Berlin, Germany

Burger J.,TU Dortmund | Jurjens J.,TU Dortmund | Wenzel S.,Fraunhofer ISST
International Journal on Software Tools for Technology Transfer | Year: 2015

Security certification of complex systems requires a high amount of effort. As a particular challenge, today’s systems are increasingly long-living and subject to continuous change. After each change of some part of the system, the whole system needs to be re-certified from scratch (since security properties are not in general modular), which is usually far too much effort. When models for software get changed, this can lead to security weaknesses that are also part of the software system that is derived from those models. Hence, it is important to check the models with respect to security properties and correct them respectively. To address this challenge, we present an approach which not only finds security weaknesses but can also correct them in a tool-supported way. As time goes by, a diverse number of changing requirements that may be security-related and non-security-related lead to an evolving system that met its security requirements at design time but can contain vulnerabilities with respect to meanwhile updated security knowledge. Supported by patterns we can describe and detect potential flaws that may arise in models, such as inconsistencies in security requirements. Potential violations can be formalized in the patterns as well as the correction alternatives to fix these. It is based on graph transformation and can be applied to different types of models and violations. For flaw detection, these patterns are used as the left-hand sides of graph transformation rules. Using graph transformation, we can further correct the models and establish that they no longer violate the security requirements under investigation. The approach is supported by a tool which can check whether these patterns arise in models and assist the user in correcting the security vulnerabilities. © 2014, Springer-Verlag Berlin Heidelberg.

Beckers K.,University of Duisburg - Essen | Schmidt H.,University of Duisburg - Essen | Kuster J.-C.,Fraunhofer ISST | Fassbender S.,TU Dortmund
Proceedings of the 2011 6th International Conference on Availability, Reliability and Security, ARES 2011 | Year: 2011

The ISO 27000 is a well-established series of information security standards. The scope for applying these standards can be an organisation as a whole, single business processes or even an IT application or IT infrastructure. The context establishment and the asset identification are among the first steps to be performed. The quality of the results produced when performing these steps has a crucial influence on the subsequent steps such as identifying loss, vulnerabilities, possible attacks and defining countermeasures. Thus, a context analysis to gather all necessary information in the initial steps is important, but is not offered in the standard. In this paper, we focus on the scope of cloud computing systems and present a way to support the context establishment and the asset identification described in ISO 27005. A cloud system analysis pattern and different kinds of stakeholder templates serve to understand and describe a given cloud development problem, i.e. the envisaged IT systems and the relevant parts of the operational environment. We illustrate our support using an online banking cloud scenario. © 2011 IEEE.

Wenzel S.,TU Dortmund | Wessel C.,TU Dortmund | Humberg T.,Fraunhofer ISST | Jurjens J.,TU Dortmund
CLOSER 2012 - Proceedings of the 2nd International Conference on Cloud Computing and Services Science | Year: 2012

Cloud computing is yet one of the leading developments and depicts the biggest progress in web technologies. It offers a convenient way for using shared and easily accessible resources, in both a web-based and demand-oriented sense. However, cloud computing brings concept-based risks, e.g. the risk of private data becoming publicly available. Outsourcing of services into a cloud computing environment raises numerous compliance and security problems for the potential customer. Legal as well as business requirements have to be met after migration to a cloud environment. Compliance with laws, industry-specific regulations and other rules has to be kept. In this paper we present the research project SecureClouds and our ongoing research towards security and compliance analysis of processes which are to be outsourced into the cloud. We further show a first prototype of an analytic tool-environment that allows us to examine whether outsourcing of a business process is possible while keeping all security and compliance requirements.

Apfelbeck C.,Custom Solution Development | Fritz M.,Custom Solution Development | Jurjens J.,Fraunhofer ISST | Jurjens J.,TU Dortmund | Zweihoff J.,TU Dortmund
Proceedings - International Computer Software and Applications Conference | Year: 2015

In this paper, we develop an approach to preserve validity of executable batch-job specifications during changes at run-time based on Petri-nets. The approach in particular supports changing batch-job specifications while they are being executed, which makes it particularly important to ensure that the change preserves the critical properties. The approach supports verification of the batch-job specifications that are subject to change against these properties and correction of those batch-job specifications that become invalid by the change. The developed approach was implemented and validated in an industrial application context. © 2015 IEEE.

Otto B.,TU Dortmund | Barenfanger R.,University of St. Gallen | Steinbuss S.,Fraunhofer ISST
28th Bled eConference: #eWellbeing - Proceedings | Year: 2015

Digitization is affecting almost all areas of business and society. It brings about opportunities for enterprises to design a digital business model. While a significant amount of research exists examining the conceptual foundation of business models in general, no comprehensive approach is available that helps enterprises in designing a digital business model. This paper addresses this gap and proposes Digital Business Engineering as a method for digital business model design. The activities are structured into six phases, namely End-to-End Customer Design, Business Ecosystem Design, Digital Product/Service Design, Digital Capability Design, Data Mapping, and Digital Technology Architecture Design. The method development follows principles of design-oriented research. Five case studies are used to analyse method requirements and evaluate it within its natural context.
