Software Vulnerabilities, Prevention and Detection Methods: A Review [PDF
Willy Jimenez, Amel Mammar, Ana Cavalli (Télécom SudParis)
A qualitative evaluation of model-based security activitiesfor software development [PDF
Erkuden Rios (European Software Institute),
Per Håkon Meland (SINTEF), Shanai Ardi (Linköping
University), Alessandra Bagnato (TXT e-solutions),
JosteinJensen (SINTEF), Wissam Mallouli
(Montimage), Fabio Raiteri (TXT e-solutions), Txus
Sanchez (European Software Institute), Inger Anne
Automatic Generation of Security-Aware GUI Models [PPT
Michael Schläpfer, Marina Egea, David Basin
(ETH Zürich) and Manuel Clavel (IMDEA Software
Institute,Universidad Complutense de
|| KEYNOTE speaker
Model-based Security Engineering for Evolving Systems [PDF
Jan Jurjens, Open University (UK) and
Toward model-based security engineering: developing asecurity analysis DSML [PPT
Véronique Normand and EdithFélix (Thales
Research & Technology)
From Security Modelling to Run-time SecurityMonitoring [PDF
Antti Evesti, Eila Ovaska and Reijo
Savola(VTT Technical Research Centre of
|| Round Table Discussion Panel
Evesti Antti ,Reijo Savola
- Alessandra Bagnato, TXT e-solutions (Italy)
- Per Håkon Meland, SINTEF (Norway)
- Erkuden Rios, European Software Institute (Spain)
- Bernhard Rumpe, RWTH Aachen University (Germany)
- Nahid Shahmehri, Linköping University (Sweden)
Software security and reliability is rapidly becoming one of the most pressing issues in software engineering since software has become a critical component in almost all systems that society relies on. The level of risk the society faces from intentional or unintentional failures in these systems has increased in an almost uncontrolled fashion:
- With software controlling, protecting, and affecting more and more critical information and systems, the consequences of failure has increased significantly.
- As software becomes more complex, it tends to contain more flaws, and as it becomes more networked, its exposure to potential adversaries increases.
- Software-intensive systems are increasingly becoming viable financial and political targets for well-funded and well-motivated attackers, thus increasing the overall threat tothese systems.
Today, security is often an afterthought when developing software, rarely included in the early phases of software development, and mostly focused on detecting problems,rather than on preventing them in the first place.
Despite a rash of new programming paradigms, methodologies, and development environments, the ever increasing number of vulnerabilities found in softwareclearly shows that a different approach is called for.Software developers use models extensively, particularly in the early phases of software development, in order to improve software quality.
This workshop would like to discuss how software security can be improved through the MDA approach.
The main discussion topics will be:
- How security specialists can capture their security expertise in form of reusable models, in particular threat and vulnerability models
- How the security requirements and goals can be traced all along the development process
- How security models and profiles can be merged with system models in different abstraction levels
- How security models can be shared and reused
- How developers can benefit from these reusable models for specification and design (e.g. through sharing tool artifacts such as security design patterns)
- How security testing can be improved through security models.
- Which are the requirements on tools to support the creation, transformation and use of security models.
The workshop will try to bring together people from both academia and industry, from all the different areas that want to/might play an active role in domain of security solutions and issue in MDA, to discuss problems, highlight possible solutions, disseminate success stories and also draft a possible research agenda.
The workshop addresses problems and solutions for Security in MDA. The topics of interest include, but are not restricted to:
- Security Modelling
- Security requirements tracking in MDA
- Model-based security testing
- Transformation of model-based security knowledge
- Interoperability between security models
- Platform dependent and platform independent models for security solutions
- Model-based behavior analysis
- Security Tools using security models
- Security design patterns in MDA
- Abuse and Misuse cases
- Standards for modeling and sharing vulnerabilities and security issue knowledge
- Standards for storing and querying vulnerabilities and security issue knowledge bases
- Requirements for new security improved tools
- Security models and design patterns integration within IDE
The workshop is open to contributions that focus on the "broad" spectrum on security in MDA related activities and in particular industrialexperience report, progress, new methods and solutions in that context.
We would like to invite papers that explain and exemplify relevant issues and problems related to the security and reliability incomplex software systems in MDA context,papers that present established solutions to well-known problems and also papers that discuss success stories.
In all these cases, we expect well-focused contributions to help participants understand problems, open issues, and available solutions, and also to foster rich and fruitful discussions.
The emphasis should be on defining and setting problems, on technical details of proposed solutions, or on the rationale behind success stories.Papers should be written in Springer LNCS style and limited to 10 pages (see http://www.springer.de/comp/lncs/authors.html for details). The emphasis should be on defining and setting problems, on technical details of proposed solutions, or on the rationale behind success stories. As the workshop will apply double-blind reviews process, the papers should not indicate their authors. Submissions should be sent by email attachment (Word format) to alessandra.bagnato <at> txt.it.
The paper selection will be based upon the relevance of a paper to the main topics, on its quality and on the potential to stimulate discussion in the workshop. Accepted papers will be published in Workshop proceedings CTIT Proceedings series available in the Faculty of Electrical Engineering, Mathematics & Computer Science University of Twente (ISBN number to be communicated).
Important dates (tentative)
- Paper submission: 23 April 2009
- Notification of acceptance: 1 May 2009
- Final manuscript due: 15 May 2009
- Workshop: 24 June 2009
- Habtamu Abie, Norwegian Computing Center
- Alessandra Bagnato, TXT e-solutions
- Ruth Breu, University of Insbruck
- Ana Cavalli, Telecom SudParis (France)
- Estíbaliz Delgado, European Software Institute
- Marina Egea Gonzalez, ETH Zürich
- Jan Jurjens, Computing Department, The Open University
- Filippo Lanubile, Università degli Studi di Bari
- Xabier Larrucea, European Software Institute
- Amel Mammar, Telecom SudParis (France)
- Jason Xabier Mansell, European Software Insitute
- Per Håkon Meland, SINTEF
- Matteo Meucci, OWASP-Italy Chair, OWASP Testing Guide lead
- Charles Bastos Rodriguez, Atos Research & Innovation Security Unit
- Bernhard Rumpe, RWTH Aachen University
- Nahid Shahmehri, Linköping University
- Ståle Walderhaug, SINTEF