Using Security Patterns to Tailor Software Process - Knowledge ...
Elaborating a methodology for tailoring software processes is important to ease the tailoring task. The efficiency of the processes elaborated from the framework will depend on the rules that associate patterns to process areas. An initial framework has been elaborated from the Rational Unified Process and from activities proposed in the literature; from the security requirements proposed by the SSE-CMM and by the ISO/IEC 27001 standard; and from security patterns described by Schumacher et al. [4], Rosado [5], Romanosky [7], Kienzle, among others.

The framework proposes a way to organize the different elements used to elaborate a new process. The organization can define patterns, process elements and association rules that are adequate to its reality. The framework can be updated and must improve over time, as the team gains experience. Results of post-mortem analyses of projects can help in this task.

Future work includes the definition of criteria associated to the security rules that seek to facilitate the prioritization of the patterns to be applied in a given context, and the experimentation of processes tailored by SMT in real projects.
ACKNOWLEDGMENT

We want to express our gratitude to CAPES (Coordenação de Aperfeiçoamento de Pessoal de Nível Superior) for the financial support, and a special gratitude to the organizations Animati and Elevata and their project managers Jean Carlo Albiero Berni and Marcio Puntel for all their feedback and the very useful scientific discussions.

REFERENCES

[1] Kroll, J., Fontoura, M. L. and Wagner, R. (2010) "Usando Padrões para o Desenvolvimento da Gestão da Segurança de Sistemas de Informação baseado na Norma ISO/IEC 21827:2008". In: Simpósio Brasileiro de Sistemas de Informação, Marabá, Pará.
[2] SSE-CMM (2003) Systems Security Engineering Capability Maturity Model, SSE-CMM Model Description Document, Version 3.0. Carnegie Mellon University, Pennsylvania, USA.
[3] Schumacher, M., Fernandez, E. B., Hybertson, D., Buschmann, F. and Sommerlad, P. (2006) Security Patterns. J. Wiley & Sons, England.
[4] Mellado, D., Medina, F. E. and Piattini, M. (2008) "Security Requirements Variability for Software Product Lines". In: IEEE. University of Castilla-La Mancha, Spain.
[5] Rosado, D. G. (2006) "A Study of Security Architectural Patterns". In: Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06).
[7] Romanosky, S. (2003) "Operational security patterns". In: EuroPLoP. Available online, accessed in January 2010.
[8] Kienzle, D. M. and Elder, M. C. (2002) "Security Patterns for Web Application Development". Final Technical Report, University of Virginia.
[9] Coplien, J. (1996) Software Patterns. Originally published by SIGS Books and Multimedia.
[10] Ambler, S. W. (1998) "An introduction to process patterns". SIGS Books/Cambridge University Press.
[11] Scarfone, K., Souppaya, M., Cody, A. and Orebaugh, A. (2008) "Technical Guide to Information Security Testing and Assessment: Recommendations of the National Institute of Standards and Technology". National Institute of Standards and Technology (NIST) Special Publication 800-115.
[12] Fontoura, L. M. and Price, R. T. (2008) "Systematic Approach to Risk Management in Software Projects through Process Tailoring". In: Proceedings of the 20th International Conference on Software Engineering and Knowledge Engineering (SEKE'2008), Redwood City. Skokie: Knowledge Systems Institute Graduate School.
[13] Fontoura, M. L. (2006) "PRiMA: Project Risk Management Approach". Doctoral thesis in Computer Science, Universidade Federal do Rio Grande do Sul (UFRGS), Porto Alegre, Brazil.
[14] Shuya, A. (2008) "Welcome to the IBM Rational Unified Process and Certification". In: IBM Rational Software. Available online, accessed in January 2010.
[15] Hartmann, J., Fontoura, L. M. and Price, R. T. (2005) "Tailoring Software Processes with Organizational Patterns Languages using Risk Analysis". In: Simpósio Brasileiro em Engenharia de Software (SBES), 19., Uberlândia. Rio de Janeiro: PUCRJ.
[16] Yoder, J. and Barcalow, J. (1997) "Architectural Patterns for Enabling Application Security". In: 4th Conference on Pattern Languages of Programs, Edinburgh, United Kingdom.
[17] Paes, C. E. B. and Hirata, C. M. (2007) "RUP extension for the development of secure systems". In: Portal ACM, Pontifícia Universidade Católica de São Paulo / Instituto Tecnológico de Aeronáutica, São Paulo, Brazil.