A Pattern Oriented Software Development Method for Agile Adaptation to Security Changes

• Project/Area Number: 24300011
• Research Category: Grant-in-Aid for Scientific Research (B)
• Allocation Type: Partial Multi-year Fund
• Section: 一般
• Research Field: Software
• Research Institution: National Institute of Informatics
• Principal Investigator: YOSHIOKA Nobukazu 国立情報学研究所, アーキテクチャ科学研究系, 准教授 (20390601)
• Co-Investigator(Kenkyū-buntansha): WASHIZAKI Hironori 早稲田大学, 理工学術院, 准教授 (70350494) ; 海谷 治彦 神奈川大学, 理学部, 教授 (30262596)
• Co-Investigator(Renkei-kenkyūsha): KAIYA Haruhiko 神奈川大学, 理学部, 教授 (30262596)
• Project Period (FY): 2012-04-01 – 2015-03-31
• Project Status: Completed (Fiscal Year 2014)
• Budget Amount: ¥17,810,000 (Direct Cost: ¥13,700,000、Indirect Cost: ¥4,110,000); Fiscal Year 2014: ¥6,240,000 (Direct Cost: ¥4,800,000、Indirect Cost: ¥1,440,000); Fiscal Year 2013: ¥7,150,000 (Direct Cost: ¥5,500,000、Indirect Cost: ¥1,650,000); Fiscal Year 2012: ¥4,420,000 (Direct Cost: ¥3,400,000、Indirect Cost: ¥1,020,000)
• Keywords: セキュリティ / ソフトウェア学 / パターン / 脆弱性分析 / セキュリティ要求 / インパクト分析

Outline of Final Research Achievements

We need a security development method to quickly adapt to changes of
security requirements. In other words, we firstly estimate the impact on a software system to change it for implementation of security countermeasures before the implementation to know the security costs with the method. Additionally, the method should allow us to apply security countermeasures semi-automatically to reduce the implementation costs. In this research, we have proposed three kinds of security patterns: threat patterns, attack patterns and countermeasure patterns with the relationships among them. In addition, we illustrate relations between these patterns and a design of applications with security stereo-types of UML.

Research Products

• [Journal Article] Requirements Refinement and Exploration of Architecture for Security and Other NFRs (2014)
  • Author(s): Takao Okubo, Nobukazu Yoshioka, Haruhiko Kaiya
  • Journal Title: The Fourth International Workshop on Information Systems Security Engineering - WISSE'14 Volume: LNBIP 178 Pages: 286-298
  • Peer Reviewed
• [Journal Article] Security Requirements Analysis using Knowledge in CAPEC (2014)
  • Author(s): Haruhiko Kaiya, Sho Kouno, Shinpei Ogata, Takuo Okubo, Nobukazu Yoshioka, Hironori Washizaki and Kenji Kaijiri
  • Journal Title: Proc. of The Fourth International Workshop on Information Systems Security Engineering - WISSE'14, LNBIP 178 Volume: - Pages: 343-348
  • DOI: 10.1007/978-3-319-07869-4_32
  • ISBN: 9783319078687, 9783319078694
  • Peer Reviewed
• [Journal Article] MASG: Advanced Misuse Case Analysis Model with Assets and Security Goals (2014)
  • Author(s): Okubo Takao, Kenji Taguchi, Kaiya Haruhiko, Yoshioka Nobukazu
  • Journal Title: Journal of Information Processing Volume: 22 Issue: 3 Pages: 536-546
  • DOI: 10.2197/ipsjjip.22.536
  • NAID: 130004726192
  • ISSN: 1882-6652
  • Peer Reviewed / Open Access
• [Journal Article] Verifying Implementation of Security Design Patterns Using a Test Template (2014)
  • Author(s): Masatoshi Yoshizawa, Takanori Kobashi, Hiroyoshi Washizaki, Yoshiaki Fukazawa, Takao Okubo, Haruhiko Kaiya and Nobukazu Yoshioka
  • Journal Title: Proceedings of 9th International Conference on Availability, Reliability and Security (ARES2014) Volume: - Pages: 178-183
  • DOI: 10.1109/ares.2014.31
  • Peer Reviewed
• [Journal Article] Security and Privacy Behavior Definition for Behavior Driven Development (2014)
  • Author(s): Takao Okubo, Yoshio Kakizaki, Yoshinori Kobashi, Hironori Washizaki, Shinpei Ogata, Haruhiko Kaiya and Nobukazu Yoshioka
  • Journal Title: Proceedings of The 15th International Conference of Product Focused Software Development and Process Improvement (PROFES 2014) Volume: - Pages: 306-309
  • DOI: 10.1007/978-3-319-13835-0_28
  • ISBN: 9783319138343, 9783319138350
  • Peer Reviewed
• [Journal Article] Validating Security Design Pattern Applications by Testing Design Models (2014)
  • Author(s): Takanori Kobashi, Nobukazu Yoshioka, Takao Okubo, Haruhiko Kaiya, Hironori Washizaki,Yoshiaki Fukazawa
  • Journal Title: International Journal of Secure Software Engineering (IJSSE) Volume: Vol.5, No.4 Issue: 4 Pages: 1-30
  • DOI: 10.4018/ijsse.2014100101
  • Peer Reviewed
• [Journal Article] Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment (2013)
  • Author(s): Haruhiko Kaiya, Junya Sakai, Shinpei Ogata and Kenji Kaijiri
  • Journal Title: International Journal of Secure Software Engineering (IJSSE), IGI Global Volume: Vol.4, Issue3 Issue: 3 Pages: 42-63
  • DOI: 10.4018/jsse.2013070103
  • Peer Reviewed
• [Journal Article] Enhancing Goal-Oriented Security Requirements Analysis Using Common Criteria-Based Knowledge (2013)
  • Author(s): Motoshi Saeki, Shinpei Hayashi, Haruhiko Kaiya
  • Journal Title: International Journal of Software Engineering and Knowledge Engineering Volume: vol.23, no.5 Issue: 05 Pages: 495-509
  • DOI: 10.1142/s0218194013500174
  • Peer Reviewed
• [Journal Article] Analyzing Impacts on Software Enhancement Caused by Security Design Alternatives with Patterns (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, and Nobukazu Yoshioka
  • Journal Title: International Journal of Secure Software Engineering (IJSSE), IGI Global Volume: Vol.3, No.1 Issue: 1 Pages: 37-61
  • DOI: 10.4018/jsse.2012010103
  • Peer Reviewed
• [Presentation] Abstract security patterns for requirements and analysis of secure systems (2014)
  • Author(s): Eduardo B. Fernandez, Nobukazu Yoshioka, Hironori Washizaki and Joseph Yoder
  • Organizer: 17th Workshop on Requirements Engineering(WER 2014)
  • Place of Presentation: Pucon, Chili
  • Year and Date: 2014-04-23 – 2014-04-25
• [Presentation] モデルテストによるセキュリティ分析・設計パターンの適用支援 (2012)
  • Author(s): 小橋孝紀, 大久保隆夫, 海谷治彦, 吉岡信和, 伊永祥太, 鷲崎弘宜, 深潭良彰
  • Organizer: コンピュータセキュリティシンポジウム2012
  • Place of Presentation: 松江市くにびきメッセ
  • Year and Date: 2012-10-30
• [Presentation] System security requirements analysis with answer set programming (2012)
  • Author(s): Gideon D. Bibu, Nobukazu Yoshioka, Julian Padget
  • Organizer: Second IEEE International Workshop Oil Requirements Engineering for Systems, Services, and Systems-of-Systems (RESS 2012)
  • Place of Presentation: Chicago, IL, USA
  • Year and Date: 2012-09-25
• [Presentation] Mutual Refinement of Security Requirements and Architecture using Tw in Peaks Model (2012)
  • Author(s): Takao Okubo, Haruhiko Kaiya, Nobukazu Yoshioka
  • Organizer: The 6th IEEE International Workshop on Require ments Engineering for Services
  • Place of Presentation: Izmir, Turkey
  • Year and Date: 2012-07-16
• [Presentation] Goal-Oriented Security Requirements Analysis for a System used in Several Different Activities
  • Author(s): Haruhiko Kaiya, Takao Okubo, Nobuyuki Kanaya, Yuji Suzuki, Shinpei Ogata, Kenji Kaijiri and Nobukazu Yoshioka
  • Organizer: The Third International Workshop on Information Systems Security Engineering
  • Place of Presentation: Spain
• [Presentation] Validating Security Design Pattern Applications Using Model Testing
  • Author(s): Takanori Kobashi, Nobukazu Yoshioka, Takao Okubo, Haruhiko Kaiya, Hironori Washizaki,Yoshiaki Fukazawa
  • Organizer: 2013 International Conference on Availability, Reliability and Security (ARES 2013)
  • Place of Presentation: University of Regensburg, Germany
• [Presentation] Model-Assisted Access Control Implementation for Code-centric Ruby on Rails Web Application Development
  • Author(s): Seiji Munetoh and Nobukazu Yoshioka
  • Organizer: The Eight International Workshop on Frontiers in Availability, Reliability and Security (FARES 2013 )
  • Place of Presentation: University of Regensburg, Germany
• [Presentation] Security Driven Requirements Refinement and Exploration of Architecture with multiple NFR points of view
  • Author(s): Takao Okubo, Nobukazu Yoshioka and Haruhiko Kaiya
  • Organizer: 15th IEEE International Symposium on High Assurance Systems Engineering (HASE 2014)
  • Place of Presentation: Miami, Florida, USA
• [Presentation] Patterns for cloud firewalls
  • Author(s): Eduardo B. Fernandez, Nobukazu Yoshioka and Hironori Washizaki
  • Organizer: 3rd Asian Conference on Pattern Languages of Programs (AsianPLoP 2014)
  • Place of Presentation: 国立情報学研究所（学術総合センター）, 東京
• [Book] Three Misuse Patterns for Cloud Computing, In a book of "Security Engineering for Cloud Computing : Approaches and Tools" (2012)
  • Author(s): Keiko Hashizume, Nobukazu Yoshioka, Eduardo B. Fernandez
  • Total Pages: 18
  • Publisher: IGI Global