1 / 23

Capturing, Organizing, and Reusing Knowledge of NFRs: An NFR Pattern Approach

Learn about the TJX incident, the largest credit card theft in history, and explore the importance of capturing, organizing, and reusing knowledge of non-functional requirements (NFRs) to prevent such incidents. This paper presents a pattern approach for managing NFR knowledge.

Download Presentation

Capturing, Organizing, and Reusing Knowledge of NFRs: An NFR Pattern Approach

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Sam Supakkul1 Tom Hill2 Ebenezer Akin Oladimeji3 Lawrence Chung1 1The University of Texas at Dallas 2 EDS, an HP company 3 Verizon Communications Capturing, Organizing, and Reusing Knowledge of NFRs:An NFR Pattern Approach

  2. Security = “bad things to be prevented” * The TJX incident, the largest credit card theft in history • To prevent such incident, we need to know: • Meaning of credit card security? • Problems suffered by TJX? • Root causes of those problems? • Mitigation alternatives of the problems and their causes? • Choosing and developing the mitigations with consideration of other organizational needs? * C. Haley and B. Nuseibeh, IEEE TSE, 2008

  3. Difficult to get technical details from case reports The TJX case attack scenario • Developed after: • reading over 30 articles • studying computer security • educated assumptions Problem: Lack of security knowledge

  4. Problem: Difficult to possess necessary NFRs related knowledge

  5. A solution: Applying NFRs knowledge captured as patterns

  6. Goal Pattern Name: FISMA Security Objectives Objective: refine Security Domain: <none> Model: Known uses: FISMA, US military Goal pattern captures a definition of an NFR

  7. Problem pattern Name: TJX Security Problems Domain: Objective: break Privacy[Payment card info] Model: Experiences: TJX Problem pattern captures an undesirable situation that can hurt an NFR

  8. Causal Attribution Pattern Name: Unauthorized Server Access Causes Domain: <none> Objective: make Unauthorized Access [Server] Model: Experiences: TJX Causal Attribution pattern captures causes and root causes of a problem

  9. Problem classification Undesirable situation Undesirable operation Vulnerability

  10. Problem mitigation classification Prevent/limit the effect on the goal Undesirable situation Prevent the operation from causing the undesirable situation Undesirable operation Prevent the operation from being realized Vulnerability Change environment to that with more acceptable risks

  11. Solution Alternatives Pattern Name: Unauthorized Server Access Mitigation Domain: <none> Objective: hurt Unauthorized access [server] Model: Experiences: Name: Masquerading User Login Mitigation Domain: <none> Objective: break Masquerading user login Model: Experiences: Name: Clear text ID/password Mitigation Domain: <none> Objective: break Clear text ID/password Mitigation Model: Experiences:

  12. Alternatives Selection Pattern select select select Name: Usability Driven Unauthorized Server Access Mitigation Domain: Objective: select Unauthorized Server Access Mitigation, Masquerading User Login Mitigation, Clear Text ID/Password Mitigation Model: Experiences:

  13. Result of a selection pattern Goal Pattern Problem Pattern Casual Pattern Alternatives Patterns project Selection Pattern

  14. Requirements Pattern What are requirements?

  15. Requirements Requirement Specification Program World Machine Assumption Requirements “requirements that indicate what the customer needs from the system, described in terms of its effect on the environment” [Gunter, Gunter, Jackson, Zave, IEEE Software 2000] Problem Frames Specifications Requirements Requirements [R. Seater, D. Jackson, IWAAPF’06] Goals assignable to agents in the software-to-be [van Lamsweerde, ICSE00]

  16. Requirements Pattern Name: Strong password requirements Domain: Objective: make Non-dictionary password, Frequently changed password Model: Experiences:

  17. Pattern organization

  18. Pattern specialization • Properties • Specialization of context/topic • More restrictive content

  19. Pattern aggregation Pre-assembled patterns into an aggregate pattern -Ready-to-use -More cohesive knowledge -Narrower applicability • Manual application of multiple patterns • Know which patterns to use • Know which order to apply • But flexible

  20. Pattern classification/meta-pattern [Supakkul, Hill, Oladimeji, Chung, PLoP09]

  21. Pattern operations Search operation Apply operation Examples of the apply operation

  22. Conclusion • Contributions • Capturing and reusing different kinds of NFR knowledge using patterns • Organization of patterns along the 3 dim. • Future work • More precise definition of the concepts • Tool support to verify the concepts • More case studies to validate the general applicability for other NFRs

  23. Capturing, Organizing, and Reusing Knowledge of NFRs:An NFR Pattern Approach Sam Supakkul1 Tom Hill2 Ebenezer Akin Oladimeji3 Lawrence Chung1 1The University of Texas at Dallas 2 EDS, an HP company 3 Verizon Communications Thank you

More Related