Using Security Patterns to Tailor Software Process - Knowledge ...

Elaborating a methodology for software processes tailoring
is important to ease the tailoring task. The efficiency of the
processes elaborated from the framework will depend of the
rules of association pattern to process areas. An initial
framework has been elaborated from the Rational Unified
Process and activities proposed by the literature; from the
security requirements proposed by the SSE-CMM e by the
ISO/IEC 27001 Standard; and from security patterns described
by Schumacher et al. [4], Rosado [5], Romanosky [7],
Kienzle, among others.
The framework proposes a way to organize different
elements used to elaborate new process. The organization can
define patterns, processes elements and association rules that
are adequate to their reality. The framework can be updated
and must improve with time and as the team gets more
experience. Results of post-mortem analysis of projects can
help in this task.
Future work includes the definition of criterion associated
to the security rules that seek to facilitate the prioritization of
patterns to be applied in determined context and the
experimentation of processes tailored by SMT in real projects.
[12] Fontoura, Lisandra Manzoni; Price, Roberto Tom. Systematic
Approach to Risk Management in Software Projects through
Process Tailoring. In: International Conference on Software
Engineering and Knowledge Engineering (SEKE'2008), 2008,
Redwood City. Proceedings of the 20th International Conference
on Software Engineering and Knowledge Engineering. Skokie:
Knowledge Systems Institute Graduate School.
[13] Fontoura, M. L. “PRiMA: Project Risk Management Approach”.
Tese (Doutorado em Ciência da Computação). Universidade
Federal do Rio Grande do Sul – UFRGS. Porto Alegre, Brazil.
2006.
[14] Shuya, A. “Welcome to the IBM Rational Unified Process and
Certification”. In: IBM Rational Software.
Available at: Acessed jan. de 2010, 2008.
[15] Hartmann, J.; Fontoura, L. M.; Price, R. T. Tailoring Software
Processes with Organizational Patterns Languages using Risk
Analysis.In: Simpósio Brasileiro em Engenharia de Software,
SBES, 19., 2005, Uberlândia.Rio de Janeiro: PUCRJ, 2005.
[16] Yoder, J. and Barcalow J. (1997) “Architectural Patterns for
Enabling Application Security”, In: 4th Conference on Pattern
Languages of Programs. Edinburgh, United Kingdom.
[17] Paes, C. E. B. e Hirata, C. M. 2007. RUP extension for the
development of secure systems. In: Portal ACM, Pontifícia
Universidade Católica de São Paulo - Instituto Tecnológico de
Aeronáutica – São Paulo, Brazil.
ACKNOWLEDGMENT
We want to express our gratitude to CAPES (Coordenação
de Aperfeiçoamento de Pessoal de Nível Superior) for the
financial support and a special gratitude to the organizations
Animati and Elevata and their projects managers Jean Carlo
Albiero Berni and Marcio Puntel for all their feedback and the
very useful scientific discussions.
REFERENCES
[1] Kroll, J., Fontoura M. L., Wagner, R., (2010) “Usando Padrões
para o Desenvolvimento da Gestão da Segurança de Sistemas de
Informação baseado na Norma ISO/IEC 21827:2008”. In:
Simpósio Brasileiro de Sistemas de Informação, Marabá, Pará.
[2] SSE-CMM, 2003, Systems Security Engineering Capability
Maturity Model SSE-CMM Model Description Document, Version
3.0, Carnegie Mellon University, Pennsylvania, USA.
[3] Schumacher, M., Fernandez, E. B., Hybertson, D., Buschmann, F.
and Sommerlad, P.. 2006. Security Patterns, J.Wiley& Sons,
England.
[4] Mellado D., Medina, F. E., Piattini M., 2008 Security Requirements
Variability for Software Product Lines In: IEEE. University of
Castilla La-Mancha – Spain.
[5] Rosado, David G. 2006A Study of Security Architectural Patterns.
In Proceedings of the First International Conference on
Availability, Reliability and Security (ARES’06).
[7] Romanosky, S. (2003) “Operational security patterns”, In:
EuroPLoP.
Available
on accessed in January 2010.
[8] Kienzle, D. M. and Elder, M. C. (2002) “Security Patterns for Web
Application Development”, Final Technical Report, Univ. of
Virginia.
[9] Coplien, James. Sofware Patterns. Originally published by SIGS
Books and Multimedia,1996.
[10] Ambler, S. W. (1998) “An introduction to process patterns”, in
SIGS Books/Cambridge University Press.
[11] Scarfone, K., Souppaya, M., Cody, A. and Orebaugh, A. (2008)
“Technical Guide to Information Security Testing and Assessment:
Recommendations of the National Institute of Standards and
Technology”, National Institute of Standards and Technology
(NIST) Special Publication 800-115.