revision Task Force. OMG Object Constraint Language: Reference, February 2010.Google Scholar
- L. Yin and F.-L. Qiu. A novel method of security requirements development integrated common criteria. In Computer Design and Applications (ICCDA), 2010 International Conference on, volume 5, pages V5--531--V5--535, june 2010.Google ScholarCross Ref
Index Terms
- Common criteria compliant software development (CC-CASD)
Recommendations
Secure systems development based on the common criteria: the PalME project
Security is a very important issue in information processing, especially in open network environments like the Internet. The Common Criteria (CC) is the standard requirements catalogue for the evaluation of security critical systems. Using the CC, a ...
A Problem-Based Threat Analysis in Compliance with Common Criteria
ARES '13: Proceedings of the 2013 International Conference on Availability, Reliability and SecurityIn order to gain their customers' trust, software vendors can certify their products according to security standards, e.g., the Common Criteria (ISO 15408). A Common Criteria certification requires a comprehensible documentation of the software product, ...
A common criteria based security requirements engineering process for the development of secure information systems
In order to develop security critical Information Systems, specifying security quality requirements is vitally important, although it is a very difficult task. Fortunately, there are several security standards, like the Common Criteria (ISO/IEC 15408), ...
Comments