research-article

A systems-of-systems security framework for requirements definition in cloud environment

Authors:

Sara B. O. Gennari Carturan,

Denise Hideko GoyaAuthors Info & Claims

ECSA '19: Proceedings of the 13th European Conference on Software Architecture - Volume 2

Pages 235 - 240

https://doi.org/10.1145/3344948.3344977

Published: 09 September 2019 Publication History

Abstract

There are many aspects that involve the development of secure software. Regardless of the development model, the verification and validation of security must always be present, in all environments and stages. Systems-of-Systems (SoS) refer to a complex system that comprises other systems (the constituent systems), which have operational and managerial independence, geographical distribution, emergent behavior, and evolutionary development processes. By integrating cloud computing applications and services into a complex existing system, many challenges arise, especially those related to security issues. In this paper, it is proposed a security framework to guide the planning and definition phases of security requirements for SoS considering agile methods for application development and a DevSecOps approach. By using a checklist and some questions to identify which security aspects should be included, security drivers were obtained to integrate cloud computing in a SoS context, taking into account the perspectives of existing IT Governance Model, IT Operational Model, and IT Processes. Additionally, it is emphasized the need for a human resources management that aims at the positive acceptance of organizational change by all involved.

References

[1]

ISO/IEC 27000:2018, Information technology - Security techniques - Information security management systems - Overview and vocabulary

[2]

ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements

[3]

M. P. Correia and P. J. Sousa. 2017. Secure Software. (2nd. ed.). ISBN-13: 9789727228584

[4]

Systems Security Engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. NIST Special Publication 800-160. Updated March 2018.

[5]

INCOSE Systems Engineering Handbook, 4th Edition, John Wiley & Sons Inc., 2015

[6]

A. Habl, O. Kipouridis and J. Fottner, "Deploying microservices for a cloud-based design of system-of-systems in intralogistics", IEEE 15th International Conference on Industrial Informatics (INDIN), July 2017, Emden, Germany

[7]

L. Riungu-Kalliosaari, L. E. Lwakatare and S. Makinen T. Männistö. DevOps Adoption Benefits and Challenges in Practice: A Case Study. Product-Focused Software Process Improvement: 17th International Conference, PROFES 2016, Trondheim, Norway, November 22--24, 2016, Proceedings (pp.590--597).

[8]

ISO/IEC 27017:2015, Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

[9]

Project Management Institute (PMI) - PMBOK® Guide. A Guide to the Project Management Body of Knowledge, 6th. ed., 2017.

[10]

H. Kezner, "Project Management: A Systems Approach to Planning, Scheduling and Controlling", 12th. ed., Wiley, 2017.

[11]

M. Rokeach. The nature of human values. 1973. New York, NY. The Free Press.

[12]

M. Rokeach. Understanding human values - Individual and Societal.2008.New York, NY. The Free Press.

[13]

R. A. Noe, J. R. Hollenbeck, B. Gerhart and P. M. Wright. Human resource management: Gaining a competitive advantage. 2017.

[14]

P. Boxall and J. Purcell. Strategy and Human Resource Management. 3rd. ed., 2011.

[15]

S. H. Schwartz. An Overview of the Schwartz Theory of Basic Values. Online Readings in Psychology and Culture. 2012.

[16]

S. H. Schwartz. Universals in the Content and Structure of Values: Theoretical Advances and Empirical Tests in 20 Countries, Advances in Experimental Social Psychology Vol. 25, Elsevier, pp. 1--65

Cited By

Ramaj XSánchez-Gordón MGkioulos VColomo-Palacios R(2024)On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and GoalsProceedings of the 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability10.1145/3643662.3643954(45-52)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1145/3643662.3643954
Olivero MBertolino ADominguez-Mayo FEscalona MMatteucci I(2024)A systematic mapping study on security for systems of systemsInternational Journal of Information Security10.1007/s10207-023-00757-023:2(787-817)Online publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1007/s10207-023-00757-0
Ramaj XSánchez-Gordón MGkioulos VChockalingam SColomo-Palacios R(2022)Holding on to Compliance While Adopting DevSecOps: An SLRElectronics10.3390/electronics1122370711:22(3707)Online publication date: 12-Nov-2022
https://doi.org/10.3390/electronics11223707
Show More Cited By

Recommendations

Implementing Secure DevOps assessment for highly regulated environments
ARES '17: Proceedings of the 12th International Conference on Availability, Reliability and Security

Secure DevOps has become a standard option for entities seeking to streamline and increase comprehensive participation by all stakeholders in their secure Security Development Lifecycle (SDLC)[1]. In most case in industry, academia, and government, ...
Major challenges of systems-of-systems with cloud and DevOps: a financial experience report
SESoS-WDES '19: Proceedings of the 7th International Workshop on Software Engineering for Systems-of-Systems and 13th Workshop on Distributed Software Development, Software Ecosystems and Systems-of-Systems

The term Systems-of-Systems (SoS) refers to a complex system that comprises other systems (the constituent systems), which have operational and managerial independence, geographical distribution, emergent behavior, and evolutionary development ...
Modeling continuous security: A conceptual model for automated DevSecOps using open-source software over cloud (ADOC)
Abstract
Agile software development methodology and DevOps, together, have helped the business to achieve agility and velocity in delivering time-to-market applications and services. Open-source software (OSS) and cloud technologies are taking ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ECSA '19: Proceedings of the 13th European Conference on Software Architecture - Volume 2

September 2019

286 pages

ISBN:9781450371421

DOI:10.1145/3344948

Editors:
Laurence Duchien
University of Lille, France
,
Catia Trubiani
Gran Sasso Science Institute (GSSI), Italy
,
Riccardo Scandariato
Chalmers | University of Gothenburg, Sweden
,
Raffaela Mirandola
Polytecnico di Milano, Italy
,
Elena Maria Navarro Martinez
Universidad de Castilla-La Mancha, Spain
,
Danny Weyns
Katholieke Universiteit Leuven, Belgium
,
Anne Koziolek
Karlsruhe Institute of Technology, Germany
,
Patrizia Scandurra
University of Bergamo, Italy
,
Clément Quinton
University of Lille, France

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 September 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ECSA

ECSA: European Conference on Software Architecture

September 9 - 13, 2019

Paris, France

Acceptance Rates

ECSA '19 Paper Acceptance Rate 48 of 72 submissions, 67%;

Overall Acceptance Rate 48 of 72 submissions, 67%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
313
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)1

Reflects downloads up to 15 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Ramaj XSánchez-Gordón MGkioulos VColomo-Palacios R(2024)On DevSecOps and Risk Management in Critical Infrastructures: Practitioners' Insights on Needs and GoalsProceedings of the 2024 ACM/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE/ACM Second International Workshop on Software Vulnerability10.1145/3643662.3643954(45-52)Online publication date: 15-Apr-2024
https://dl.acm.org/doi/10.1145/3643662.3643954
Olivero MBertolino ADominguez-Mayo FEscalona MMatteucci I(2024)A systematic mapping study on security for systems of systemsInternational Journal of Information Security10.1007/s10207-023-00757-023:2(787-817)Online publication date: 1-Apr-2024
https://dl.acm.org/doi/10.1007/s10207-023-00757-0
Ramaj XSánchez-Gordón MGkioulos VChockalingam SColomo-Palacios R(2022)Holding on to Compliance While Adopting DevSecOps: An SLRElectronics10.3390/electronics1122370711:22(3707)Online publication date: 12-Nov-2022
https://doi.org/10.3390/electronics11223707
Ramaj XSánchez-Gordón MChockalingam SColomo-Palacios R(2022)Unveiling the Safety Aspects of DevSecOps: Evolution, Gaps and TrendsRecent Advances in Computer Science and Communications10.2174/266625581666622080414391816:3Online publication date: Mar-2022
https://doi.org/10.2174/2666255816666220804143918
Dias RZacarias RVarella Jdos Santos R(2022)Investigating Information Security in Systems-of-SystemsProceedings of the XVIII Brazilian Symposium on Information Systems10.1145/3535511.3535523(1-8)Online publication date: 16-May-2022
https://dl.acm.org/doi/10.1145/3535511.3535523
Ibrahim AYousef AMedhat W(2022)DevSecOps: A Security Model for Infrastructure as Code Over the Cloud2022 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC)10.1109/MIUCC55081.2022.9781709(284-288)Online publication date: 8-May-2022
https://doi.org/10.1109/MIUCC55081.2022.9781709
McZara JKafle SShin D(2020)Modeling and Analysis of Dependencies between Microservices in DevSecOps2020 IEEE International Conference on Smart Cloud (SmartCloud)10.1109/SmartCloud49737.2020.00034(140-147)Online publication date: Nov-2020
https://doi.org/10.1109/SmartCloud49737.2020.00034
Ahmed ZFrancis S(2019)Integrating Security with DevSecOps: Techniques and Challenges2019 International Conference on Digitization (ICD)10.1109/ICD47981.2019.9105789(178-182)Online publication date: Nov-2019
https://doi.org/10.1109/ICD47981.2019.9105789

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents