Identifiers
Title variants
Publication languages
Abstracts
Background: Security has become more of a concern with the wide deployment of Internet-of-Things (IoT) devices. The importance of addressing security risks early in the development lifecycle, before pushing to market, cannot be overemphasized. Aim: To this end, we propose a conceptual framework to help with identifying security concerns early in the product development lifecycle for the Internet of Things, which we refer to as SIoT (Security for Internet-of-Things). Method: The framework adopts well-known security engineering approaches and best practices, and systematically builds on existing research work on IoT architecture. Results: Practitioners at a Norwegian start-up company evaluated the framework and found it useful as a foundation for addressing critical security concerns for IoT applications early in the development lifecycle. The output from using the framework can be a checklist that can be used as input during security requirements engineering activities for IoT applications. Conclusions: However, security is a multi-faceted concept; therefore, users of the SIoT framework should not view the framework as a panacea for all security threats. The framework may need to be refined in the future, particularly to improve its completeness to cover various IoT contexts.
Journal
Year
Volume
Pages
77--95
Physical description
Bibliography: 51 items, tables, figures.
Authors
author
- The Maersk Mc-Kinney Moller Institute, University of Southern Denmark, Software Engineering, Denmark / Software Improvement Group, SIG Nordics
author
- School of Business, University of South Eastern Norway, Norway, Department of Business and IT
Bibliography
- 1. S. Lucero, “IoT platforms: Enabling the Internet of Things,” IHS Technology, Whitepaper, 2016. [Online]. https://www.esparkinfo.com/wp-content/uploads/2018/11/enabling-IOT.pdf
- 2. L. Chung, B.A. Nixon, E. Yu, and J. Mylopoulos, Non-Functional Requirements in Software Engineering, International Series in Software Engineering. Springer, 2000. [Online]. https://www.springer.com/gp/book/9780792386667
- 3. A. Olmsted, “Secure software development through non-functional requirements modeling,” in International Conference on Information Society (i-Society), 2016, pp. 22–27.
- 4. S. Myagmar, A.J. Lee, and W. Yurcik, “Threat modeling as a basis for security requirements,” in Proceedings of the IEEE Symposium on Requirements Engineering for Information Security, 2005.
- 5. F. Swiderski and W. Snyder, Threat Modeling. Microsoft Press, 2004.
- 6. A.N. Duc, R. Jabangwe, P. Paul, and P. Abrahamsson, “Security challenges in IoT development: A software engineering perspective,” in Proceedings of the XP2017 Scientific Workshops, XP ’17. ACM, 2017, pp. 11:1–11:5.
- 7. A.S. Sani, D. Yuan, J. Jin, L. Gao, S. Yu, and Z.Y. Dong, “Cyber security framework for internet of things-based energy internet,” Future Generation Computer Systems, Vol. 93, No. 4, 2019, pp. 849–859.
- 8. I. Jacobson, I. Spence, and P.W. Ng, “Is there a single method for the internet of things?” Queue, Vol. 60, No. 11, 2017.
- 9. P. Patel and D. Cassou, “Enabling high-level application development for the Internet of Things,” Journal of Systems and Software, Vol. 103, 2015, pp. 62–84.
- 10. B. Morin, N. Harrand, and F. Fleurey, “Model-based software engineering to tame the IoT jungle,” IEEE Software, Vol. 34, No. 1, 2017, pp. 30–36.
- 11. K. Meridji, K.T. Al-Sarayreh, A. Abran, and S. Trudel, “System security requirements: A framework for early identification, specification and measurement of related software requirements,” Computer Standards and Interfaces, Vol. 66, 2019, p. 103346.
- 12. M. Ammar, G. Russello, and B. Crispo, “Internet of things: A survey on the security of IoT frameworks,” Journal of Information Security and Applications, Vol. 38, 2018, pp. 8–27. [Online]. http://www.sciencedirect.com/science/article/pii/S2214212617302934
- 13. P. Devanbu and S. Stubblebine, “Software engineering for security: A roadmap,” in ICSE ’00: Proceedings of the Conference on The Future of Software Engineering, 2000. [Online]. https://www.researchgate.net/publication/2393383_Software_Engineering_for_Security_a_Roadmap
- 14. N. Mead, “Security quality requirements engineering (SQUARE),” Software Engineering Institute, Tech. Rep., 2011.
- 15. G. Sindre and A.L. Opdahl, “Eliciting security requirements with misuse cases,” Requirements Engineering, Vol. 10, No. 1, 2005, pp. 34–44.
- 16. A. van Lamsweerde, “Elaborating security requirements by construction of intentional anti-models,” in Proceedings of the 26th International Conference on Software Engineering, 2004, pp. 148–157.
- 17. Y. Yu, H. Kaiya, H. Washizaki, Y. Xiong, Z. Hu, and N. Yoshioka, “Enforcing a security pattern in stakeholder goal models,” in Proceedings of the 4th ACM Workshop on Quality of Protection, 2008, pp. 9–14.
- 18. S.H. Adelyar and A. Norta, “Towards a secure agile software development process,” in 10th International Conference on the Quality of Information and Communications Technology (QUATIC), 2016, pp. 101–106.
- 19. K. Beznosov, “eXtreme security engineering: On employing XP practices to achieve ‘good enough security’ without defining it,” in First ACM Workshop on Business Driven Security Engineering (BizSec), 2005.
- 20. I. Ghani and N.I.A. Firdaus, “Role-based extreme programming (XP) for secure software development,” in Special Issue – Agile Symposium, 2013.
- 21. M.R.R. Ramesh and A. Tadepalligudem, “A survey on security requirement elicitation methods: Classification, merits and demerits,” International Journal of Applied Engineering Research, 2016.
- 22. Q. Jing, A.V. Vasilakos, J. Wan, J. Lu, and D. Qiu, “Security of the Internet of Things: Perspectives and challenges,” Wireless Networks, 2014.
- 23. F. Wortmann and K. Fluchter, “Internet of Things,” Business and Information Systems Engineering, Vol. 57, No. 3, 2015, pp. 221–224.
- 24. H.J. La and S.D. Kim, “A service-based approach to designing cyber physical systems,” in IEEE/ACIS 9th International Conference on Computer and Information Science, 2010, pp. 895–900.
- 25. S. Babar, A. Stango, N. Prasad, J. Sen, and R. Prasad, “Proposed embedded security framework for internet of things (IoT),” in 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace Electronic Systems Technology (Wireless VITAE), 2011, pp. 1–5.
- 26. A. Jacobsson, M. Boldt, and B. Carlsson, “A risk analysis of a smart home automation system,” Future Generation Computer Systems, Vol. 56, 2016, pp. 719–733.
- 27. G. Gan, Z. Lu, and J. Jiang, “Internet of things security analysis,” in International Conference on Internet Technology and Applications, 2011, pp. 1–4.
- 28. A.W. Atamli and A. Martin, “Threat-based security analysis for the internet of things,” in International Workshop on Secure Internet of Things, 2014, pp. 35–43.
- 29. D.H. Kim, J.Y. Cho, S. Kim, and J. Lim, A Study of Developing Security Requirements for Internet of Things (IoT), 2015. [Online]. https://www.semanticscholar.org/paper/A-Study-of-Developing-Security-Requirements-for-of-Kim-Cho/
- 30. R.L. Kissel, Ed., Glossary of Key Information Security Terms. National Institute of Standards and Technology, 2013. [Online]. https://www.nist.gov/publications/glossary-key-information-security-terms-1
- 31. G. Stoneburner, “Underlying technical models for information technology security,” National Institute of Standards and Technology, Tech. Rep. 800-33, 2001.
- 32. A. Shostack, Threat Modeling: Designing for Security. Wiley, 2014.
- 33. A. Nguyen Duc, K. Khalid, T. Lønnestad, S. Bajwa Shahid, X. Wang, and P. Abrahamsson, “How do startups develop internet-of-things systems – A multiple exploratory case study,” in IEEE/ACM International Conference on Software and System Processes (ICSSP), 2019, pp. 74–83.
- 34. A. Nguyen-Duc, X. Weng, and P. Abrahamsson, “A preliminary study of agility in business and production: Cases of early-stage hardware startups,” in Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, ESEM ’18. ACM, 2018, pp. 51:1–51:4.
- 35. A. Nguyen-Duc, S.M.A. Shah, and P. Abrahamsson, “Towards an early stage software startups evolution model,” in 42nd Euromicro Conference on Software Engineering and Advanced Applications (SEAA), 2016, pp. 120–127.
- 36. M. Hassanalieragh, A. Page, T. Soyata, G. Sharma, M. Aktas, G. Mateos, B. Kantarci, and S. Andreescu, “Health monitoring and management using Internet-of-Things (IoT) sensing with cloud-based processing: Opportunities and challenges,” in IEEE International Conference on Services Computing, 2015, pp. 285–292.
- 37. X. Sun and C. Wang, “The research of security technology in the internet of things,” in Advances in Computer Science, Intelligent System and Environment, Advances in Intelligent and Soft Computing, D. Jin and S. Lin, Eds. Springer, 2011, pp. 113–119.
- 38. H. Suo, J. Wan, C. Zou, and J. Liu, “Security in the internet of things: A review,” in International Conference on Computer Science and Electronics Engineering, Vol. 3, 2012, pp. 648–651.
- 39. National Institute of Standards and Technology, “Standards for security categorization of federal information and information systems,” U.S. Department of Commerce, Tech. Rep. Federal Information Processing Standard (FIPS) 199, 2004.
- 40. F.Y. Sattarova and T.H. Kim, “IT security review: Privacy, protection, access control, assurance and system security,” International Journal of Multimedia and Ubiquitous Engineering, Vol. 2, No. 2, 2007, pp. 17–31.
- 41. L. Bass, P. Clements, and R. Kazman, Software Architecture in Practice. Addison-Wesley, 2003.
- 42. D. Fischer, B. Markscheffel, S. Frosch, and D. Buettner, “A survey of threats and security measures for data transmission over GSM/UMTS networks,” in International Conference for Internet Technology and Secured Transactions, 2012, pp. 477–482.
- 43. M. Scholl, K. Stine, J. Hash, P. Bowen, L. Johnson, C. Smith, and D. Steinberg, “An introductory resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule,” National Institute of Standards and Technology, Tech. Rep. 800-66, 2008. [Online]. https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final
- 44. K. Scarfone, D. Dicoi, M. Sexton, C. Tibbs, and C.M. Gutierrez, “Guide to securing legacy IEEE 802.11 wireless networks recommendations of the national,” NIST, Tech. Rep. 800-48 Rev 1, 2008.
- 45. D. Gislason, Zigbee Wireless Networking. Newnes, 2008.
- 46. P. Mell and T. Grance, “The NIST definition of cloud computing,” National Institute of Standards and Technology, Tech. Rep. 800-145, 2011.
- 47. S. Caplan, “Using focus group methodology for ergonomic design,” Ergonomics, Vol. 33, No. 5, 1990, pp. 527–533.
- 48. K. Garmer, J. Ylven, and M. Karlsson, “User participation in requirements elicitation comparing focus group interviews and usability tests for eliciting usability requirements for medical equipment: A case study,” International Journal of Industrial Ergonomics, Vol. 33, No. 2, 2004, pp. 85–98. [Online]. http://www.sciencedirect.com/science/article/pii/S0169814103001318
- 49. H. Edmunds, Focus Group Research Handbook. McGraw-Hill, 2000.
- 50. P. Salini and S. Kanmani, “Survey and analysis on security requirements engineering,” Computers and Electrical Engineering, Vol. 38, No. 6, 2012, pp. 1785–1797. [Online]. http://www.sciencedirect.com/science/article/pii/S0045790612001644
- 51. M. Sliger, Agile Project Management with Scrum. Project Management Institute, 2011.
Notes
Record prepared with funds from the Polish Ministry of Science and Higher Education (MNiSW), agreement No. 461252, under the programme "Społeczna odpowiedzialność nauki" (Social Responsibility of Science) - module: Popularisation of science and promotion of sport (2020).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-21e6a37d-99f5-4b1e-b411-b0c09a7eb530