Abstract:
Many software-intensive systems have significant safety and security ramifications and need to have their associated safety- and security-related requirements properly engineered. Unfortunately, inadequate requirements are a major cause of accidents involving software-intensive systems, and poor security requirements often impede the early incorporation of security concerns into the architecture. In practice, there is very little interaction between the requirements, safety, and security disciplines and little collaboration between their respective communities. Most requirements engineers, safety engineers, and security engineers know little about one another's disciplines. Safety and security engineering typically concentrates on architectures and designs rather than requirements because hazard and threat analysis typically depends on the identification of hardware and software components whose failures can cause accidents and whose vulnerabilities can enable attacks. This leads to safety- and security-related requirements that are often ambiguous, incomplete, and even missing.
This tutorial covers the intersection of safety, security, and requirements engineering. Safety and security have much in common, with related concepts, analysis techniques, and goals: to protect valuable assets from unauthorized harm due to dangers (hazards and threats), which naturally suggests a risk-based approach to requirements analysis. The tutorial begins with a single common realistic example of a safety- and security-critical system that is used throughout to provide good examples of safety- and security-related requirements. The tutorial provides a consistent ontology of safety, security, and requirements concepts, provides clear definitions and descriptions of the different kinds of safety- and security-related requirements, and finishes with a practical process for producing them.
Presenter:
Donald Firesmith is a senior member of the technical staff at the Software Engineering Institute (SEI), working in the Acquisition Support Program, where he helps the US Department of Defense acquire large, complex software-intensive systems. With over 30 years of industry experience, he has published 6 software and system engineering books in the areas of process, method engineering, object orientation, and system architecture engineering. He is currently completing his 7th book, on the engineering of safety- and security-related requirements. He is the primary author of the recently published book The Method Framework for Engineering System Architectures (MFESA). He is the developer of the Quality Assessment of System Architectures and their Requirements (QUASAR) method. He has also published dozens of technical articles, spoken at numerous international conferences, and has been the program chair or on the program committee of several conferences. He has taught several hundred courses in industry and numerous tutorials at conferences. He is also the founding chair of the OPEN Process Framework (OPF) Repository organization, www.opfro.org, which provides the world's largest free open-source website documenting over 1,100 reusable method components.