What do you assume? A Theory of Security-Related Assumptions
Authors: 
Sophie Corallo, Thomas Weber, Lars König, Kathrin Leonie Schmidt, Frederik Reiche, Anne KoziolekAuthors Info & Claims
Sophie Corallo, Thomas Weber, Lars König, Kathrin Leonie Schmidt, Frederik Reiche, Anne KoziolekAuthors Info & ClaimsPages 278 - 279
Abstract
Assumptions play a significant role in software engineering. Especially for security, implicit, inconsistent, or invalid assumptions on the system can have a high impact. Even though there are several approaches for managing assumptions in security engineering, most of them are highly specific for their domain and phase in software development. However, for holistic assumption management, a general understanding of security-related assumptions is needed. Funded on a Grounded Theory-based approach, including nine interviews with security researchers and a literature review of 53 scientific publications on assumptions, we propose a first definition of security-related assumptions.
References
[1]
Brandon Broadnax, Pascal Birnstill, Jörn Müller-Quade, and Jürgen Beyerer. 2016. Eliciting and refining requirements for comprehensible security. In Security Research Conference : 11th Future Security, Berlin, September 13--14, 2016. Ed.: O. Ambacher. Fraunhofer Verlag, 323--329. 46.12.03; LK 01.
[2]
Prabuddha Chakraborty, Jonathan Cruz, Christopher Posada, Sandip Ray, and Swarup Bhunia. 2022. HASTE: Software Security Analysis for Timing Attacks on Clear Hardware Assumption. IEEE Embedded Systems Letters 14, 2 (2022).
[3]
Kathy Charmaz. 2014. Constructing grounded theory (2 ed.). SAGE Publications, London, England.
[4]
Hassan El-Hadary and Sherif El-Kassas. 2014. Capturing security requirements for software systems. Journal of Advanced Research 5, 4 (2014), 463--472. Cyber Security.
[5]
C.B. Haley, R.C. Laney, J.D. Moffett, and B. Nuseibeh. 2004. The effect of trust assumptions on the elaboration of security requirements. In Proceedings. 12th IEEE International Requirements Engineering Conference, 2004. 102--111.
[6]
Charles B Haley, Robin C Laney, JD Moffett, and B Nuseibeh. 2003. Using Trust Assumptions in Security Requirements Engineering. In Second Internal iTrust Workshop On Trust Management In Dynamic Open Systems. Citeseer, 15--17.
[7]
Robert Koch Institute. 2020. Open-Source Project Corona-Warn-App. https://www.coronawarn.app/en/. Accessed: 2023-07-25.
[8]
Ilya Kabanov and Stuart Madnick. 2020. A Systematic Study of the Control Failures in the Equifax Cybersecurity Incident. (2020).
[9]
Md Abdullah Al Mamun and Jörgen Hansson. 2011. Review and challenges of assumptions in software development. In Second Analytic Virtual Integration of Cyber-Physical Systems Workshop (AVICPS).
[10]
V. Page, M. Dixon, and I. Choudhury. 2007. Security risk mitigation for information systems. BT Technology Journal 25, 1 (01 Jan 2007), 118--127.
[11]
P. Van Aubel and E. Poll. 2019. Smart metering in the Netherlands: What, how, and why. International Journal of Electrical Power & Energy Systems 109 (2019).
[12]
Dimitri Van Landuyt and Wouter Joosen. 2020. A Descriptive Study of Assumptions Made in LINDDUN Privacy Threat Elicitation. In Proceedings of the 35th Annual ACM Symposium on Applied Computing (Brno, Czech Republic) (SAC '20). Association for Computing Machinery, New York, NY, USA, 1280--1287.
[13]
Dimitri Van Landuyt and Wouter Joosen. 2021. A descriptive study of assumptions in STRIDE security threat modeling. Software and Systems Modeling (2021).
[14]
John Viega, Tadayoshi Kohno, and Bruce Potter. 2001. Trust (and Mistrust) in Secure Applications. Commun. ACM 44, 2 (feb 2001), 31--36.
[15]
Xiaowei Wang, John Mylopoulos, Giancarlo Guizzardi, and Nicola Guarino. 2016. How software changes the world: The role of assumptions. In 2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS). 1--12.
[16]
Chen Yang, Peng Liang, and Paris Avgeriou. 2018. Assumptions and their management in software development: A systematic mapping study. Information and Software Technology 94 (2018), 82--110.
[17]
Chen Yang, Peng Liang, Paris Avgeriou, Ulf Eliasson, Rogardt Heldal, and Patrizio Pelliccione. 2017. Architectural Assumptions and Their Management in Industry - An Exploratory Study. In Software Architecture, Antónia Lopes and Rogério de Lemos (Eds.). Springer International Publishing, Cham, 191--207.
[18]
Pamela Zave and Michael Jackson. 1997. Four Dark Corners of Requirements Engineering. ACM Trans. Softw. Eng. Methodol. 6, 1 (jan 1997), 1--30.
Index Terms
- What do you assume? A Theory of Security-Related Assumptions
Recommendations
A descriptive study of assumptions in STRIDE security threat modeling
AbstractSecurity threat modeling involves the systematic elicitation of plausible threat scenarios, and leads to the identification and articulation of the security requirements in the early stages of software development. Although they are an important ...
Unhelpful Assumptions in Software Security Research
CCS '23: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications SecurityIn the study of software security many factors must be considered. Once venturing beyond the simplest of laboratory experiments, the researcher is obliged to contend with exponentially complex conditions. Software security has been shown to be affected ...
Rejoinder---Robust Prediction and Unrealistic Assumptions
In the response to my commentary on his 2007 editorial entitled “It's the Findings, Stupid, Not the Assumptions,” Steven Shugan raises a number of thought-provoking ideas. In this rejoinder, I focus on three issues that Shugan and I hold the most ...
Comments
Information & Contributors
Information
Published In
April 2024
531 pages
ISBN:9798400705021
DOI:10.1145/3639478
- Co-chairs:
- Ana Paiva,
- Rui Abreu,
- Program Co-chairs:
- Abhik Roychoudhury,
- Margaret Storey
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
In-Cooperation
- Faculty of Engineering of University of Porto
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 23 May 2024
Check for updates
Author Tags
Qualifiers
- Short-paper
Conference
ICSE-Companion '24
Sponsor:
ICSE-Companion '24: 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings
April 14 - 20, 2024
Lisbon, Portugal
Acceptance Rates
Overall Acceptance Rate 276 of 1,856 submissions, 15%
Upcoming Conference
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 75Total Downloads
- Downloads (Last 12 months)75
- Downloads (Last 6 weeks)20
Reflects downloads up to 17 Oct 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in