Framework for Engineering Complex Security
Requirements Patterns
Ral Mazo
Panthon Sorbonne University
90, rue de Tolbiac,
75013 Paris, France
raul.mazo@univ-paris1.fr
AbstractSecurity management and business assets
protection have been a paramount concern for many years. Due
to the flood of arising innovative technologies such as cloud
computing or big data, security approaches have constantly
evolved toward more sophisticate solutions, aiming to tackle
always more complex security issues. Nowadays, integrated
frameworks are necessary to manage this complexity. Pattern-
based approaches for reusing security solutions have proven its
usefulness, but mostly in the frame of simple security matters.
Acknowledging this, the scientific community has recently
considered how these patterns could also be used to address the
complexity caused by the association of multiple security criteria.
Approaches based on the combination of simple security
patterns have emerged and have resulted in the elaboration of
methods for designing systems of security patterns and systems
managing these collections of patterns. Nonetheless, in that
domain, we have observed that researches are mostly focused on
the definition of security solutions and do not address the
complexity of the security requirements yet. In this paper we
present a proposal for addressing this issue by means of a
framework for engineering reusable security patterns for
complex systems called COPERATE (COmPlex sEcurity
Requirements pAtTErns). To show the feasibility of our
approach, this framework is used for defining a complex security
requirement and its corresponding pattern for an excerpt of a
case taken from the cloud-computing domain.
KeywordsInformation security; security management;
security pattern; security requirements; pattern modelling
I. INTRODUCTION
Security has moved from being considered by information
systems designers as a technical topic to becoming a critical
issue in our society [2]. With the growing use of information
systems, these kind of systems are becoming more and more
complex. Nowadays, information systems must comply with
new usages, requirements, and deployment technologies that
permanently expose them to new vulnerabilities. There is no
single week without an announcement indicating that the
information system of some private or public organization was
attacked. Attacks to information systems may target strategic
data such as information exchanged by CEOs, financial data,
R&D documents, customers and human resources information,
etc. The consequences for organizations are manifold:
deterioration of the image and brand, disturbance of activity,
financial losses, and even threats to the socio-economic,
political and military ecosystems.
Christophe Feltus
Luxembourg Institute of Science and Technology
5 Avenue des Hauts-Fourneaux,
4362 Esch-sur-Alzette, Luxembourg
christophe.feltus@list.lu
However, with the growing need to implement information
technology security measures and the larger application scope,
analysts and requirements engineers have to face two major
challenges: the reuse of the, often tacit, knowledge about
security and the engineering of this reusable knowledge. A new
discipline called Security Requirements Engineering (SRE) is
intended to tackle these challenges: the first challenge is
usually faced by means of security patterns and the second one
by means of systems of security patterns. However, there are
still several difficulties regarding the maturity of the SRE
methods to deal with security requirements. For instance,
Zuccato et al. [20] report that (1) SRE is in practice frequently
performed by security non-experts, (2) security expertise is
scarce, and (3) security requirements and their dependencies
are often not directly known by requirements engineers. In
addition to the lack of explicit and reusable security
knowledge, there is the lack of organization of that reusable
knowledge in a process compatible with the requirements
engineering practices. To cope with this issue, this paper
proposes a framework for engineering reusable security
requirements patterns in the context of the current requirements
engineering practices for complex systems. In particular, the
proposed framework consists in a set of tools that gathers
simple and complex patterns models and metamodels
[5][8][14], patterns engineering methods [6][10], and a security
pattern template library. There are several advantages of using
this framework. Some of these advantages are associated with
the fact of considering security during early stages of
information systems development, like for instance allowing
information systems developers to envisage threats and their
consequences and countermeasures before a system is in place.
Other advantages are associated with the possibility of
managing groups of security requirements and their associated
patterns.
From a methodological perspective, the framework
proposed in this paper has been built with a Design Science
approach, as explained by Hevner et al. [7]. The designed
artefact is a framework for engineering complex security
requirements patterns that defines a CSRP (complex security
requirements pattern) model and a CSRE (complex security
requirements engineering) method. The CSRP model is
designed from the existing security requirements pattern model
that has been iteratively extended to integrate complex security
elements (e.g., interrelation between security criteria, mutual
influence, etc.). The information necessary to complete the
model is gathered using techniques such as observation,
interviews and surveys, document archaeology, etc. These
social science techniques are efficient to elicit requirements
and are part of common requirements engineering best
practices. Information about requirements is also extracted
using reengineering approaches and information retrieval
techniques in the available assets. Identification, location and
extraction of features, reusable assets or patterns can help
during the model creation. Afterwards, the collection of
security requirements patterns is built iteratively, by
intertwined design and experimental validation activities. The
elaboration of the CSRE method is based on a risk
management method that allows analysing threats on the
information system in order to derive security requirements to
mitigate security risks.
Fortunately, this paper is not the first one intending to
tackle these issues; on the contrary, it is based on previous
efforts of the requirements engineering community. In
particular, the framework proposed in this paper is a step
towards the integration and the extension of the method for
using security patterns to model and analyze security
requirements proposed by Konrad et al. [8], the PABRE
framework for pattern-based requirements elicitation proposed
by Renault et al. [15], the methods for constructing and using
requirements patterns proposed by Franch et al. [5] and
Fernandez et al. [4], and the idea of creating system of security
design patterns proposed by Nguyen et al [12].
The rest of this paper is organized as follows: Section II
presents the related work found in literature about security
patterns requirements engineering and shows the novelty of our
proposal with respect to the current state of the art. Section III
presents the framework that we propose in this paper and
illustrates it with a running example taken from the cloud
computing area. Section IV concludes the paper with some
discussions about our early experiences using the framework
and presents an agenda for future researches in reusable
security patterns for complex systems.
II. RELATED WORK
Knowledge management in Requirements Engineering
(RE) is a current issue of the research community. The concept
of requirements patterns is explored, among others, by Franch
et al. [5] (see white boxes in Figure 1). However, the research
on this topic is currently wide and not yet focused on specific
disciplines of RE [15], although there are some initiatives in
the field of Security Requirements Engineering (SRE). In that
regard, Souag et al. [17] argue that reusable knowledge for
SRE constitutes a major ingredient of the SRE methods.
Security patterns consist in a set of specific problem-solution
associations which aim to solve and facilitate the automatic
treatment of recurring security issues, from the requirements
engineering phase up to their design and implementation.
Security patterns have already been examined by a plethora of
researchers [6][10][13][16][18].
Two of the most relevant contributions on SRE are: the
work of Fernandez et al. [4], which provides an overview of a
method for security system development involving a full range
of security patterns; and the work of Konrad et al. [8], which
explains that the security needs of a system highly depend on
the environment in which it is deployed, and that using security
patterns may help the developer to gain security insight for
checking the consistency of a specific design and
implementation with security properties.
The framework proposed in this paper aims to organize the
elements that should be taken into account to build and manage
complex security patterns for a particular information system in
function of the complexity level of the security criteria that
should be considered (vertical axis) and the security
deployment life cycle of the information system (horizontal
axis), as illustrated on Figure 1. This framework extends
previous work achieved in the context of the PABRETM
Framework [14][15], which mainly defines the elements of
simple security requirements pattern (SSRP) [5] and Security
Requirements Engineering (SRE) [18].
III. MOTIVATING SCENARIO: A DATA ACCESS APPLICATION IN A
CLOUD-BASED ENVIRONMENT
Cloud computing offers a plethora of arriving complex
security requirements for the reason that it associated
traditional security requirements and new requirements
associated to the internet-based and shared processing of the
information. In this context, a data retrieval system on the
cloud is used as a running example to explain to what extend
the traditional security protections may not be handled
separately anymore but must be regarded has a complex
integration of security patterns. For instance, in traditional
information systems, access to information requires the
deployment of two isolated and independent security
requirements patterns, respectively: a pattern for the
management of the access rights (Re1: user authentication)
and a pattern for the encryption of the data (Re2: data
confidentiality). In a cloud computing-based environment,
the access rights and the data encryption should not be
separately handled by these two patterns. Instead, they should
be composed into a new unique complex security requirements
pattern that takes into account the complex relations between
the two simple patterns taken separately. In order to do so,
the new requirements pattern should associate encryption
requirements and traditional access control mechanisms like
for instance RBAC (role based access control). This means that
although we may consider Re1 and Re2 separately in
traditional architectures of information systems, in a cloud
environment it will be necessary to consider them as a unique
new complex requirement Re3, where Re3 is not equivalent to
Re1 + Re2 but Re3=Re1Re2 with Re1Re2 being > (Re1 +
Re2). Indeed, as explained hereafter, in cloud computing user
authentication may, for instance, not be performed in clear
but by means of encryption tools.
To solve CSR (such as Re3), the deployment of a set of
simple security patterns achieved separately is no more
sufficient. Indeed, in case of an access to a traditional
information system, the user first needs to identify himself in
clear and then successively deploy encryption mechanism to
confidentially communicate with the system. In this case, a
conventional network sniffer may know that there is a
communication between the user and the system but may not
read the content of the data. The situation is different in a
cloud-computing context where network sniffing most often
implies a malicious act [19], which needs to be faced by the
cloud service provider. This service provider must guarantee
the confidentiality of the data but also the anonymity of the
user who access the system.
Hence, in this case, we observe that the requirements
patterns of deploying an access control mechanism to
guarantee user authentication (Re1) and an encryption
mechanism to guarantee confidentiality (Re2) independently
(and formalised Re1 + Re2) do not offer the necessary security
protection to preserve user anonymity anymore. In this case,
both requirements must be integrated to form what we call a
Complex Security Requirements Pattern (Re3), representing
Re1Re2. In other words, the integration of the security
requirements Re1 and Re2 is used to simultaneously achieve
user authentication and data encryption that guarantees the
confidentially and privacy of the users while they log on the
information system.
IV. COPERATE: COMPLEX SECURITY REQUIREMENTS
PATTERN FRAMEWORK
This section presents a first iteration of the framework for
engineering complex security requirements patterns
(COPERATE) and an exploitation of this framework for
dealing with complex security requirements from the cloud-
computing field.
A) The COPERATE framework
Although it is worth to note that most of security engineers
exploit the patterns independently from each other, we also
observe that few have addressed the exploitation of systems of
patterns. Some researchers, such as Nguyen et al [12], highlight
that security patterns must also be organized in systems in
order to offer additional and complementary benefits (e.g.,
coordination, optimisation, avoidance of redundancy, etc.).
This statement is supported by the literature review and
analysis on security patterns made by Nguyen et al. [11], in
which the authors argue that a security pattern solely cannot
help to secure a system against different threats. Thus, it is
necessary to build a system of security patterns in which inter-
pattern relations are specified.
Figure 1. Overview of the COPERATE framework
Considering this new paradigm, the selection of the most
appropriate pattern(s) for a given design challenge is no more
conceivable without knowing the environment in which the
pattern will exist, on the one hand, and the controls which are
made available by the system of security patterns (SSP) and to
be deployed by the security engineer, on the other hand. Based
on Nguyen et al. [11], the same authors propose in [12] an
approach to automatically compose security design patterns
considering multiple security concerns (e.g., authorization,
authentication, identification, etc.) and the inter-pattern
relationships.
As illustrated in Figure 1, SRE methods have proposed
discovering simple security requirements pattern and
identifying the appropriate security pattern necessary to fulfil
these requirements. To address more complex security criteria,
assembling security patterns in systems of patterns appears to
be a promising approach. However, to the best of our
knowledge, it does not exist a repository of Complex Security
Requirements Patterns (CSRP) yet nor RE methods to associate
the right systems of patterns to the right CSRP (grey boxes on
Figure 1). The objective of the framework is to provide the
definition of complex security requirements patterns and more
especially how they can be fulfilled by a system of security
patterns.
B) Using the COPERATE framework
This section illustrates how the general framework for
complex security requirements patterns may be used in order to
discover complex security patterns. Therefore, we present the
usage of the framework in the context of our motivating
scenario. First, we figure out the evolution from traditional
security requirements engineering to complex security
requirements engineering; and second, based on this evolution,
we illustrate how complex security patterns need to be
specified to face arising complex security needs.
1) From (standard) Security Requirements Engineering
(SRE) to Complex Security Requirements Engineering (CSRE)
Security requirements engineering is a dedicated part of the
requirements engineering process that aims, in the context of
the security pattern domain, at discovering recurring simple
security requirements and at identifying the appropriate
security patterns necessary to mitigate specific and recurring
security requirements. According to Alexander [1], each
pattern describes a problem which occurs over and over again
in our environment, and then describes the core of the solution
to that problem, in such a way that you can use this solution a
million times over, without ever doing it the same way twice.
In that regard, we consider that CSRP is a type of security
requirements pattern itself composed of, at least, two security
requirements patterns and, at least, one association of security
requirements patterns (cf. Figure 2).
A complex security requirements engineering (CSRE)
method is a type of security requirements engineering (SRE)
method that exists under the condition that the security
requirements pattern is of a type CSRP. The relation between
the security requirements pattern and security requirements
engineering, called discovers in Figure 2, is defined by
Franch et al. [5] as the most general relationship that implies
all the forms and all the forms parts of the related patterns.
Figure 2. UML class diagram for the CSRE conceptual model
2) Towards Complex Security Requirements Pattern
(CSRP)
In practice, the execution of the CSRE method is supported
by a risk management method. In the context of information
security, risk management methods are defined to analyse
threats on the information system in order to derive security
requirements to mitigate security risks. The security risks may
derive from the threats and vulnerabilities of the information
system itself or of its environment. Detecting or defining
systems of security patterns appears hence strongly influenced,
and may be supported, by risk analysis, at two levels: (1) at the
definition of the security requirements for the design of the
system of security patterns, or (2) at the deployment of the SSP
to validate that new risks have not been generated on the
information system, after the deployment.
Whether the strategy to deal with security requirements is
the first one, security requirements engineers will need to know
how to deal with complex security requirements like Re3 (see
Section III). According to the COPERATE framework,
engineers should decompose Re3 into a set of simple
security requirements. These simple security requirements
are composed of the traditional requirements Re1 and Re2 and
of a new security requirement generated by the cloud
computing context, named Re3 and corresponding to the
protection of the privacy of the user, and hence, the
confidentiality of the access rights. Accordingly, we have got
Re3 that corresponds to Re1 + Re2 + Re3, and Re3 that may
also be expressed in a function of Re1 and Re2 such as Re3=
Re1Re2 - (Re1 + Re2).
The pattern necessary to formalise Re3, according to the
metamodel for software requirements patterns proposed by
Franch et al. [5], is composed of a pattern form, which is
associated to one or more constraints. In addition, the pattern
necessary to formalise Re3 is composed of a fixed part and an
extended part. Both the fixed and extended parts must conform
to some part constraints (e.g., for declaring multiplicities or
dependencies among parts [5], or for expressing condition of
existence) and as a result, may be represented by means of
regular expressions including predefined operators.
Accordingly, Re3 may be expressed by a security pattern.
This pattern exists if the information system exploits a cloud
computing solution (type of condition of existence). The
composition of Re3 may be represented by one of the
following two modelling options:
Option 1. The new CSRP is composed of two fixed parts
which are (1) the Simple Security Requirements Pattern
(SSRP1) necessary to fulfil the user authentication
requirement (Re1) and (2) the SSRP2 necessary to fulfil the
data confidentiality requirement (Re2). Additionally, this
CSRP is also composed of an extended part dedicated to
fulfil Re3 and that corresponds, for instance, to a dedicated
part of the requirements for a software extension for
managing user confidentiality authentication for data
access.
Option 2. The new CSRP corresponds to a dedicated new
extension to be used in parallel to SSRP1 and SSRP2. This
CSRP is composed of a fixed part corresponding to the
requirements for a software extension and, potentially, of
an extended part that could refer to additional requirements
like the type of encryption or the data access right model
[3] (e.g., RBAC, DAC, MAC, or OrBAC).
In the context of our cloud-computing example, both
options are conceivable. Choosing one of these options
depends on the security engineer preferences and on the way he
decides to construct the SSP3 (System of Security Patterns
cf. Figure 1) necessary to fulfil Re3. However, it is worth to
note that the first option is easier to deploy because it is mainly
based on experienced patterns (i.e., security pattern 1 and
security pattern 2) although the second option provides the
advantage of being redesigned and tailored especially for a
dedicated security complex case. Hence, this second option fits
better the needs but requires more expertise from the security
engineer in charge of defining the information system security
controls.
V. DISCUSSION AND FUTURE RESEARCHS
Previous section has proposed the COPERATE framework
for addressing the problem of complex security requirements
necessary to express complex security issues associated with
the composition of multiple security criteria like
confidentiality, availability, privacy, and so forth. This
framework has been designed in order to naturally fit the
evolution of the pattern and security literature such as depicted
in the Related Work section.
 In this paper, we have sketched a CSRE representation to
support the modelling of complex security requirements
patterns and we have proposed two modelling options for
expressing complex security patterns following this model.
Both options are compatible with the metamodel for software
requirements patterns proposed by Franch et al. [5]. Finally, we
have illustrated, based on an excerpt of a case taken from a
cloud-computing domain, how these options may be
instantiated to a real complex security example related to the
confidentiality and the privacy of the users who access the
information system and how the corresponding system of
security patterns is elaborated accordingly.
The COPERATE framework is achieved in the frame of a
Design Science research approach [7] and this paper only
exposes an initial iteration of the construction of the framework
(i.e., complex security requirements engineering method and
the complex security requirements pattern). This initiative is
coherent in the context of Design Science but is obviously not
complete and ready to market yet. In short, the objective of this
paper is to pave the way to future research in the area of
reusable security patterns. In order to do so, there are three
research questions that still need to be answered in future
researches:
Q1. How may security requirements patterns be extended to
consider complex security requirements? The answer to this
question will consist (1) in extending the security requirements
pattern semantic with the appropriate elements necessary to
represent security requirements related to system with complex
security properties and (2) in sampling some important
complex security requirements patterns.
Q2. How may Requirements Engineering help identifying
the right SSP to fulfil CSRP? The answer to this question will
allow discovering to what extend Requirements Engineering is
appropriate for identifying/detecting/building SSP in order to
fulfil complex security criteria. A Q2 nested question is How
may SSP be designed on the bases of risk management
approaches? The answer to this question will result in the
definition of a methodological framework embracing models,
templates and guidelines required by the security professionals.
Q3. What are the next challenges to be addressed to
automate the design and implementation of SSP considering
CSRP? The answer will allow understanding the new research
challenges and the concrete requirements from the market.
In addition, a more stable version of the CSRP model
should be designed from the existing security requirements
pattern model that will be iteratively extended to integrate
complex security elements (e.g., interrelation between security
criteria, mutual influence, etc.) Alike for this paper, the
information necessary to design the model will be gathered
using observation, interviews and surveys. Information about
requirements will be also extracted using reengineering
approaches and information retrieval techniques in the
available assets similar to the ones used to extract common
requirements in product line engineering [9]. The elaboration
of the CSRE method will be completed based on a more
systematic review and integration of the risk management
methods. In addition, the framework presented in this paper
will be validated by means of a more expensed case, integrated
in the PABRE [15] framework, as presented in Figure 1.
REFERENCES
[1] Alexander, C.. The timeless way of building. Vol. 1. New York: Oxford
University Press, 1979.
[2] G. Denker, L. Kagal, T. Finin. Security in the Semantic Web using
o
OWL. Iformation Security Technical Report., vol. 10, n 1, 2005.
[3] C. Feltus. Preliminary Literature Review of Policy Engineering
Methods; Toward Responsibility Concept. ICTTA 2008. IEEE.
[4] E. B. Fernandez, N. Yoshioka, H. Washizaki, J. Jurjens, M. VanHilst,
and G. Pernul. "Using security patterns to develop secure systems".
Software Engineering for Secure Systems: Industrial and Research
Perspectives, pp. 16-31, 2011.
[5] X. Franch, C. Quer, S. Renault, C. Guerlain, and C. Palomares.
"Constructing and Using Software Requirements Patterns", Managing
Requirements Knowledge, edited by Walid Maalej and Anil Kumar
Thurimella, pp. 95116. Berlin, Heidelberg: Springer Verlag, 2013.
[6] L. A. Hermoye, A. van Lamsweerde, D. E. Perry. "Attack Patterns for
Security Requirements Engineering", Requirements Engineering. 2006.
[7] A. R. Hevner, S. T. March, J. Park, and S. Ram. 2004. Design science in
information systems research. MIS Q. 28, 1 (March 2004), 75-105.
[8] S. Konrad, B. H. Cheng, L. A. Campbell, and, R. Wassermann. "Using
security patterns to model and analyze security requirements", IEEE
International Conference on Requirements Engineering (RE), 2003.
[9] A. Lora-Michiels, C. Salinesi, R. Mazo. "A Method based on
Association Rules to Construct Product Line Models". 4th International
Workshop on Variability Modelling of Software-intensive Systems, pp.
147-150. Linz-Austria, January 2010.
[10] H. Mouratidis, M. Weiss, and P. Giorgini. "Modelling Secure Systems
Using an Agent-Oriented Approach and Security Patterns", International
Journal of Software Engineering and Knowledge Engineering, vol. 16,
pp. 471498, 2006.
[11] P. Nguyen, J. Klein, and Y. Le Traon. Model-Driven Security with
Modularity and Reusability for Secure Systems Development, STAF-
DS, 2014.
[12] P. Nguyen, J. Klein, and Y. Le Traon. "Model-Driven Security with A
System of Aspect-Oriented Security Design Patterns" Proceedings of the
2nd Workshop on View-Based, Aspect-Oriented and Orthographic
Software Modelling, ACM, 2014.
[13] T. Okubo, H. Kaiya, and N. Yoshioka. "Effective Security Impact
Analysis with Patterns for Software Enhancement", Sixth International
Conference on Availability, Reliability and Security (ARES), 2011.
[14] S. Renault, O. Mendez-Bonilla, X. Franch, and C. Quer. "A Pattern-
Based Method for Building Requirements Documents in Call-for-Tender
Processes", International Journal of Computer Science and Applications
6, no. 5, pp. 175202, 2009.
[15] S. Renault, O. Mndez-Bonilla, X. Franch, and C. Quer. "PABRE:
pattern-based requirements elicitation", International Conference on
Research Challenges in Information Science (RCIS), pp. 81-92, 2009.
[16] Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann,
F., & Sommerlad, P. (2013). Security Patterns: Integrating security and
systems engineering. John Wiley & Sons.
[17] A. Souag, R. Mazo, C. Salinesi, I. Comyn-Wattiau. "Reusable
knowledge in security requirements engineering: a systematic mapping
study", Requirements Engineering Journal, Springer London, 2015.
[18] A. Souag, C. Salinesi, R. Mazo, I. Comyn-Wattiau. "A Security
Ontology for Security Requirements Elicitation", International
Symposium on Engineering Secure Software and Systems (ESSoS),
Lecture Notes in Computer Science Series, Milan-Italy, 2015.
[19] Z. Trabelsi, H. Rahmani, K. Kaouech and M. Frikha, "Malicious sniffing
systems detection platform," Applications and the Internet, 2004.
Proceedings. 2004 International Symposium on, 2004, pp. 201-207.
[20] Zuccato, A., Daniels N., Jampathom C. "Service Security Requirement
Profiles for Telecom: How Software Engineers May Tackle Security". In
the Sixth International Conference on Availability, Reliability and
Security (ARES), 2011.