Secure software design and development: towards practical models for implementing information security into the requirements engineering process

The aim of the requirements engineering process is to collect the ideas and needs of the parties identified as stakeholders of a product or service and refine them into solutions. These solutions remove problems in the customer's business and produce added value. In software development, currently...

Bibliographic Details
Main Authors: Väyrynen, Aino-Maria, Räisänen, Elina
Other Authors: Informaatioteknologian tiedekunta, Faculty of Information Technology, Informaatioteknologia, Information Technology, Jyväskylän yliopisto, University of Jyväskylä
Format: Master's thesis
Language: eng
Published: 2020
Subjects:
Online Access: https://jyx.jyu.fi/handle/123456789/69275
_version_ 1826225754833158144
author Väyrynen, Aino-Maria Räisänen, Elina
author2 Informaatioteknologian tiedekunta Faculty of Information Technology Informaatioteknologia Information Technology Jyväskylän yliopisto University of Jyväskylä
author_facet Väyrynen, Aino-Maria Räisänen, Elina Informaatioteknologian tiedekunta Faculty of Information Technology Informaatioteknologia Information Technology Jyväskylän yliopisto University of Jyväskylä
author_sort Väyrynen, Aino-Maria
datasource_str_mv jyx
description The aim of the Requirements Engineering (RE) process is to elicit and refine into a solution the ideas and needs from identified stakeholders of a product or a service. These solve problems in customer business while bringing added value. Software development’s central theme is software’s security. It has been studied abundantly but its usage and implementation are often problematic and deficient. Software threats and risks evolve continuously, and vulnerabilities from software’s development are discovered and exploited in new ways. Software development should invest into information security as a part of requirements engineering processes’ continuous development. This process should encompass the entire product lifecycle and consider post-launch phases where the on-market product is further developed. Requirements should be reviewed iteratively to keep current and adapt to the changing threats and risks in the software. The research objective was to create a suitable model for the commissioner (a large manufacturer of physical security products in Finland) which would adapt information security as an integral part of the software development and thus produce more secure software. Two stages of action research were applied to problem solving. The first step was to create the theoretical background for requirements engineering and information security. After that, the current situation analysis was initiated, and document analysis was used to map out the organizational operating environment with a focus on the requirements engineering process model and the stakeholders utilizing it. These results formed the foundation for the interviews, where the problems of the requirements engineering process were surveyed. Results were analyzed with coding and categorizing. A second part of the diagnosis was a comparative study, which was utilized to discover suitable practices to form the needed elements for the model. The resulting change recommendations from the interviews were combined with suitable practices from the field. This combination formed a model for information security in RE process and it will be later implemented by the commissioner. The model has a novelty value because it merges agile development practices with the idea of threat and risk modelling, which is still an understudied subject. Additionally, both components work as a part of a linear RE process.
first_indexed 2024-09-11T08:49:31Z
format Pro gradu
free_online_boolean 1
fullrecord
dc.contributor.advisor: Siponen, Mikko
dc.contributor.author: Väyrynen, Aino-Maria
dc.contributor.author: Räisänen, Elina
dc.date.accessioned: 2020-05-28T10:40:52Z
dc.date.available: 2020-05-28T10:40:52Z
dc.date.issued: 2020
dc.identifier.uri: https://jyx.jyu.fi/handle/123456789/69275
dc.description.provenance (en): Submitted by Paivi Vuorio (paelvuor@jyu.fi) on 2020-05-28T10:40:51Z; No. of bitstreams: 0
dc.description.provenance (en): Made available in DSpace on 2020-05-28T10:40:52Z (GMT). No. of bitstreams: 0; Previous issue date: 2020
dc.format.extent: 125
dc.format.mimetype: application/pdf
dc.language.iso: eng
dc.rights (en): In Copyright
dc.subject.other: security requirements
dc.subject.other: turvallisuusvaatimukset
dc.title: Secure software design and development : towards practical models for implementing information security into the requirements engineering process
dc.type: master thesis
dc.identifier.urn: URN:NBN:fi:jyu-202005283532
dc.type.ontasot (fi): Pro gradu -tutkielma
dc.type.ontasot (en): Master’s thesis
dc.contributor.faculty (fi): Informaatioteknologian tiedekunta
dc.contributor.faculty (en): Faculty of Information Technology
dc.contributor.department (fi): Informaatioteknologia
dc.contributor.department (en): Information Technology
dc.contributor.organization (fi): Jyväskylän yliopisto
dc.contributor.organization (en): University of Jyväskylä
dc.subject.discipline (fi): Tietojenkäsittelytiede
dc.subject.discipline (en): Computer Science
yvv.contractresearch.collaborator: business
yvv.contractresearch.funding: 0
yvv.contractresearch.initiative: business
dc.type.coar: http://purl.org/coar/resource_type/c_bdcc
dc.rights.accesslevel: openAccess
dc.type.publication: masterThesis
dc.subject.oppiainekoodi: 601
dc.subject.yso: vaatimusmäärittelyt
dc.subject.yso: tietoturva
dc.subject.yso: kyberturvallisuus
dc.subject.yso: ohjelmistokehitys
dc.subject.yso: vaatimustenhallinta
dc.subject.yso: requirement specifications
dc.subject.yso: data security
dc.subject.yso: cyber security
dc.subject.yso: software development
dc.subject.yso: requirements engineering
dc.format.content: fulltext
dc.rights.url: https://rightsstatements.org/page/InC/1.0/
dc.type.okm: G2
id jyx.123456789_69275
language eng
last_indexed 2025-02-18T10:56:18Z
main_date 2020-01-01T00:00:00Z
main_date_str 2020
online_boolean 1
online_urls_str_mv {"url":"https:\/\/jyx.jyu.fi\/bitstreams\/3ab870ab-8be7-49a4-a2c3-cb95ba4d3dd9\/download","text":"URN:NBN:fi:jyu-202005283532.pdf","source":"jyx","mediaType":"application\/pdf"}
publishDate 2020
record_format qdc
source_str_mv jyx
title Secure software design and development : towards practical models for implementing information security into the requirements engineering process
title_full Secure software design and development : towards practical models for implementing information security into the requirements engineering process
title_fullStr Secure software design and development : towards practical models for implementing information security into the requirements engineering process
title_full_unstemmed Secure software design and development : towards practical models for implementing information security into the requirements engineering process
title_short Secure software design and development
title_sort secure software design and development towards practical models for implementing information security into the requirements engineering process
title_sub towards practical models for implementing information security into the requirements engineering process
title_txtP Secure software design and development : towards practical models for implementing information security into the requirements engineering process
topic security requirements turvallisuusvaatimukset Tietojenkäsittelytiede Computer Science 601 vaatimusmäärittelyt tietoturva kyberturvallisuus ohjelmistokehitys vaatimustenhallinta requirement specifications data security cyber security software development requirements engineering
topic_facet 601 Computer Science Tietojenkäsittelytiede cyber security data security kyberturvallisuus ohjelmistokehitys requirement specifications requirements engineering security requirements software development tietoturva turvallisuusvaatimukset vaatimusmäärittelyt vaatimustenhallinta
url https://jyx.jyu.fi/handle/123456789/69275 http://www.urn.fi/URN:NBN:fi:jyu-202005283532