Abstract
In this chapter, we introduce a three-layered framework for maintaining security in software evolution at design time and run time. Additionally, we present a suite of five approaches that employ the framework. Two approaches focus on design time: one uses knowledge extracted from natural-language documents to identify potential steps for co-evolving the system’s design, and the other integrates architecture model information with program code. A third approach bridges design time and run time to support architects as the software evolves. The two remaining approaches focus on run-time security maintenance. The fourth approach monitors run-time information to detect suspicious behaviour and reacts to it automatically by adapting the system with mitigation, while the fifth approach focuses on interdisciplinary changes in automation software. In combination, the approaches address current challenges for security maintenance at design time and run time.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2019 The Author(s)
About this chapter
Cite this chapter
Jürjens, J. et al. (2019). Maintaining Security in Software Evolution. In: Reussner, R., Goedicke, M., Hasselbring, W., Vogel-Heuser, B., Keim, J., Märtin, L. (eds) Managed Software Evolution. Springer, Cham. https://doi.org/10.1007/978-3-030-13499-0_9
DOI: https://doi.org/10.1007/978-3-030-13499-0_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-13498-3
Online ISBN: 978-3-030-13499-0
eBook Packages: Computer Science (R0)