Conferences >Workshop on Empirical Require...

Towards agile security risk management in RE and beyond

Download PDF
Download References
Request Permissions
Save to
Alerts

Abstract:

Little attention has been given so far to the process of security risk management at the early stages of system development. Security has been addressed by isolated secur...Show More

Metadata

Abstract:

Little attention has been given so far to the process of security risk management at the early stages of system development. Security has been addressed by isolated security assurance practices, some of which consider risks and mitigations but they do not provide an overview of the overall security state of the system being developed. This paper takes the position that (1) these isolated security assurance practices should be fully integrated and should be embedded in short iterations of risk assessment, treatment and acceptance, providing input for updating security requirements and for security risk management, and that (2) available empirical data from public catalogs and databases should be used as a source of expertise, to leverage past experiences, and therefore reduce, although not eliminate, subjectivity of human judgment. Borrowing from the agile software development and project management philosophy, we introduce the idea of a light weight, agile approach to security risk management integrated to the development life cycle.

Published in: Workshop on Empirical Requirements Engineering (EmpiRE 2011)

Date of Conference: 30-30 August 2011

Date Added to IEEE Xplore: 17 October 2011

ISBN Information:

ISSN Information:

DOI: 10.1109/EmpiRE.2011.6046253

Conference Location: Trento, Italy

Contents

I. Introduction

“Just about every software system deployed today must defend itself from malicious adversaries” [1]. Building defenses, however, requires a clear overview of security risks which change across the development life cycle for many reasons, e.g., new threats arise, new vulnerabilities are reported, risks are introduced at different phases of development. Therefore, assuming that security requirements should be neatly engineered up-front and frozen for the rest of the development life cycle (independent of the development paradigm adopted) is rather unrealistic. In practice, new security requirements are discovered along the development life cycle, some of them will have to be addressed by the system and some will be accepted as residual risks. Security risk management has the potential to help in making such decisions in an informed way, providing a clearer overview of the state of system security, when deployed.

References is not available for this document.

MIT Libraries

MIT Libraries

Towards agile security risk management in RE and beyond

Abstract:

Metadata

Abstract:

ISSN Information:

I. Introduction

References

IEEE Account

Purchase Details

Profile Information

Need Help?

MIT Libraries

MIT Libraries

Towards agile security risk management in RE and beyond

Alerts

Abstract:

Metadata

Abstract:

ISSN Information:

I. Introduction

References