{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,4,4]],"date-time":"2022-04-04T23:23:31Z","timestamp":1649114611829},"reference-count":28,"publisher":"IGI Global","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2015,1]]},"abstract":"<jats:p>At present, security-related engineering usually requires a big up-front design (BUFD) regarding security requirements and security design. In addition to the BUFD, at the end of the development, a security evaluation process can take up to several months. In today's volatile markets customers want to be able to influence the software design during the development process. Agile processes have proven to support these demands. Nevertheless, there is a clash between traditional security design and evaluation processes. In this paper, the authors propose an agile security evaluation method for the Common Criteria standard. This method is complemented by an implementation of a change detection analysis for model-based security requirements. This system facilitates the agile security evaluation process to a high degree. However, the application of the proposed evaluation method is limited by several constraints. The authors discuss these constraints and show how traditional certification schemes could be extended to better support modern industrial software development processes.<\/jats:p>","DOI":"10.4018\/ijsse.2015010103","type":"journal-article","created":{"date-parts":[[2015,2,13]],"date-time":"2015-02-13T13:30:39Z","timestamp":1423834239000},"page":"47-75","source":"Crossref","is-referenced-by-count":0,"title":["Balancing Product and Process Assurance for Evolving Security Systems"],"prefix":"10.4018","volume":"6","author":[{"given":"Wolfgang","family":"Raschke","sequence":"first","affiliation":[{"name":"Institute for Technical Informatics, Graz University of Technology, Graz, Austria"}]},{"given":"Massimiliano","family":"Zilli","sequence":"additional","affiliation":[{"name":"Institute for Technical Informatics, Graz University of Technology, Graz, Austria"}]},{"given":"Philip","family":"Baumgartner","sequence":"additional","affiliation":[{"name":"NXP Semiconductors Austria GmbH, Gratkorn, Austria"}]},{"given":"Johannes","family":"Loinig","sequence":"additional","affiliation":[{"name":"NXP Semiconductors Austria GmbH, Gratkorn, Austria"}]},{"given":"Christian","family":"Steger","sequence":"additional","affiliation":[{"name":"Institute for Technical Informatics, Graz University of Technology, Graz, Austria"}]},{"given":"Christian","family":"Kreiner","sequence":"additional","affiliation":[{"name":"Institute for Technical Informatics, Graz University of Technology, Graz, Austria"}]}],"member":"2432","reference":[{"key":"ijsse.2015010103-0","unstructured":"Altmanninger, K., Brosch, P., Kappel, G., Langer, P., Seidl, M., Wieland, K., & Wimmer, M. (2009, October). Why model versioning research is needed!? an experience report. In Proceedings of the MoDSE-MCCM 2009 Workshop@ MoDELS (Vol. 9)."},{"key":"ijsse.2015010103-1","first-page":"3","article-title":"Introduction to IEC 61508.","volume":"Volume 55","author":"R.Bell","year":"2006","journal-title":"Proceedings of the 10th Australian workshop on Safety critical systems and software"},{"key":"ijsse.2015010103-2","first-page":"47","article-title":"Towards agile security assurance.","author":"K.Beznosov","year":"2004","journal-title":"Proceedings of the 2004 workshop on New security paradigms"},{"key":"ijsse.2015010103-3","first-page":"175","article-title":"Extending software change impact analysis into cots components.","author":"S. A.Bohner","year":"2002","journal-title":"In Software Engineering Workshop, 2002. Proceedings. 27th Annual NASA Goddard\/IEEE"},{"issue":"2","key":"ijsse.2015010103-4","first-page":"29","article-title":"Model differences in the eclipse modeling framework. UPGRADE","volume":"9","author":"C.Brun","year":"2008","journal-title":"The European Journal for the Informatics Professional"},{"key":"ijsse.2015010103-5","author":"A.Cockburn","year":"2006","journal-title":"Agile software development: the cooperative game"},{"key":"ijsse.2015010103-6","author":"M.Cohn","year":"2010","journal-title":"Succeeding with agile: software development using Scrum"},{"key":"ijsse.2015010103-7","unstructured":"Common Criteria. (2002). Reuse of evaluation results and evidence."},{"key":"ijsse.2015010103-8","unstructured":"Common Criteria. (2012). Common criteria for information technology security evaluation (Part 1-3, Version 3.1., Revision 4)."},{"key":"ijsse.2015010103-9","unstructured":"Do, R. T. C. A. (1992). 178B: Software considerations in airborne systems and equipment certification."},{"key":"ijsse.2015010103-10","doi-asserted-by":"publisher","DOI":"10.1145\/1183088.1183090"},{"key":"ijsse.2015010103-11","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-84628-806-7_4"},{"issue":"1","key":"ijsse.2015010103-12","first-page":"133","article-title":"Security requirements engineering: A framework for representation and analysis. Software Engineering","volume":"34","author":"C. B.Haley","year":"2008","journal-title":"IEEE Transactions on"},{"key":"ijsse.2015010103-13","doi-asserted-by":"crossref","unstructured":"Hawkins, R., & Kelly, T. (2010, October). A structured approach to selecting and justifying software safety evidence. In System Safety 2010, 5th IET International Conference on (pp. 1-6). IET.","DOI":"10.1049\/cp.2010.0825"},{"key":"ijsse.2015010103-14","doi-asserted-by":"crossref","unstructured":"Hilburn, T. B., Ardis, M., Johnson, G., Kornecki, A. J., & Mead, N. (2013). Software assurance competency model.","DOI":"10.21236\/ADA610368"},{"key":"ijsse.2015010103-15","unstructured":"ISO, C. (2011). 26262, road vehicles\u2013Functional safety. ISO Standard."},{"key":"ijsse.2015010103-16","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-21470-7_5"},{"key":"ijsse.2015010103-17","article-title":"The emergence of change at the interface of system and embedded software design.","author":"M. S.Kilpinen","year":"2007","journal-title":"Conference on Systems Engineering Research"},{"key":"ijsse.2015010103-18","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-39179-8_30"},{"key":"ijsse.2015010103-19","doi-asserted-by":"crossref","unstructured":"Mantel, H. (2002). On the composition of secure systems. In Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on (pp. 88-101). IEEE.","DOI":"10.1109\/SECPRI.2002.1004364"},{"key":"ijsse.2015010103-20","doi-asserted-by":"publisher","DOI":"10.1002\/spip.429"},{"key":"ijsse.2015010103-21","doi-asserted-by":"publisher","DOI":"10.1109\/ESPRE.2014.6890525"},{"key":"ijsse.2015010103-22","unstructured":"Raschke, W., Zilli, M., Loinig, J., Weiss, R., Steger, C., & Kreiner, C. (2014a). Where does all this waste come from. In Industrial Proceedings of the 18th EuroSPI Conference (pp. 3.1-3.10). DELTA, Denmark."},{"key":"ijsse.2015010103-23","unstructured":"Reiner, M., Sauberer, G., & Messnarz, R. (2014). European Certification and Qualification Association \u2013 Developments in Europe and World Wide. In Industrial Proceedings of the 18th EuroSPI Conference (pp. 3.1-3.10). DELTA, Denmark."},{"key":"ijsse.2015010103-24","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45853-0_12"},{"key":"ijsse.2015010103-25","unstructured":"Team, C. P. (2002). Capability maturity model\u00ae integration (CMMI SM), version 1.1. Software Engineering Institute, Carnegie Mellon University, Pittsburg, PA, Tech. Rep. SEI-2002-TR-012."},{"key":"ijsse.2015010103-26","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-012-0311-7"},{"key":"ijsse.2015010103-27","author":"K. E.Wiegers","year":"2002","journal-title":"Peer reviews in software: A practical guide"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=123454","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,8,20]],"date-time":"2019-08-20T22:45:35Z","timestamp":1566341135000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/ijsse.2015010103"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2015,1]]},"references-count":28,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.4018\/ijsse.2015010103","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,1]]}}}