

Data Security - The Achilles' Heel in Software Development?

By Markus Luckey (7.05.2010)

Nowadays, information systems have become indispensable. Companies such as Google collect enormous amounts of data and are thereby able to offer plenty of free everyday software that some people can no longer live without. In addition, governments collect a rapidly increasing amount of data. Recently, the media reported on the rising number of phone calls under surveillance in Germany. The authorities justify this practice with the necessity of opposing criminal actions. With all these data collection activities in mind, the question of data security arises. The increase in software complexity leads to an increase in vulnerability to security incidents.

The consequence should be that information systems are properly secured from the beginning. However, while software engineering has improved in its consideration of customer needs, security aspects have traditionally been ignored in software engineering methodologies. Thus, most IT organizations put little focus on security requirements. The authors in state "… security issues have usually been considered only after the system has been developed completely". The reasons for neglecting security in software engineering lie in the wide variety of facets and aspects of security requirements. Furthermore, the strong interrelation between security requirements makes them harder to manage. Another problem is the increase in costs that accompanies an elaborate security or quality requirements analysis. A solution to this problem is reusing existing security requirements, as already stated in the 80's. However, reuse is still unclear, and reuse methods from academia often fail to prove practicability or scalability. Overall, the prevailing problem is the lack of a quality engineering approach that integrates seamlessly into common software engineering approaches and fosters the consideration of security aspects in software engineering. The approach should provide methodological support on the one hand and an increase in the quality of the resulting requirements on the other, while not generating considerably higher costs. Furthermore, the approach should enable the interrelation of all quality aspects (e.g. maintainability, security, usability, performance) in one single model.

Finding Bugs – Security in IT Systems

To this end, we defined a quality-modeling framework that allows efficient reuse of requirements that affect quality during software engineering, in early software engineering phases or even while acquiring new projects. A new quality engineering process supports the application of the framework. Using the process in connection with a dedicated tool enabled us to conduct a case study at Capgemini sd&m AG, a major German software engineering company. The study was designed to answer two fundamental questions.

1. Can real-world quality requirements specifications be modeled with the quality-modeling framework?

2. How much reuse is possible using the approach?

The first question investigates the applicability or suitability of the approach w.r.t. quality requirements that are needed in practice. An approach for reusing quality requirements can only make sense if it is able to model the aspects of quality that occur in real development projects. The second question quantifies the potential for the approach in real-world projects. If the quality requirements differ almost completely in practice, or the similarities cannot be exploited by our approach, the return on investment of using it will probably be negative. The case study covers different customers in six different projects in a variety of domains. The sizes of the selected projects range from one person-month to 333 person-years; the average size was 163 person-years. With a ratio of 77% of requirements that could directly be modeled using the framework, we could answer our first research question positively. In the second research question, we asked about the reuse potential that can be tapped by the approach. Again, the results were promising. With an average reuse ratio of 47%, almost every second specified requirement could have been reused employing our approach.

The case study helped adapt the model to industry needs while at the same time evaluating the efficiency of the approach. Furthermore, it allowed us to introduce the model into the company and to prepare for an implementation of the approach within the company. Last but not least, the case study helped reveal relevant future research needs regarding the quality model and reuse of quality requirements, among them the following. We submitted the results of this research work to one of the most important software engineering conferences worldwide.

Markus Luckey
Born 1984, Wuppertal

  • Since 05/2009: Research assistant at Universität Paderborn
  • Oct. 2007 - May 2009: Elite graduate program in Software Engineering at Universität Augsburg, LMU München and TU München
  • March 2007 – Aug. 2007: Oregon State University, USA, bachelor's thesis on "Automatic Propagation of Model Updates in the Spreadsheet Paradigm"
  • Oct. 2004 – Sept. 2007: Studies in computer science (Bachelor), graduated with distinction from Universität Paderborn

Professional Experience
  • Since May 2009: Research assistant/doctoral student at the Chair of Information Systems, Universität Paderborn
  • Aug. 2004 - May 2009: Working student at Capgemini sd&m AG, Düsseldorf

  • 2006: Elite funding program at Universität Paderborn
  • 2008: Winner of the 2008 innovation competition of UnternehmerTUM GmbH at Technische Universität München