Evolution of Security Engineering Artifacts: A State of the Art Survey

Authors: Michael Felderer, Basel Katt, Philipp Kalb, Jan Jürjens, Martín Ochoa, Federica Paci, Le Minh Sang Tran, Thein Than Tun, Koen Yskout, Riccardo Scandariato, Frank Piessens, Dries Vanoverberghe, Elizabeta Fourneret, Matthias Gander, Bjørnar Solhaug, Ruth Breu
Journal: Int. J. Secur. Softw. Eng.
Security is an important quality aspect of modern open software systems. However, it is challenging to keep such systems secure because of evolution. Security evolution can only be managed adequately if it is considered for all artifacts throughout the software development lifecycle. This article provides state of the art on the evolution of security engineering artifacts. The article covers the state of the art on evolution of security requirements, security architectures, secure code… 
A process for mastering security evolution in the development lifecycle
  • M. Felderer, Basel Katt
  • Computer Science
    International Journal on Software Tools for Technology Transfer
  • 2015
This introduction to the special section on eternal security evolution presents a process for handling security evolution throughout the software development lifecycle and uses this process to position the individual contributions.
Challenges in Secure Software Evolution - The Role of Software Architecture
Five key challenges in maintaining security properties during software evolution are described, and how architecture supports mastering them is shown.
Security Testing: A Survey
Systematic Mapping of the Literature on Secure Software Development
There is a diversity of methodologies, models, and tools with specific objectives in each secure software development stage, and the most frequent topics are vulnerability scanning and penetration testing in each stage.
A systematic classification of security regression testing approaches
A systematic classification of available security regression testing approaches based on a solid study of background and related work is presented to sketch which parts of the research area seem to be well understood and evaluated, and which ones require further research.
Evolution of a Secure Voice Communication System
The goal of the thesis is to find a general solution on how to evolve a system from secure one-to-one into secure many-to-many communication, without violating any of the system’s security requirements along the way.
Guidelines for Systematic Mapping Studies in Security Engineering
This chapter provides methodological support for systematic mapping studies in security engineering based on examples from published security engineering papers and uses published mapping studies to describe the tailoring of this process for security engineering.
A Six Sigma Security Software Quality Management
It is concluded that utilising Monte Carlo Simulations in a Six Sigma DMAIC structured framework is better than conventional approaches using static analysis methods to improve software quality and achieve the zero-defects quality assurance goal, while assigning quality confidence levels to scheduled product releases.
On the Modeling of Automotive Security: A Survey of Methods and Perspectives
This paper aims to give a comprehensive introduction to the topic of security models for the Intelligent Transport System (ITS); a survey of the current methodologies for security modeling is conducted, and a classification scheme is subsequently proposed.
Distributed Control Systems Security for CPS
To address the security of DCSs, it is important to understand the bridging features between DCSs and the CPSs in order to protect them from cyberattacks against known and unknown vulnerabilities.


Security patterns: comparing modeling approaches
Addressing the challenges of developing secure software systems remains an active research area in software engineering. Current research efforts have resulted in the documentation of recurring
Security Requirements Engineering for Evolving Software Systems: A Survey
It is suggested that a cross fertilization of the areas of software evolution and security engineering would address the problem of maintaining compliance to security requirements of software systems as they evolve.
Supporting Security Assurance in the Context of Evolution: Modular Modeling and Analysis with UMLsec
This paper presents a modular approach to security assurance based on the extension mechanisms available for the Unified Modeling Language (UML), in particular using so-called profiles, which allows us to define analysis models which can be exchanged easily whenever the threat model changes due to system evolution.
Incremental Security Verification for Evolving UMLsec models
This work investigates the security analysis of UMLsec models by means of a change-specific notation allowing multiple evolution paths and sound algorithms supporting the incremental verification process of evolving models, validated by a tool implementation of these verification techniques that extends the existing UMLsec tool support.
Security and Trust Requirements Engineering
This paper critically reviews the state of the art in security requirements engineering and discusses the motivations that led to the Secure Tropos methodology, a formal framework for modelling and analyzing security, that enhances the agent-oriented software development methodology i*/Tropos.
A Tool for Managing Evolving Security Requirements
SeCMER, a tool for requirements evolution management developed in the context of the SecureChange project, is presented, which supports automatic detection of requirement changes and violation of security properties using change-driven transformations.
On the importance of the separation-of-concerns principle in secure software engineering
This position paper argues that attempts to separate security aspects from other aspects of an application (even though in many cases not completely successful) are a necessary means to raise the security level of most applications.
Evolution of Security Requirements Tests for Service-Centric Systems
This paper presents a model-driven method for system-level security testing of service-centric systems focusing on the aspect of requirements, system and test evolution, and highlights the specifics for the evolution of security requirements.
From goal-driven security requirements engineering to secure design
The presented approach, which is based on the integration of a goal-driven security requirements engineering (GDSRE) methodology and a model-based security engineering (MBSE) method, provides a structured process to translate the results of the GDSRE method to a design, which satisfies these requirements.
A Survey of Modeling and Analysis Approaches for Architecting Secure Software Systems
A survey for researchers involved in the problem of systematically modelling and analyzing software architecture designs that have security properties is presented, which includes a discussion of semi-formal, formal, integrated semi-formal and formal, and aspect-oriented approaches.