
An Information Security Engineering Paradigm for Overcoming Information Security Crisis

Yeun-hee Jei, Ick-whan Bae, Sung-ja Choi and Gang-soo Lee
Dept. of Computer Engineering, Hannam University, Dae-jeon, 306-791, KOREA
gslee@eve.hannam.ac.kr
Abstract

The information security crisis should be overcome by means of an information security engineering paradigm. However, the definition, approach and paradigm of security engineering are not yet clear. In this paper we survey definitions of security engineering and propose a new definition and paradigm. Approaches and research topics on security engineering for overcoming the security crisis are modeled and described. The results of the paper are useful for establishing consensus on security engineering in the information security and cryptography community.

1 Introduction

Information security engineering has become a frequently and confusingly used term in the computer engineering, software engineering and Web engineering communities. However, the meaning of the term varies so widely with the user's context, viewpoint and background that it causes confusion in the security community. Thus we need a common definition of security engineering, as well as a new security engineering paradigm and technologies. Moreover, it is very hard to distinguish computer science from computer engineering, and likewise security science (or cryptography) from security engineering. Computer and information security are so interdisciplinary that they cannot easily be classified as either science or engineering. Information security in particular is an interdisciplinary subject converging computer science, mathematics, physics, law, physiology, and so on. Stakeholders in the information security area, such as researchers, developers, policy makers, managers, administrators and advisers, have such varied viewpoints, paradigms and technical backgrounds that there is a communication problem among them. To cope with these problems, we survey definitions and paradigms of security engineering and propose a new definition and paradigm of security engineering in terms of the security crisis and software engineering. Then we model and propose research topics on security engineering. Our research objective is to firmly construct the disciplinary structure of the subject of security engineering. The problem of the security crisis, which is the motivation for developing security engineering, is presented in Section 2. Our survey results, definition and paradigm of security engineering are presented in Section 3. A model and proposed research topics are presented in Section 4. Finally, Section 5 gives discussion and conclusions.

2 The Security Crisis


2.1 The software crisis and the web crisis
Software engineering, which is composed of Structured Software Engineering (SSE), Object-oriented Software Engineering (OOSE) and Component-based Software Engineering (CBSE), is a technology for overcoming the software crisis of the late 1960s [1]. However, the software crisis is not over yet. Note that the software crisis means a state of delay, cost overrun and poor quality in the development of software, together with increasing maintenance cost. In the late 1990s the web crisis arose, which means a state of delay, cost overrun and poor quality in the development of web systems, because of brute-force development of web systems. Thus research and development on web engineering began by applying software engineering technology, management, economics, psychology, industrial design, etc. [2], [3], [4]. For example, optimal (cost-effective) decisions on the capacity of web and DB servers, response time, number of concurrently connected users and size of communication bandwidth are activities of web engineering. Fig. 1 presents the three crises and the relationship among software engineering, web engineering and security engineering.

2006 International Conference on Hybrid Information Technology (ICHIT'06) 0-7695-2674-8/06 $20.00 2006

Fig. 1. Software engineering, web engineering and security engineering

2.2 The security crisis

Many security products (e.g., firewall, VPN, IDS) and security systems, that is, integrated information systems implemented using security products, have been developed without systematic and formal requirement analysis/modeling, design, implementation and test phases. The developer's major target is only implementation (coding) of the product. Thus developers did not use engineering (especially software engineering) technology, resulting in poor formality of product and documentation. Additionally, many developers built security products without quality (i.e., security) management, relying on their implementation skill (e.g., use of visual tools, cryptographic libraries, DB connectivity libraries, Web applications). Thus security assurance is hard. Most security systems are implemented using cryptographic libraries or components (e.g., the cryptographic modules in OpenSSL), non-assured commercial software development tools (e.g., JBuilder, PowerBuilder, Visual Basic, Delphi, and so on) and various libraries (communication, DB connectivity, GUI, cryptographic). Therefore, there are the following problems:

- Deteriorating quality of information security products and systems: poor security, availability and reliability
- Declining productivity of the product: excess and delay of development cost and time
- Increasing maintenance cost: decreasing security due to modification and change
- Over-protection: protection cost is larger than the value of the asset to be protected

These problems are the phenomenon of the security crisis, which is similar to the conventional software crisis and web crisis. Thus security engineering technology is strongly needed to overcome the security crisis, just as software engineering and web engineering are needed to overcome the software and web crises, respectively.

3 Definition and Viewpoint of Security Engineering


3.1 Conventional definitions of security engineering

Howe first used the term security engineering in 1992 with the following definition: "System security engineering is defined as an empirically based methodology for composing and evaluating systems within a structure of standards and which encompasses operation as well as planning, design, implementation and operation" [5]. We have surveyed definitions and approaches of security engineering in the following references: Howe [5], Anderson [6], SSE-CMM (System Security Engineering Capability Maturity Model) [7], OPF (Open Process Framework) [10], ISSE (Information Systems Security Engineering) [11], Wikipedia [9], Devanbu-Stubblebine-Shreyas [13], [14], Vaughan-Henning [15], Scheumacher [16], Amoroso [17] and Kim-Kwon [26]. The definitions in these references are listed in a paper [25]. From analysis of the conventional definitions, the common approaches of security engineering are shown in Table 1.
Table 1. Common approach of conventional security engineering definitions

Common approach of security engineering | Definitions
Evolving discipline: There is no common definition of Security Engineering. Security engineering is an evolving discipline. As such, a precise definition with community consensus does not exist today. | all
Whole life-cycle: Security engineering covers the overall development process (life-cycle). | Howe, Anderson, SSE-CMM, ISSE, Vaughan-Henning
Risk management: Security engineering takes the same approach as risk management (identification, evaluation, analysis). | OPF, SSE-CMM, Vaughan-Henning, Scheumacher
Engineering: Security engineering has the "principle of optimality" and cost-effective solutions. | Scheumacher, OPF
Inter-disciplinary subject: Security engineering is an inter-disciplinary subject with technology from computer engineering/science, cryptography, mathematics, physics, law, economics, physiology, and so on. | Anderson, SSE-CMM, Wikipedia
Software engineering approach: Security engineering is an application of both system engineering and software engineering. | Anderson, SSE-CMM, Devanbu-Stubblebine-Shreyas, Vaughan-Henning, Kim-Kwon

3.2 A new definition of security engineering

Security engineering is defined as a set of methodologies and technologies for the fast and cheap development and operation (i.e., maintenance) of high-quality (i.e., secure) security systems (or information security systems) by applying cryptology, information security technology and software engineering. Security engineering covers all phases of the life-cycle of a security system, namely requirement analysis, design, implementation, testing and maintenance. Note that security engineering is a systematic development technology for security systems. A security system is an information system developed using security products such as intrusion detection systems, firewalls, smart cards and anti-virus products.

3.3 View on security engineering

(1) Common objects of engineering

Most engineering subjects, including security engineering, electrical, mechanical, civil, chemical, system and bio-medical engineering, have the following common objects:

- Standard and assurance: All material, processes, products and quality should be standardized by standards organizations (e.g., ISO/IEC, ANSI, BS, KS, JIS) and be assured by an evaluation and certification authority. For example, in security engineering, cryptographic algorithms (e.g., DES, AES, and so on) and cryptographic protocols (e.g., SET, SSL) should be standardized and assured.
- Quantification: Development and maintenance cost and time, quality of product and man-months should be quantifiably measured, so that they can be controlled and managed. In security engineering, evaluation assurance level, risk level, reliability and security strength should be quantifiably measured.
- Cost-effectiveness: We should maximize the return on investment, which is the principle of economics.
- User centric: Output or product should be useful for the end user.
- Effectiveness: All solutions should be practical and feasible, even if they are not optimal solutions.
- Documentation: All material, processes, products and quality should be formally documented.

(2) Relating technology

Security engineering technology has the following related technologies:

- Information security technology: cryptography, cryptographic protocols, security services (e.g., non-repudiation, authentication, access control, and so on) and conventional information security technology
- Software engineering technology: architecture technology for cryptographic objects or components
- Security evaluation technology: information security system evaluation (or assessment) and authentication technology
- Security management technology: organizational security management technology, security policy technology, risk evaluation technology, and so on

Additionally there are two approaches relating security engineering and software engineering:

- Security engineering for software: Security engineering and cryptographic technologies are used for the purpose of protecting the source code of software. Copyright protection technology such as digital watermarking, DRM technology, and so on is an example.
- Software engineering for security: This is the narrow view of security engineering. Conventional software technologies are applied to security engineering. Note that security engineering is an instance of software engineering.

(3) Principles on security engineering

- Minimization of development cost and development duration in security product development.
- Maximization of quality (security, usability, maintainability, and so on) of a developed security product.
- Providing just as much assurance level and security function as is needed in security system construction.
- Obtaining maximum security strength at minimum cost in security system construction.

4 Approaches on Security Engineering


4.1 Security requirement engineering
In the software engineering paradigm, requirement engineering is defined as follows [28]: "The process of studying user needs to arrive at a definition of system, HW, or SW requirements ... [where a requirement is defined as] (1) A condition or capability needed by a user to solve a problem or achieve an objective; (2) A condition or capability that must be met or possessed by a system or system component to satisfy a contract, standard, specification, or other formally imposed document; (3) A documented representation of a condition or capability as in (1) or (2)." Additionally, the requirement engineering process has the following sub-processes [1]:

- Feasibility study: generate a feasibility report
- Requirements elicitation and analysis (i.e., generate a system model): discovery (by means of viewpoints, interviews, scenarios, use cases, etc.), classification and organization, prioritization and negotiation, documentation
- Requirement specification: generate user and system requirements
- Requirement validation: validity check, consistency check, completeness check, realism check, verifiability

In the security engineering paradigm, security requirement engineering means that systematic engineering methods are used in analyzing security functional and assurance requirements and in developing a Security Functional Requirement Specification (SFRS). The SFRS is regarded as a Security Target (ST) developed by conforming to and using a Protection Profile (PP) [18]. Security requirement engineering consists of security environment analysis, selection of security objects and security functions, and specification of SFRS/PP/ST, which are comparable to the feasibility study, requirements elicitation and analysis, and requirement specification, respectively, of the requirement engineering process [1].

(1) Security environment analysis (risk analysis)

It consists of asset value evaluation, threat and vulnerability analysis, and security policy development.

- Asset value evaluation: classify and estimate the type and value of the assets to be protected by the information security product/system. We should develop a reasonable asset classification schema for classifying types of assets, as well as an efficient asset value estimation method [19]. Note that, in the insurance field and the new technology market, there are many applicable research results on asset value estimation.
- Threat analysis: Threat or attack scenarios (or procedures, algorithms) are specified and analyzed using threat and attack models such as attack trees [24], Petri nets and misuse case diagrams. The results of threat analysis are vulnerabilities (weaknesses), technical complexity level, resulting damage level and likelihood level of the threat (attack).
- Development of organizational security policy: Security policy templates for similar organizations with similar security environments have been developed by the computer network community or governments, e.g., SANS. Each organization easily derives a security policy by customizing the template. A security policy simulation method should be researched, because pre-evaluation of the policy is important. In this case, the specification of the security policy must be formal, simulable and executable. Note that Petri nets are a recommended security policy specification model since they are formal, simulable and executable.

(2) Security object and security function selection

Given the results of security environment analysis, i.e., the assets to be protected, their values and the threats, we must derive security objects. Then we must derive security functions (or countermeasures, controls) to accomplish the security objects. Security functions include physical, technical and managerial countermeasures. Recall that the word function (i.e., IT-based information security function) is generally used in the security product evaluation context such as CC. Instead, the word control is used in security management of operational systems such as C&A and ISMS.

Security Function Selection Problem: This is the problem of optimal selection (design) of security functions or controls in the context of security engineering. The problem is described as follows:

maximize $\sum_i P_i X_i$ subject to $\sum_i W_i X_i \le Y$

where
- $P_i$: profit of feasible security function i
- $X_i$: usage portion of feasible security function i (e.g., 0%, 60%, 100%)
- $W_i$: acquisition and operation cost of feasible security function i
- $Y$: total security-related budget (constraint)

Note that a feasible security function i is a function that does not violate the security policy or the operational environment (e.g., network, OS, hardware). If $X_i$ can only be 0% or 100% (i.e., non-divisible), then it is the 0/1 knapsack problem (i.e., an NP-complete problem); otherwise it is the general knapsack problem (i.e., the optimal solution can be obtained by a polynomial time algorithm). Generally a security function i cannot be divided (i.e., $X_i$ is 0% or 100%), thus the Security Function Selection Problem is a 0/1 knapsack problem whose optimal solution can be obtained by a non-deterministic polynomial time algorithm. An optimal solution can be obtained in practice only if the number of feasible security functions is small (e.g., 10 ~ 20).

(3) Specification of PP, ST and SFRS

The results of security environment analysis and security object and security function selection should be formally specified in an SFRS, PP or ST. Note that a PP gives the common security functional and assurance requirements for a type of security product such as a smartcard OS, VPN, firewall or DBMS. An ST gives those of a specific security product such as Multos, Oracle 9i or Windows CE. Finally, an SFRS gives those of a specific information system such as Hannam University's. Most PPs, STs and SFRSs are specified in semiformal, textual form. Thus we need more formal, executable and verifiable specification and modeling methods such as security context UML (misuse case diagrams). Aspect-oriented requirement analysis and specification is a recommended research topic in security requirement analysis [23]. Note that the aspect-oriented paradigm, based on separation, localization and cross-cutting concerns, is useful for analysis, design and implementation of reliability, security, caching and synchronization functions. A concern is a required function; an aspect is a modular unit designed to implement a concern.
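As an added illustration that is not part of the paper, the Security Function Selection Problem of (2) above solved both ways: the exact 0/1 knapsack by dynamic programming when functions are indivisible ($X_i$ is 0 or 1), and the greedy solution of the general knapsack when $X_i$ may be a fraction. The candidate functions, their profits $P_i$, costs $W_i$ and the budget $Y$ are constructed sample values.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class SecurityFunction:
    """A feasible security function i with profit P_i and cost W_i (paper's notation)."""
    name: str
    profit: int   # P_i: value protected / risk reduced by adopting the function
    cost: int     # W_i: acquisition and operation cost


def select_indivisible(functions, budget):
    """0/1 knapsack: each X_i is 0 or 1. Exact dynamic programming over (item, budget).
    Runs in O(n * budget), pseudo-polynomial, which is why the exact optimum is only
    practical for the small candidate sets (10 ~ 20 functions) the paper mentions.
    Returns (max_total_profit, sorted list of selected function names)."""
    n = len(functions)
    # best[i][b] = max profit using only the first i functions within budget b
    best = [[0] * (budget + 1) for _ in range(n + 1)]
    for i, f in enumerate(functions, start=1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]                      # X_i = 0: skip function i
            if f.cost <= b:                                   # X_i = 1 is affordable
                cand = best[i - 1][b - f.cost] + f.profit
                if cand > best[i][b]:
                    best[i][b] = cand
    # Trace back which functions produced the optimum
    chosen, b = [], budget
    for i in range(n, 0, -1):
        if best[i][b] != best[i - 1][b]:
            chosen.append(functions[i - 1].name)
            b -= functions[i - 1].cost
    return best[n][budget], sorted(chosen)


def select_divisible(functions, budget):
    """General (fractional) knapsack: X_i may be any portion in [0, 1].
    Greedy by profit-per-cost ratio is optimal here and runs in polynomial time.
    Returns (total_profit as Fraction, dict name -> portion X_i)."""
    portions = {}
    remaining = budget
    total = Fraction(0)
    for f in sorted(functions, key=lambda f: Fraction(f.profit, f.cost), reverse=True):
        if remaining == 0:
            break
        take = min(Fraction(1), Fraction(remaining, f.cost))  # X_i in [0, 1]
        portions[f.name] = take
        total += take * f.profit
        remaining -= take * f.cost
    return total, portions


# Constructed sample candidate set; profits and costs are illustrative units, not data from the paper
CANDIDATES = [
    SecurityFunction("firewall", profit=60, cost=30),
    SecurityFunction("ids", profit=50, cost=40),
    SecurityFunction("vpn", profit=40, cost=25),
    SecurityFunction("smartcard_auth", profit=35, cost=35),
    SecurityFunction("av_product", profit=20, cost=10),
]
BUDGET = 70  # Y: total security-related budget

if __name__ == "__main__":
    print("0/1 (indivisible):", select_indivisible(CANDIDATES, BUDGET))
    print("fractional        :", select_divisible(CANDIDATES, BUDGET))
```

The fractional optimum is always at least the 0/1 optimum, which is why relaxing indivisibility makes the problem tractable but also overstates the achievable protection when functions cannot be partially bought.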

4.2 Security architecture and pattern

(1) Security architecture

In the security engineering context, security architecture design is the problem described below: given a set of security components or modules (e.g., firewall, VPN, and so on) that perform unit security functions (e.g., access control, authentication, and so on), together with their costs, evaluated assurance levels (EAL) and security strengths, we must integrate, organize and construct an optimal security architecture that has maximal security at minimal cost. Security architecture design is comparable to building with Lego blocks. The quality of an architecture can be measured by evaluating the coupling (i.e., interface complexity) between components and the cohesion inside a component.

- Coupling: the manner and degree of interdependence between software modules: data > stamp > control > common > content (where data, stamp and control coupling are call coupling, and A > B means A is more desirable than B)
- Cohesion (= module strength): the manner and degree to which the tasks performed by a single software module are related to one another: functional > sequential > communicational > temporal > logical (procedural) > coincidental

A security architecture is modeled and analyzed by a Security Block Diagram (SBD):

SBD = < N, E >

where the node set N is a set of security functional blocks, modules, components or products (security function, non-security function and evaluation result are designated). The types of node are security, interface and non-security nodes. E is a set of edges (interfaces or links) between two related nodes. The types of edge, modeling the interface between two nodes, are security and non-security edges. SBD is useful for estimating the overall EAL or strength of a security system composed of evaluated security components. Further study on the analysis method for SBD is needed.

Fig. 2. Element structure of Security Block Diagram

(2) Security pattern

Security patterns are an application of conventional research on software patterns (a subject in component-based software engineering). There are many research results on security patterns at http://www.securitypatterns.org/. The major subjects of security pattern research are the development of an efficient security pattern description language (e.g., UMLsec at http://www4.in.tum.de/~umlsec/), development of an efficient security pattern repository (database) and pattern mining method, and development of new and reusable security patterns [16].

4.3 Security implementation


(1) Security functional structure in programming languages

In modern general-purpose high-level programming languages such as Java and C#, there are many functional structures such as exception handling and monitor structures. They are useful for concurrent programming and fault-tolerant programming, which are necessary in modern computing environments (e.g., parallel, concurrent, distributed, high-availability, real-time). A security monitor and a security exception handler are possible extensions of the conventional monitor and exception handler. Recall that a monitor is a modular unit that implements a concurrency control function (e.g., mutual exclusion and synchronization). A security monitor is a new modular unit that implements a security function (e.g., data/variable-level information flow control and access control). A security exception handler is an extended exception handling structure that has security exceptions.

(2) Secured programming

Recall that Dijkstra's structured programming influenced software engineering (especially structured software engineering). Pascal, C and Java are typical structured programming languages. Secured programming can be researched by extending the structured programming concept. One successful research result is the secure programming for Linux and Unix of David A. Wheeler [29]. He provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems in C, C++, Java, Perl, PHP, TCL and Ada95 (e.g., preventing buffer overflows). Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs.

(3) Runtime security

The security mechanism (e.g., the bytecode verifier) in Java is regarded as a "white box" run-time security monitoring mechanism. It is more secure than Microsoft's ActiveX control authentication approach (i.e., a "black box" approach), even though Java has lower usability than the authentication approach. Further research is needed in this area.

4.4 Security assurance

(1) Security test and verification

Security testing is an activity demonstrating that a security system or product is not incorrectly developed with respect to its Security Functional Requirement Specification (SFRS) (or PP, ST), using test cases or penetration test scenarios. We need a testing engine that automatically generates test cases or penetration test scenarios from the SFRS, then tests and analyzes.

(2) Security validation

Security validation is an activity demonstrating that an SFRS (or PP, ST) really reflects the security requirements and environment. PP and ST evaluation in CC evaluation are examples of security validation. Acceptance tests, system-level evaluation, operational evaluation, certification and authentication can be regarded as security validation.

(3) Security evaluation model

A scheme of information security evaluation consists of evaluation criteria, deliverables and evaluation tools, as shown in Figure 3. For each atomic (i.e., non-divisible) criterion $c_i$, deliverable $d_i$ and tool $t_i$ are inputs of an atomic evaluation method $m_i$. The results of all $m_i$ are merged into the final result R. The result $R_L$ is a function of $D_L$ and $C_L$ as shown below:

$R_L = M_T(D_L, C_L)$

Fig. 3. A security evaluation model

- $R_L = \{r_1, r_2, r_3, \ldots, r_m\}$: set of evaluation results ($r_i$ = pass, fail, inconclusive). Example verdict rule: if at least one $r_i$ is inconclusive, then R = inconclusive; else if at least one $r_i$ is fail, then R = fail; else R = pass.
- $M = \{m_1, m_2, m_3, \ldots, m_n\}$: a set of evaluation methods
- $T = \{t_1, t_2, t_3, \ldots, t_p\}$: a set of evaluation tools (e.g., static analyzer, verifier, test tools)
- $D = \{d_1, d_2, d_3, \ldots, d_q\}$: a set of deliverables (e.g., structural design, source code, security target)
- $C = \{c_1, c_2, c_3, \ldots, c_s\}$: a set of evaluation criteria (e.g., ITSEC, TCSEC, CC)
- $D_L \subseteq D_{L+1} \subseteq \ldots \subseteq D_{L_{max}} = D$
- $C_L \subseteq C_{L+1} \subseteq \ldots \subseteq C_{L_{max}} = C$
- $L \in \{level_1, level_2, \ldots, level_{L_{max}}\}$: set of evaluation levels

It is important to note that, in some security product and system evaluation schemes, not all criteria and deliverables are used, but a subset of them is used for each specific target evaluation assurance level (e.g., EAL1 ~ EAL7 in CC) [20]. However, in information security management system schemes such as ISO/IEC 17799 and ISO/IEC 21827 (SSE-CMM), the whole set of criteria and deliverables is needed. Optimal and cost-effective evaluation criteria, evaluation tools, and the form and contents of deliverables as well as evaluation methods should be developed in the context of the security engineering paradigm [7], [21].

(4) Dependability evaluation

A user of a real information system should concurrently consider not only security but also availability, reliability and safety. Thus an evaluation method for dependability is needed [23]. Dependability is a property of the system that equates to its trustworthiness. Trustworthiness essentially means the degree of user confidence that the system will operate as they expect and will not fail in normal use. The dimensions of dependability are reliability (correctness, precision, timeliness), safety and security (confidentiality, integrity, availability). Repairability, maintainability, survivability and error tolerance are other system properties that can also be considered under the heading of dependability. Technologies for dependability engineering should be developed in the context of security, reliability and safety engineering.
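The evaluation model of (3) above, as an added example that is not part of the paper: evaluation levels are modeled as nested subsets of criteria and deliverables ($C_L \subseteq C_{L+1}$, $D_L \subseteq D_{L+1}$), each atomic method $m_i$ returns pass, fail or inconclusive, and the results are merged with the paper's verdict rule. The criteria names, the four-level scheme, the atomic checks and the deliverables are all constructed for illustration and are not CC identifiers.

```python
from enum import Enum


class Verdict(Enum):
    """Atomic result r_i of one evaluation method m_i (paper's notation)."""
    PASS = "pass"
    FAIL = "fail"
    INCONCLUSIVE = "inconclusive"


# Constructed criteria c_i (illustrative names, not CC identifiers) with the deliverable d_i
# each one examines. Level L uses the first |C_L| criteria, so C_L ⊆ C_{L+1} and D_L ⊆ D_{L+1}
# hold by construction, as the nested-subset model requires.
CRITERIA = [
    ("functional_spec_complete", "security_target"),
    ("design_matches_spec", "structural_design"),
    ("source_free_of_known_defects", "source_code"),
    ("penetration_test_passed", "test_report"),
]
LEVEL_SIZES = {1: 1, 2: 2, 3: 3, 4: 4}   # |C_L| for each evaluation level L (constructed)


def criteria_for_level(level):
    """C_L: the atomic criteria used at evaluation level L."""
    return CRITERIA[:LEVEL_SIZES[level]]


def deliverables_for_level(level):
    """D_L: the deliverables needed at level L (derived from C_L)."""
    return sorted({d for _, d in criteria_for_level(level)})


def merge(results):
    """Paper's verdict rule: any inconclusive -> inconclusive; else any fail -> fail; else pass."""
    if Verdict.INCONCLUSIVE in results:
        return Verdict.INCONCLUSIVE
    if Verdict.FAIL in results:
        return Verdict.FAIL
    return Verdict.PASS


def evaluate(level, deliverables, methods):
    """R_L = M_T(D_L, C_L): run each atomic method m_i on its deliverable d_i and merge.
    `deliverables` maps deliverable name -> content; `methods` maps criterion -> m_i.
    A criterion whose deliverable was not supplied cannot be judged, so it is INCONCLUSIVE
    rather than silently skipped (the failure mode this rule is meant to surface)."""
    results = []
    for criterion, deliverable in criteria_for_level(level):
        if deliverable not in deliverables:
            results.append(Verdict.INCONCLUSIVE)
            continue
        results.append(methods[criterion](deliverables[deliverable]))
    return merge(results)


# Constructed atomic methods m_i: trivial string checks standing in for real tools t_i.
METHODS = {
    "functional_spec_complete": lambda st: Verdict.PASS if "SFR" in st else Verdict.FAIL,
    "design_matches_spec": lambda d: Verdict.PASS if "traceability" in d else Verdict.FAIL,
    "source_free_of_known_defects": lambda src: Verdict.FAIL if "strcpy(" in src else Verdict.PASS,
    "penetration_test_passed": lambda rep: Verdict.PASS if "no findings" in rep else Verdict.FAIL,
}

# Constructed deliverable set for a hypothetical product; no test report was delivered.
DELIVERABLES = {
    "security_target": "ST v1: SFR list, assurance claims",
    "structural_design": "modules + traceability matrix",
    "source_code": "int main(int c, char **v){ char b[8]; strcpy(b, v[1]); return 0; }",
}

if __name__ == "__main__":
    for lvl in LEVEL_SIZES:
        print(lvl, deliverables_for_level(lvl), evaluate(lvl, DELIVERABLES, METHODS).value)
```

The same product passes at levels 1 and 2, fails at level 3 once the source criterion is in scope, and is inconclusive at level 4 because a required deliverable is missing, which is how a higher target level widens the evidence the scheme demands.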

4.5 Security operation, maintenance and security management

(1) Security process reengineering

Conventional information security systems have suffered from maintenance problems and security decline, which is a state of security crisis, because they were developed without a security engineering discipline. Security Process Re-engineering (SPR), by applying the Business Process Re-engineering (BPR) approach, detects problems (e.g., hot spots, critical regions, vulnerabilities, and so on) in the development and operational process, then cost-effectively restructures (i.e., re-engineers) a conventional legacy security system. The SPR approach, used together with reverse-engineering methods, is useful for seamless migration from a legacy security system to a new security system.

(2) Security economics

Recall that just as quality is a function of cost, security is a function of cost. Cost-effective development and operation of security systems are emphasized in security economics. Analysis of development and operation cost, return on investment (ROI) and earned value (EV) are research topics in security economics. Note that in B. Boehm's software economics, only development and maintenance cost estimation methods (i.e., COCOMO), in the context of software metrics and complexity, are researched. In the security economics context, a suitable (i.e., cost-effective, non-overprotecting, non-overlapping) level of security strength, security function and security assurance level should be obtained and accomplished. The following simple principle is an axiom of security economics:

- A: acquisition and operation cost of a security product (e.g., $700)
- V: loss cost of the asset to be protected (e.g., $1000)
- P: profit from a security product
- $V \ge A$ and $P = V - A$

The principle is simple and a matter of course; however, it is not observed. Thus the problems of over-protection and over-cost arise. For example, if a small e-commerce site has high-strength security and a long key size, then it needs more computing power, bandwidth and operation cost, and customers feel inconvenienced (in identification and authentication). The e-commerce site will be closed and left with much damage cost and complaining customers. Finally, security economics is similar to web tuning, which is a subject of web engineering. It deduces a cost-effective decision among cryptographic key length, key management cost, communication and cryptographic computation overhead, security assurance level, and user and operator usability.

(3) Documentation engineering

Recall that software consists of programs, databases and documents. Documents (or deliverables) are regarded as the visible image of the real program and its development history. Therefore, correct, complete and formal documents for a target of evaluation (e.g., a security software product) are needed for security evaluation and authentication schemes such as CC and CMVP. Thus systematic and engineered documentation technology, that is, documentation engineering, is very important. In documentation engineering, cost-effective, standard and optimal development and management technology for documents such as requirement specifications, PP/ST, design specifications, implementation reports, test reports, configuration management reports, and so on, should be researched. XML-based documentation engineering technology for security evaluation is a highly recommended research topic.

5 Conclusion
This paper makes the following contributions to the information security community:

- Survey of conventional definitions of Information Security Engineering
- New definition of ISE and SEE paradigm
- Definition and use of the "Security Crisis" terminology
- Useful guide for information security research such as the security block diagram

Software engineering aims to overcome the software crisis by using general engineering technology and paradigms, and web engineering aims to overcome the web crisis by using software engineering. In those contexts, security engineering is a principle, paradigm and subject for overcoming the security crisis by means of software engineering, cryptography, law, and so on. The relationship between computer engineering (including software engineering) and computer science (including discrete mathematics and theory of computation) is compared to the relationship between security engineering and cryptography. That is, security engineering is an interdisciplinary subject of computer engineering/science, mathematics, physics, law, economics, physiology, and so on. Cryptography, however, is based on mathematics. It is important to note that information security is a combined subject of security engineering and cryptography. In the cryptography approach, we need mathematically sound and formal cryptographic algorithms as well as analytical problem solving methods. In the security engineering approach, however, we need only to satisfy the "needed level of security", using numerical analytical problem solving methods. That means we should not pursue perfect information security, which is known to be an unsolvable problem, but pursue cost-effective information security, which is the paradigm of security engineering. When we regard software engineering as a class, security engineering is a derived or instantiated object of software engineering. That is, security engineering is an instance of software engineering. Thus we can develop security engineering technologies by applying and customizing software engineering technologies. The definition and paradigm of security engineering proposed in this paper are useful for establishing consensus on security engineering in the information security and cryptography community, since there is not yet a common and formal definition or approach to security engineering. The research topics and approaches proposed in this paper should be addressed by software engineers as well as security engineers sooner or later.

Acknowledgements
This work has been supported by grant NO **** from the Korea Ministry of Commerce, Industry and Energy (Security Engineering Research Center of Hannam University). The authors are supported by the fund of the second stage of BK-21 of the Korea Ministry of Education and Human Resource Development.


2006 International Conference on Hybrid Information Technology (ICHIT'06) 0-7695-2674-8/06 $20.00 2006



