Octotrike.org
RE 2012 Presentation
Writing Security Objectives

Security requirements are even more challenging to elicit and specify than most non-functional requirements, due to intelligent post-deployment attackers who change the rules after the product has been shipped, stakeholders' differing definitions of security, the lack of widely accepted scales and pre-deployment meters, security experts' tendency to focus on security technology rather than the goals that motivate it, and the inherent difficulties of describing a negative.

In this interactive tutorial, participants learn a structure for specifying high-level security requirements, and a method for eliciting these security objectives. After a brief introduction to security objectives, participants construct a simple example from start to finish. Participants define attackers, balance stakeholders' conflicting security needs, choose a useful level of abstraction for modeling high-level security goals, generate threats to prioritize, and prioritize the negative security outcomes that really matter. The tutorial concludes with a brief discussion of how to use security objectives, and how to integrate security objectives into an Agile development lifecycle.

Tools and examples used in the tutorial are free and open source (and will be available below by the beginning of the conference); participants may wish to bring a laptop with Excel 2010 or later.




News

31 Jul 2012
Brenda Larcom will be presenting a half-day tutorial on using the current Trike spreadsheet to write security objectives at IEEE RE 2012, September 25 in Chicago, IL.

1 Jul 2012
First official spreadsheet release, 1.5.06.

1 Jul 2012
New SVN and web site organization to support parallel development of the standalone and spreadsheet tools.


Copyright 2004-2008 Brenda Larcom, Eleanor Saitta, and Stephanie Smith. Copyright 2009-2012 Brenda Larcom and Eleanor Saitta. All rights reserved.