Companies and professionals are currently demanding increasingly more specialized profiles, and it is therefore desirable for future graduates to have obtained one or more international professional certificates in computing security and auditing, or at least to have received the preparation required to obtain them. It is therefore of the utmost importance that new studies be focused on professional needs without losing the scientific rigor demanded of engineers. If this objective is to be achieved, it is fundamental that these new study plans be oriented toward facilitating the attainment of these professional certificates. In this paper we establish transversal guidelines for the implementation of content related to computing security in all the subjects, materials and modules of the new degree in Computer Engineering. This will fit perfectly with the material already being taught, will be an enriching element and will allow students to obtain the basic minimum knowledge on security required by any computer engineer from the beginning of their education. The security-related content that is required to be taught during the degree course will additionally be focused on industry and present-day society by means of existing professional security and auditing certificates that will provide future professionals with the knowledge and skills needed as regards security.
Lecture Notes in Business Information Processing, 2015
The emergence of cloud computing as a major trend in the IT industry signifies that corporate users of this paradigm are confronted with the challenge of securing their systems in this new environment. An important aspect of that is the secure migration of an organization's legacy systems, which run in data centers that are completely controlled by the organization, to a cloud infrastructure, which is managed outside the scope of the client's premises and may even be totally offshore. This paper makes two important contributions. Firstly, it presents a process (SMiLe2Cloud) and a framework that supports secure migration of corporate legacy systems to the cloud. We propose a process based on a continuous improvement cycle that starts with a Knowledge Discovery Meta-Model (KDM) set of models from which a security model for legacy system migration to the cloud is derived. Secondly, it provides a set of clauses (derived from the models) for security cloud providers and custom security cloud controls.
ABSTRACT Companies and professionals are demanding increasingly specialized profiles, so it is desirable for future graduates to hold one or more international professional certifications in computer security and auditing, or at least to be well prepared to obtain them. It is therefore very important that the new degree programmes be closely focused on professional needs, without losing the scientific rigour required of an engineering discipline, and to achieve this objective it is essential that these new curricula be oriented so as to bring students closer to professional certifications. In this article we establish a cross-cutting guide for introducing content related to computer security into all the courses, subject areas and modules of the new degree in Computer Engineering, content that fits perfectly with the subjects being taught, serves as an enriching element, and allows students to acquire the minimum basic security knowledge required of any computer engineer from the start of their education. In addition, the security content to be taught in the degree is focused on industry and on present-day society, through the existing professional security and auditing certifications that accredit future professionals' knowledge and skills in the necessary security topics.
David G. Rosado, Universidad de Castilla La Mancha, Spain; L. E. Sánchez, PROMETEO, Escuela Politécnica del Ejército extensión Latacunga (ESPEL), Latacunga (Cotopaxi), Ecuador; Daniel Mellado, Agencia Tributaria, Spain; Eduardo Fernández-Medina, Universidad de Castilla La Mancha, Spain.
I. INTRODUCTION Over the course of the 2009-2010 academic year, the first year of the Degree in Computer Engineering began to be implemented at the Universidad de Castilla-La Mancha.
The details of the degree, which has been adapted to the European Higher Education Area (EHEA) [1, 2], are set out in a Degree Report (Memoria de Grado), which among other things provides information on its organization into modules, which in turn contain subject areas, which are made up of courses defined in terms of general descriptors, based on the recommendations of the main international curricula [3-9]. For these courses, information is also included on the competences they address, teaching practices, assessment methods, etc., and in any case the work of defining their contents in detail is left for the time when the courses are implemented. Among all the courses defined in the degree, several are devoted exclusively to security and auditing, and others implicitly define security aspects, either in the competences to be attained or in the descriptors to be developed. Either way, the security and auditing content of all these courses must be detailed so that it matches their competences and descriptors in a coordinated manner and comes as close as possible to the needs that society demands through the main professional security and auditing certifications [10-12].
The security and auditing content within the degree in Computer Engineering must be perfectly integrated and organized so that it forms a progression of knowledge as students advance through the degree, has a direct relationship between its parts, is aligned with the competences and objectives of the courses, and is oriented toward the needs most in demand by society [13, 14]. International professional certifications are an excellent resource for gauging the existing market demand for security and auditing professionals [15-17]. These certifications define specialized security and auditing content that we can incorporate into the degree by adjusting and adapting it to the competences, descriptors and objectives of each course. With this work we therefore aim to define the contents, competences, objectives, teaching practices, etc. of each course in which security and auditing topics described in the degree's curriculum are defined implicitly or explicitly, trying to bring that content as close as possible to the contents and competences defined in the main professional security and auditing certifications, so that there is a relationship between the security content of the degree and the security content required by the professional certifications that reflect the needs of the market. This must be done without unduly constraining the implementation of the degree, but in a way that favours an approach to these certifications, both so that the student has a better…
Information Systems Security is one of the most pressing challenges confronting all kinds of present-day organizations. Although many companies have discovered how critical information is to the success of their business or operations, very few have managed to be effective in maintaining their information secure, avoiding unauthorized access, preventing intrusions, stopping secret information disclosure, etc. Security is currently a widespread and growing concern that affects all areas of society: business, domestic, financial, government, and so on. In fact, the so-called information society is increasingly dependent on a wide range of software systems whose mission is critical, such as air traffic control systems, financial systems, or public health systems. The potential losses that are confronted by businesses and organizations that rely on all these hardware and software systems have therefore led to a situation in which it is crucial for information systems to be properly secured from the outset.
Jornadas de Ingeniería del Software y Bases de Datos, 2006
The method of manufacturing metal oxide varistors wherein pressed blocks of selected mixtures of metal oxide powders and additives are joined to form a single varistor unit by vertically stacking and firing the blocks at a high temperature. Sintering of these stacked blocks during the firing cycle results in a strong mechanical and electrical bond between the adjacent blocks in the stack.
Nowadays, security solutions are focused mainly on providing security defences, instead of solving one of the main reasons for security problems, namely appropriate information systems (IS) design. Fortunately there are several standards, like the Common Criteria, which help to deal with the security requirements along all the IS development cycle. In this paper a comparative analysis of eight
The concepts of Service-Oriented Architectures and Software Product Lines are currently being paid a considerable amount of attention, both in research and in practice. Both disciplines promise to make the development of flexible, cost-effective software systems possible and to support high levels of reuse, and may sometimes be complementary to each other. In both paradigms, security is a critical issue, although most of the existing product line practices do not comprise all the security requirements engineering activities or provide automated support through which to perform these activities, despite the fact that it is widely accepted that the application of any requirements engineering process or methodology is much more difficult without a CARE (Computer-Aided Requirements Engineering) tool, since it must be performed manually. Therefore, this chapter shall present a tool denominated as SREPPLineTool, which provides automated support through which to facilitate the application of the security quality requirements engineering process for software product lines, SREPPLine. SREPPLineTool simplifies the management of security requirements in product lines by providing us with a guided, systematic and intuitive manner in which to deal with them from the early stages of product line development, thus
Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, 2010
ABSTRACT A lack of security metrics signifies that it is not possible to measure the success of security policies, mechanisms and implementations, and security cannot, in turn, be improved if it cannot be measured. The importance of the use of metrics to obtain security quality is thus widely accepted. However, the definition of security metrics concerns a discipline which is still in its first stages of development, meaning that few documented resources or works centring on this subject exist to date. In this paper we shall therefore study the latest existing models with which to define security metrics and their components as aspects that have a bearing on the quality of software products with the intention that this will serve as a basis for continued advancement in research into this area of knowledge.
Cloud computing is a new paradigm that combines several computing concepts and technologies of the Internet creating a platform for more agile and cost-effective business applications and IT infrastructure. The adoption of Cloud computing has been increasing for some time and the maturity of the market is steadily growing. Security is the question most consistently raised as consumers look to move their data and applications to the cloud. We justify the importance and motivation of security in the migration of legacy systems and we carry out an analysis of different approaches related to security in migration processes to cloud with the aim of finding the needs, concerns, requirements, aspects, opportunities and benefits of security in the migration process of legacy systems.
2008 Third International Conference on Availability, Reliability and Security, 2008
Software product line engineering has proven to be one of the most successful paradigms for developing a diversity of similar software applications and software-intensive systems at low costs, in short time, and with high quality, by exploiting commonalities and variabilities among products to achieve high levels of reuse. At the same time, due to the complexity and extensive nature of
Abstract-Security requirements for information systems are becoming increasingly complex owing to their degree of proliferation, diversification and connectivity, which makes securing them very difficult, since without a systematic process or methodology security requirements tend to be added late in the development process or to be grouped separately from the functional design. This article shows, through a real case study, how security requirements can be handled in a guided, systematic and intuitive way, in parallel with the other types of requirements and from the earliest phases of software development, by applying the security requirements engineering process that we have developed, SREP (Security Requirements Engineering Process), which is based fundamentally on integrating the Common Criteria into the software development process and on the use of a security resources repository.
Security and requirements engineering are two of the most important factors of success in the development of a software product line (SPL) due to the complexity and extensive nature of them, given that a weakness in security can cause problems throughout the products of a product line. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, goal-driven security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing the "SecureTropos-SPL" framework, an extension to Secure Tropos to support SPL security requirements engineering which is based on security goals and driven by security risks.
A common criteria based security requirements engineering process for the development of secure information systems
One of the most important aspects in the achievement of secure software systems in the software development process is what is known as Security Requirements Engineering. However, very few reviews focus on this theme in a systematic, thorough and unbiased manner, that is, none of them perform a systematic review of security requirements engineering, and there is not, therefore, a sufficiently good context in which to operate. In this paper we carry out a systematic review of the existing literature concerning security requirements engineering in order to summarize the evidence regarding this issue and to provide a framework/background in which to appropriately position new research activities.
Daniel Mellado, Centro Informático del Instituto Nacional de la Seguridad Social, Gerencia de Informática de la Seguridad Social, Ministerio de Trabajo y Asuntos Sociales, Madrid, Spain; Eduardo Fernández-Medina, Grupo ALARCOS, Departamento de Tecnologías y Sistemas de Información, Universidad de Castilla-La Mancha, Paseo de la Universidad 4, 13071 Ciudad Real, Spain; Mario Piattini, Grupo ALARCOS, Departamento de Tecnologías y Sistemas de Información, Universidad de Castilla-La Mancha, Paseo de la Universidad 4, 13071 Ciudad Real, Spain.
Abstract. Both security and requirements engineering are key factors for success in the development of a software product line, because the complex structure of dependencies between the features of the product line and of each ...
Companies and professionals are currently demanding increasingly more specialized profiles, and i... more Companies and professionals are currently demanding increasingly more specialized profiles, and it is therefore desirable for future graduates to have obtained one or more international professional certificates in computing security and auditing, or to at least to have received the preparation required to obtain them. It is therefore of the utmost importance that new studies be focused on professional needs without losing the scientific rigor demanded in engineers. If this objective is to be achieved, it is fundamental that these new study plans be oriented toward facilitating the attainment of these professional certificates. In this paper we establish transversal guidelines for the implementation of content related to computing security in all the subjects, materials and modules of the new degree in Computer Engineering. This will fit perfectly with the material already being taught, will be an enriching element and will allow students to obtain the basic minimum knowledge on security required by any computer engineer from the beginning of their education. The security-related content that is required to be taught during the degree course will additionally be focused on industry and presentday society by means of existing professional security and auditing certificates that will provide future professionals with the knowledge and skills needed as regards security.
Lecture Notes in Business Information Processing, 2015
The emergence of cloud computing as a major trend in the IT industry signifies that corporate use... more The emergence of cloud computing as a major trend in the IT industry signifies that corporate users of this paradigm are confronted with the challenge of securing their systems in this new environment. An important aspect of that, includes the secure migration of an organization's legacy systems, which run in data centers that are completely controlled by the organization, to a cloud infrastructure, which is managed outside the scope of the client's premises and may even be totally offshore. This paper makes two important contributions. Firstly, it presents a process (SMiLe2Cloud) and a framework that supports secure migration of corporate legacy systems to the cloud. We propose a process based on a continuous improvement cycle that starts with a Knowledge Discovery Meta-Model (KDM) set of models from which a security model for legacy system migration to the cloud is derived. Secondly, it provides a set of clauses (derived from the models) for security cloud providers and custom security cloud controls.
ABSTRACT Las empresas y los profesionales están demandando perfiles cada vez más especializados, ... more ABSTRACT Las empresas y los profesionales están demandando perfiles cada vez más especializados, por lo que es deseable que los futuros graduados cuenten con una o varias certificaciones profesionales internacionales en seguridad y auditoría informática, o al menos que tengan el camino preparado para conseguirlas. Por lo tanto es muy importante que los nuevos estudios estén muy enfocados a las necesidades profesionales, sin perder el rigor científico exigible en una ingeniería, y para conseguir este objetivo es fundamental que estos nuevos planes de estudio tengan una orientación que facilite el acercamiento hacia las certificaciones profesionales. En este artículo establecemos una guía transversal para la implantación de contenidos relacionados con la seguridad informática en todas las asignaturas, materias y módulos del nuevo grado de Ingeniería Informática, que encajen perfectamente con las materias que se cursan, que sirvan de elemento enriquecedor y que sirva a los alumnos para adquirir los conocimientos básicos de seguridad mínimos que a cualquier ingeniero informático se le exige desde el principio de su formación. Además, esos contenidos de seguridad que se deben cursar en el grado están enfocados en la industria y en la sociedad actual, a través de las certificaciones profesionales en seguridad y auditoría existentes que acreditan a los futuros profesionales de los conocimientos y habilidades en temas de seguridad necesarios. I. INTRODUCCION lo largo del curso 2009-2010 se empezó a implantar el primer curso del Grado en Ingeniería Informática en la Universidad de Castilla-La Mancha. 
Los detalles del grado, que ha sido adaptado al Espacio Europeo de Educación Superior (EEES) [1, 2], se recogen en una Memoria de Grado, que entre otras cosas ofrece información sobre su organización en módulos, que a su vez contiene materias, y que éstas están formadas por asignaturas, que son definidas en términos de unos descriptores generales, basándose en las recomendaciones de los principales currículos internacionales [3-9]. Para estas asignaturas, se incluye también información sobre las competencias a las que da cuenta, las prácticas David G. Rosado, Universidad de Castilla La Mancha, Spain, [email protected] L. E. Sánchez, PROMETEO, Escuela Politécnica del Ejército extensión Latacunga (ESPEL), Latacunga (Cotopaxi), Ecuador, [email protected] Daniel Mellado, Agencia Tributaria, Spain, [email protected] Eduardo Fernández-Medina, Universidad de Castilla La Mancha, Spain, [email protected] docentes, métodos de evaluación, etc., y en todo caso, queda para el momento de la implantación de las asignaturas, el trabajo de definir detalladamente los contenidos de las mismas. De entre todas las asignaturas definidas en el grado, hay varias dedicadas exclusivamente a seguridad y auditoría, y hay otras asignaturas que definen implícitamente aspectos de seguridad ya sea en las competencias a alcanzar o en los descriptores a desarrollar. De cualquiera de las maneras, hay que detallar el contenido de seguridad y auditoría de todas estas asignaturas que se ajusten a sus competencias y descriptores de forma coordinada, y que se acerquen lo máximo posible a las necesidades que demanda la sociedad a través de las principales certificaciones profesionales de seguridad y auditoría [10-12]. 
Los contenidos de seguridad y auditoría dentro del grado en Ingeniería Informática deben estar perfectamente acoplados y organizados de forma que sea una progresión de conocimientos conforme se vaya avanzando en el grado, tengan una relación directa entre contenidos, estén ajustados a las competencias y objetivos de las asignaturas y estén orientados a las necesidades más demandadas por la sociedad [13, 14]. Las certificaciones profesionales internacionales son un excelente recurso para medir la demanda existente de profesionales en seguridad y auditoría que el mercado requiere [15-17]. Estas certificaciones definen un contenido especializado en seguridad y auditoría que podemos utilizar para incorporarlos en el grado ajustándolos y adaptándolos a las competencias, descriptores y objetivos de cada asignatura del grado. Por lo tanto, con este trabajo pretendemos definir los contenidos, competencias, objetivos, prácticas docentes, etc. de cada asignatura donde se definan implícita o explícitamente temas de seguridad y auditoría descritos en el plan de estudios del grado, intentando que ese contenido se acerque lo máximo posible a los contenidos y competencias definidas en las principales certificaciones profesionales en seguridad y auditoría, de forma que haya una relación entre los contenidos de seguridad del grado y los contenidos de seguridad exigidos por las certificaciones profesionales que marcan las necesidades del mercado. Esto se debe hacer sin condicionar excesivamente la implantación del grado, pero de modo que se favorezca un acercamiento a estas certificaciones, tanto para que el alumno tenga una mejor…
Information Systems Security is one of the most pressing challenges confronting all kinds of pres... more Information Systems Security is one of the most pressing challenges confronting all kinds of present-day organizations. Although many companies have discovered how critical information is to the success of their business or operations, very few have managed to be effective in maintaining their information secure, avoiding unauthorized access, preventing intrusions, stopping secret information disclosure, etc. Security is currently a widespread and growing concern that affects all areas of society: business, domestic, financial, government, and so on. In fact, the so-called information society is increasingly dependent on a wide range of software systems whose mission is critical, such as air traffic control systems, financial systems, or public health systems. The potential losses that are confronted by businesses and organizations that rely on all these hardware and software systems have therefore led to a situation in which it is crucial for information systems to be properly secured from the outset.
Jornadas de Ingeniería del Software y Bases de Datos, 2006
The method of manufacturing metal oxide varistors wherein pressed blocks of selected mixtures of ... more The method of manufacturing metal oxide varistors wherein pressed blocks of selected mixtures of metal oxide powders and additives are joined to form a single varistor unit by vertically stacking and firing the blocks at a high temperature. Sintering of these stacked blocks during the firing cycle results in a strong mechanical and electrical bond between the adjacent blocks in the stack.
Nowadays, security solutions are focused mainly on providing security defences; instead of solvin... more Nowadays, security solutions are focused mainly on providing security defences; instead of solving one of the main reasons for security problems that refers to appropriate information systems (IS) design. Fortunately there are several standards, like the Common Criteria, which help to deal with the security requirements along all the IS development cycle. In this paper a comparative analysis of eight
The concepts of Service-Oriented Architectures and Software Product Lines are currently being pai... more The concepts of Service-Oriented Architectures and Software Product Lines are currently being paid a considerable amount of attention, both in research and in practice. Both disciplines promise to make the development of flexible, cost-effective software systems possible and to support high levels of reuse, and may sometimes be complementary to each other. In both paradigms, security is a critical issue, although most of the existing product line practices do not comprise all the security requirements engineering activities or provide automated support through which to perform these activities, despite the fact that it is widely accepted that the application of any requirements engineering process or methodology is much more difficult without a CARE (Computer-Aided Requirements Engineering) tool, since it must be performed manually. Therefore, this chapter shall present a tool denominated as SREPPLineTool, which provides automated support through which to facilitate the application of the security quality requirements engineering process for software product lines, SREPPLine. SREPPLineTool simplifies the management of security requirements in product lines by providing us with a guided, systematic and intuitive manner in which to deal with them from the early stages of product line development, thus
Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, 2010
ABSTRACT A lack of security metrics signifies that it is not possible to measure the success of s... more ABSTRACT A lack of security metrics signifies that it is not possible to measure the success of security policies, mechanisms and implementations, and security cannot, in turn, be improved if it cannot be measured. The importance of the use of metrics to obtain security quality is thus widely accepted. However, the definition of security metrics concerns a discipline which is still in its first stages of development, meaning that few documented resources or works centring on this subject exist to date. In this paper we shall therefore study the latest existing models with which to define security metrics and their components as aspects that have a bearing on the quality of software products with the intention that this will serve as a basis for continued advancement in research into this area of knowledge.
Cloud computing is a new paradigm that combines several computing concepts and technologies of th... more Cloud computing is a new paradigm that combines several computing concepts and technologies of the Internet creating a platform for more agile and cost-effective business applications and IT infrastructure. The adoption of Cloud computing has been increasing for some time and the maturity of the market is steadily growing. Security is the question most consistently raised as consumers look to move their data and applications to the cloud. We justify the importance and motivation of security in the migration of legacy systems and we carry out an analysis of different approaches related to security in migration processes to cloud with the aim of finding the needs, concerns, requirements, aspects, opportunities and benefits of security in the migration process of legacy systems.
2008 Third International Conference on Availability, Reliability and Security, 2008
Software product line engineering has proven to be one of the most successful paradigms for developing a diversity of similar software applications and software-intensive systems at low costs, in short time, and with high quality, by exploiting commonalities and variabilities among products to achieve high levels of reuse. At the same time, due to the complexity and extensive nature of
Abstract-Security requirements for information systems are becoming increasingly complex owing to their degree of proliferation, diversification and connectivity, which makes securing them very difficult, since without a systematic process or methodology security requirements tend to be added late in the development process or grouped separately from the functional design. This article shows, through a real case study, how security requirements can be handled in a guided, systematic and intuitive way, in parallel with the other types of requirements and from the earliest phases of software development, by applying the security requirements engineering process that we have developed, SREP (Security Requirements Engineering Process), which is based fundamentally on integrating the Common Criteria into the software development process and on using a repository of security resources.
Security and requirements engineering are two of the most important factors of success in the development of a software product line (SPL) due to the complexity and extensive nature of them, given that a weakness in security can cause problems throughout the products of a product line. Goal-driven security requirements engineering approaches, such as Secure Tropos, have been proposed in the literature as a suitable paradigm for elicitation of security requirements and their analysis on both a social and a technical dimension. Nevertheless, on one hand, goal-driven security requirements engineering methodologies are not appropriately tailored to the specific demands of SPL, while on the other hand specific proposals of SPL engineering have traditionally ignored security requirements. This paper presents work that fills this gap by proposing "SecureTropos-SPL" framework, an extension to Secure Tropos to support SPL security requirements engineering which is based on security goals and driven by security risks.
This article was originally published in a journal published by Elsevier, and the attached copy is provided by Elsevier for the author's benefit and for the benefit of the author's institution, for non-commercial research and educational use including without limitation use in instruction at your institution, sending it to specific colleagues that you know, and providing a copy to your institution's administrator. All other uses, reproduction and distribution, including without limitation commercial reprints, selling or licensing copies or access, or posting on open internet sites, your personal or institution's website or repository, are prohibited. For exceptions, permission may be sought for such use through Elsevier's permissions site at: http://www.elsevier.com/locate/permissionusematerial Author's personal copy
A common criteria based security requirements engineering process for the development of secure information systems
One of the most important aspects in the achievement of secure software systems in the software development process is what is known as Security Requirements Engineering. However, very few reviews focus on this theme in a systematic, thorough and unbiased manner, that is, none of them perform a systematic review of security requirements engineering, and there is not, therefore, a sufficiently good context in which to operate. In this paper we carry out a systematic review of the existing literature concerning security requirements engineering in order to summarize the evidence regarding this issue and to provide a framework/background in which to appropriately position new research activities.
Daniel Mellado, Centro Informático del Instituto Nacional de la Seguridad Social, Gerencia de Informática de la Seguridad Social, Ministerio de Trabajo y Asuntos Sociales, Madrid, España; Eduardo Fernández-Medina, Grupo ALARCOS, Departamento de Tecnologías y Sistemas de Información, Universidad de Castilla-La Mancha, Paseo de la Universidad 4, 13071 Ciudad Real, España; Mario Piattini, Grupo ALARCOS, Departamento de Tecnologías y Sistemas de Información, Universidad de Castilla-La Mancha, Paseo de la Universidad 4, 13071 Ciudad Real, España
Abstract. Both security and requirements engineering are key factors for success in the development of a software product line, because the complex structure of dependencies between the features of the product line and of each ...
Papers by daniel mellado